Jump to content

You steal music I lock your PC --- new nasty virus out there!


mastershake

Recommended Posts

mastershake

Today I came across a new malware (ransomware) variant in the Netherlands, and this variant is no ordinary ransomware like, Reveton, Urausy, Kovter or similar well known versions that pretends to be from the FBI, Department of Justice or other police departement. But this kind of ransomware with the message “You steal music I lock your pc” is not loaded from the systemdrive because when you disconnect the hard drive it will also display the “lockscreen” and it seems like that this malware variant has flashed the entire BIOS of the compromised system.

Another indication of a malicious BIOS modification or complete flash is the fact that the system BIOS is not accessible, and the lockscreen will appear after 2 seconds when the system is started. The screen with the message “You steal music I lock your pc” is not graphical but created with special characters and looks like a ANSI art creation.

This lockscreen is not comparable with the other ransomware variants, it don’t ask to pay a fine but it will only lock you out from booting you computer in the normal way. It seems, therefore that this malware is not designed by the cybercriminals to receive money but to make a system physically inaccessible.

Below you can see a foto with the message “You steal music I lock your pc” that is displayed on the spur of the moment after starting the computer.

You%20steal%20music%20i%20lock%20your%20

On a few Dutch forums I have seen this kind of malware today, and after publishing the first message on a Dutch blog the first victims already reported this and started a thread for assistance, and for know the only things I know is dat the file lcrm.exe wil show the message that it is installed succesfully and it requires a restart of the computer. And after that it is no longer possible to start the computer normally.

Below some original links and Google translate versions of the threads.

Original

  1. http://www.pcwebplus.nl/phpbb/viewtopic.php?f=206&t=10231
  2. http://www.pcwebplus.nl/phpbb/viewtopic.php?f=206&t=10229
  3. http://www.pc-helpforum.be/f163/you-steal-music-i-lock-your-62299

Google translate

  1. http://translate.google.nl/translate?sl=nl&tl=en&js=n&prev=_t&hl=nl&ie=UTF-8&u=http%3A%2F%2Fwww.pcwebplus.nl%2Fphpbb%2Fviewtopic.php%3Ff%3D206%26t%3D10231&act=url
  2. http://translate.google.nl/translate?sl=nl&tl=en&js=n&prev=_t&hl=nl&ie=UTF-8&u=http%3A%2F%2Fwww.pcwebplus.nl%2Fphpbb%2Fviewtopic.php%3Ff%3D206%26t%3D10229
  3. http://translate.google.nl/translate?sl=nl&tl=en&js=n&prev=_t&hl=nl&ie=UTF-8&u=http%3A%2F%2Fwww.pc-helpforum.be%2Ff163%2Fyou-steal-music-i-lock-your-62299%2F

Source: http://www.malwareremovalguides.info/you-steal-music-i-lock-your-pc-ransomware/

Link to comment
Share on other sites

  • Replies 23
  • Views 2.7k
  • Created
  • Last Reply
  • Administrator

Fixed the title a little and added the rest of the story. ;)

Link to comment
Share on other sites

Ambrocious

Can't you reset your bios by taking out the PC battey and pressing the power button a few times and then with the battery still out, wait for about 25 minutes and then put it all together?

Link to comment
Share on other sites

mastershake

as of right now it seems to actually either write over or erase the bios. not sure yet.

Link to comment
Share on other sites

Wow, if it's really re-flashing the BIOS that's scary stuff! This might be one of the few times you would be happy to be using Windows 8, since any user of that OS has seen for themselves that no one in the whole entire universe has been able to understand how to change the file permissions to the extent that would be required to maliciously flash the BIOS. Not even Microsoft themselves know how to do that, although I hear they'll be correcting that in 8.2 :lol:

It would be interesting to learn if those that have gotten what you believe to be a virus were using AV, and if so which one's allowed it through anyway.

Can't you reset your bios by taking out the PC battey and pressing the power button a few times and then with the battery still out, wait for about 25 minutes and then put it all together?

--- Ambrocious, I may be wrong but I was under the impression doing what you mentioned would re-set the BIOS (on some, not all systems) to its factory default settings. However, that would probably not supercede BIOS that had been re-flashed altogether. For example, were I to upgrade the BIOS on a Dell, then attempt to do the procedure you discuss, it would change some of the BIOS settings (like system date and time), but it wouldn't undo the updated flash and bring it back to it's original out-of-the-box state. So if these machines were re-flashed with this malware, pulling the battery won't flash it once again to its original state.

Link to comment
Share on other sites

Beamslider

Does it block BIOS recovery mode too?

Some BIOS allow to set nonflash mode....Is it getting around that as well?

Link to comment
Share on other sites

Whoopenstein

Well, if all else fails and the computer is bricked, you can pull the BIOS chip out and have it re-flashed. There are places that will do that for you ($15-$20). If it's a laptop, it will be harder to get the IC out though - and then pray that it's in a socket and not soldered directly on the board (even those can be removed by a skilled solderer with the right tools though).

Link to comment
Share on other sites

You should be able to re flash the bios with the firmware from the manufacture of the computer....will have to do it from dos but should be possible. I would like to see the hex dump of the bios before and after to really see what it does....I am curious. Sounds to me this rewrites the bios and inserts his own personal image to replace the manufactures then locks you out.

Link to comment
Share on other sites

Whoopenstein

Cerberus - if the bios is really toasted, you won't be able to boot from any disk. In other words, you won't be able to run the flash program.

Link to comment
Share on other sites

This is where DualBIOS (on select motherboards) is a life-saver - just restore the main BIOS from the secondary one. 8)

Link to comment
Share on other sites

Dual bios is a saviour in these instances, simply switch jumpers (not the wooly ones!).

Link to comment
Share on other sites

Wow, sounds very petty... It will wreak havoc if it reaches widespread in USA

I wonder how soon they will get the AV Vendors to make definitions that detect this thing...

Supposedly as said in the article its "lcrm.exe" so maybe they AVs will be able to even block this file from executing soon!

Link to comment
Share on other sites

jimbojet2011

When you have this one you are really scruwed

I think that one importend option is to secure the bios from "automatically flash the bios"

This will stop the flash from within Windows

Link to comment
Share on other sites

I'm also guessing that even those who do not own a DualBIOS might find relief from this monster after flashing their BIOS again with an higher or even the same version. :think:

Makes all the more sense to store a copy of the latest BIOS in a (appropriately formatted) USB flash-drive or floppy.

Link to comment
Share on other sites

I'm also guessing that even those who do not own a DualBIOS might find relief from this monster after flashing their BIOS again with an higher or even the same version. :think:

Makes all the more sense to store a copy of the latest BIOS in a (appropriately formatted) USB flash-drive or floppy.

Indeed true, however if the bios won't boot past post, there's no way to restore a backed up version, which makes this more of a concern.

Link to comment
Share on other sites

According to a thread on Wilders this is looking to be a hoax at the moment.

The thought had crossed my mind this morning when I first read this. The way I understand a bios to work is that it has to match VERY specific criteria before you can even attempt a flash, and given there are a plethora of mobo models combined with various versions of manufacturers own bios, I would expect it to be very difficult to create a generic flashing tool and bios dat file.

If whoever come up with this did manage to create the above, it would have been done to purely cause financial damage to the owner of said system.

I could well be mistaken however, maybe it sits on the mbr or 1st sector.

Link to comment
Share on other sites

  • Administrator

According to a thread on Wilders this is looking to be a hoax at the moment.

Haven't checked WS, but undoubtedly.

Link to comment
Share on other sites

Whoopenstein

In reply to n0_risk!'s posted video - Yes, once the PC is booted, I've heard you can "hot plug" the BIOS IC in and out of the socket. I've also heard of people making a backup of their BIOS this way. Start up PC - unplug BIOS IC - plug in blank IC - run BIOS flash program - program the blank BIOS IC with ROM image.

I would do this with extreme caution though. You never know when things can go wrong when hot plugging.

Link to comment
Share on other sites

Today on Security.nl, their first newsitem.

"Unknown Bios-virus is very likely a hoax"

"When the various forum administrators compared the IP addresses of the 'victims', all proved to be the same, as Ted Emmerich of [dutch] PCWebPlus[.nl] has posted on the forum of Tweakers[.net]."

http://www.pcwebplus.nl/phpbb/viewtopic.php?f=213&t=10242

http://translate.google.nl/translate?sl=nl&tl=en&js=n&prev=_t&hl=nl&ie=UTF-8&u=http%3A%2F%2Fwww.pcwebplus.nl%2Fphpbb%2Fviewtopic.php%3Ff%3D213%26t%3D10242

Edit

YooSecurity has published a Fake video on YouTube.

-http://www.youtube.com/watch?v=w38iNK72AwU-

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...