You steal music I lock your PC --- new nasty virus out there!


mastershake


Today I came across a new malware (ransomware) variant in the Netherlands, and this variant is no ordinary ransomware like Reveton, Urausy, Kovter or similar well-known versions that pretend to be from the FBI, Department of Justice or another police department. This kind of ransomware, with the message “You steal music I lock your pc”, is not loaded from the system drive, because when you disconnect the hard drive it will still display the “lockscreen”, and it seems that this malware variant has flashed the entire BIOS of the compromised system.

Another indication of a malicious BIOS modification or complete flash is the fact that the system BIOS is not accessible, and the lockscreen will appear 2 seconds after the system is started. The screen with the message “You steal music I lock your pc” is not graphical but created with special characters and looks like an ANSI art creation.

This lockscreen is not comparable with the other ransomware variants; it doesn’t ask you to pay a fine but only locks you out from booting your computer in the normal way. It seems, therefore, that this malware is not designed by the cybercriminals to receive money but to make a system physically inaccessible.

Below you can see a photo with the message “You steal music I lock your pc” that is displayed right after starting the computer.

[Photo: the lock screen with the message “You steal music I lock your pc”]

On a few Dutch forums I have seen this kind of malware today, and after publishing the first message on a Dutch blog the first victims already reported this and started a thread for assistance. For now the only thing I know is that the file lcrm.exe will show a message that it is installed successfully and that it requires a restart of the computer. After that it is no longer possible to start the computer normally.

Below are some original links and Google Translate versions of the threads.

Original

  1. http://www.pcwebplus.nl/phpbb/viewtopic.php?f=206&t=10231
  2. http://www.pcwebplus.nl/phpbb/viewtopic.php?f=206&t=10229
  3. http://www.pc-helpforum.be/f163/you-steal-music-i-lock-your-62299

Google translate

  1. http://translate.google.nl/translate?sl=nl&tl=en&js=n&prev=_t&hl=nl&ie=UTF-8&u=http%3A%2F%2Fwww.pcwebplus.nl%2Fphpbb%2Fviewtopic.php%3Ff%3D206%26t%3D10231&act=url
  2. http://translate.google.nl/translate?sl=nl&tl=en&js=n&prev=_t&hl=nl&ie=UTF-8&u=http%3A%2F%2Fwww.pcwebplus.nl%2Fphpbb%2Fviewtopic.php%3Ff%3D206%26t%3D10229
  3. http://translate.google.nl/translate?sl=nl&tl=en&js=n&prev=_t&hl=nl&ie=UTF-8&u=http%3A%2F%2Fwww.pc-helpforum.be%2Ff163%2Fyou-steal-music-i-lock-your-62299%2F

Source: http://www.malwareremovalguides.info/you-steal-music-i-lock-your-pc-ransomware/



Administrator

Fixed the title a little and added the rest of the story. ;)



Ambrocious

Can't you reset your BIOS by taking out the PC battery and pressing the power button a few times and then, with the battery still out, wait for about 25 minutes and then put it all together?



mastershake

as of right now it seems to actually either write over or erase the bios. not sure yet.



Wow, if it's really re-flashing the BIOS that's scary stuff! This might be one of the few times you would be happy to be using Windows 8, since any user of that OS has seen for themselves that no one in the whole entire universe has been able to understand how to change the file permissions to the extent that would be required to maliciously flash the BIOS. Not even Microsoft themselves know how to do that, although I hear they'll be correcting that in 8.2 :lol:

It would be interesting to learn if those that have gotten what you believe to be a virus were using AV, and if so which ones allowed it through anyway.

Can't you reset your BIOS by taking out the PC battery and pressing the power button a few times and then, with the battery still out, wait for about 25 minutes and then put it all together?

--- Ambrocious, I may be wrong but I was under the impression doing what you mentioned would reset the BIOS (on some, not all systems) to its factory default settings. However, that would probably not supersede a BIOS that had been re-flashed altogether. For example, were I to upgrade the BIOS on a Dell, then attempt to do the procedure you discuss, it would change some of the BIOS settings (like system date and time), but it wouldn't undo the updated flash and bring it back to its original out-of-the-box state. So if these machines were re-flashed with this malware, pulling the battery won't flash it once again to its original state.



Beamslider

Does it block BIOS recovery mode too?

Some BIOSes allow you to set a non-flash mode.... Is it getting around that as well?



Whoopenstein

Well, if all else fails and the computer is bricked, you can pull the BIOS chip out and have it re-flashed. There are places that will do that for you ($15-$20). If it's a laptop, it will be harder to get the IC out though - and then pray that it's in a socket and not soldered directly on the board (even those can be removed by a skilled solderer with the right tools though).



You should be able to re-flash the BIOS with the firmware from the manufacturer of the computer.... You will have to do it from DOS but it should be possible. I would like to see the hex dump of the BIOS before and after to really see what it does.... I am curious. Sounds to me like this rewrites the BIOS and inserts its own personal image to replace the manufacturer's, then locks you out.

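The before/after comparison asked for above is the kind of check that would settle whether the firmware was actually rewritten. As an added example (not code from anyone in this thread or from a vendor flash tool), the Python script below diffs two dumps of the same chip, merges nearby differences into regions, prints a hex dump of each changed region, and checks whether the on-screen lock message sits inside one of them. The two images are constructed toy byte strings, not real firmware; only the message text comes from the thread.

```python
"""Compare a BIOS dump taken before and after a suspected infection.

Added example for this thread, not code from any poster or vendor tool.
The two images at the bottom are constructed toy byte strings, not real
firmware; the only real string is the on-screen message the thread reports.
"""
from dataclasses import dataclass

# Text reported on the lock screen in the first post.
LOCK_MESSAGE = b"You steal music I lock your pc"


@dataclass
class Region:
    """A contiguous byte range [start, end) that differs between dumps."""
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def changed_regions(before: bytes, after: bytes, gap: int = 16) -> list:
    """Return the ranges where the two dumps differ.

    Differences separated by fewer than `gap` identical bytes are merged so
    one patched block reports as one region instead of many single bytes.
    """
    if len(before) != len(after):
        raise ValueError("dumps differ in size; compare images of the same part")
    regions = []
    current = None
    for offset, (a, b) in enumerate(zip(before, after)):
        if a == b:
            continue
        if current is not None and offset - current.end < gap:
            current.end = offset + 1          # extend the open region
        else:
            current = Region(offset, offset + 1)
            regions.append(current)
    return regions


def find_marker(image: bytes, marker: bytes = LOCK_MESSAGE) -> list:
    """Offsets of every case-insensitive occurrence of `marker` in the image."""
    haystack, needle = image.lower(), marker.lower()
    offsets = []
    pos = haystack.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = haystack.find(needle, pos + 1)
    return offsets


def hexdump(image: bytes, start: int, end: int, width: int = 16) -> list:
    """Classic offset / hex / ASCII lines for image[start:end]."""
    lines = []
    for off in range(start, end, width):
        chunk = image[off:min(off + width, end)]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {text}")
    return lines


def compare(before: bytes, after: bytes) -> dict:
    """Summarise what changed and whether the lock message lives in a change."""
    regions = changed_regions(before, after)
    hits = find_marker(after)
    return {
        "changed_bytes": sum(r.size for r in regions),
        "regions": [(r.start, r.end) for r in regions],
        "marker_offsets": hits,
        "marker_in_changed_region": any(
            r.start <= h < r.end for h in hits for r in regions
        ),
    }


# --- constructed sample dumps (toy data, NOT real firmware) ----------------
BEFORE = bytes(range(256)) * 16              # 4 KiB repeating pattern
_after = bytearray(BEFORE)
_after[0x10] = 0xFF                          # one flipped byte, e.g. a setting
_after[0x400:0x400 + len(LOCK_MESSAGE)] = LOCK_MESSAGE   # injected message text
AFTER = bytes(_after)

if __name__ == "__main__":
    report = compare(BEFORE, AFTER)
    print(report)
    for start, end in report["regions"]:
        print(f"--- changed region {start:#x}-{end:#x} ---")
        for line in hexdump(AFTER, start, end):
            print(line)
```

On real dumps you would feed it two reads of the same SPI part taken with an external programmer (the thread's point that a bricked board cannot run its own flash tool applies equally to reading it back). A single flipped byte in a settings area and a large block of new text are very different findings: the first is what a CMOS reset changes, the second is what a rewrite looks like.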


Whoopenstein

Cerberus - if the bios is really toasted, you won't be able to boot from any disk. In other words, you won't be able to run the flash program.



This is where DualBIOS (on select motherboards) is a life-saver - just restore the main BIOS from the secondary one. 8)



Dual bios is a saviour in these instances, simply switch jumpers (not the wooly ones!).



Wow, sounds very petty... It will wreak havoc if it becomes widespread in the USA.

I wonder how soon they will get the AV Vendors to make definitions that detect this thing...

Supposedly, as said in the article, it's "lcrm.exe", so maybe the AVs will even be able to block this file from executing soon!



jimbojet2011

When you have this one you are really screwed.

I think that one important option is to secure the BIOS against "automatically flash the BIOS".

This will stop the flash from within Windows



I'm also guessing that even those who do not own a DualBIOS might find relief from this monster after flashing their BIOS again with a higher or even the same version. :think:

Makes all the more sense to store a copy of the latest BIOS in a (appropriately formatted) USB flash-drive or floppy.



I'm also guessing that even those who do not own a DualBIOS might find relief from this monster after flashing their BIOS again with a higher or even the same version. :think:

Makes all the more sense to store a copy of the latest BIOS in a (appropriately formatted) USB flash-drive or floppy.

Indeed true, however if the bios won't boot past post, there's no way to restore a backed up version, which makes this more of a concern.



According to a thread on Wilders this is looking to be a hoax at the moment.

The thought had crossed my mind this morning when I first read this. The way I understand a bios to work is that it has to match VERY specific criteria before you can even attempt a flash, and given there are a plethora of mobo models combined with various versions of manufacturers own bios, I would expect it to be very difficult to create a generic flashing tool and bios dat file.

If whoever came up with this did manage to create the above, it would have been done purely to cause financial damage to the owner of said system.

I could well be mistaken however, maybe it sits on the mbr or 1st sector.



Administrator

According to a thread on Wilders this is looking to be a hoax at the moment.

Haven't checked WS, but undoubtedly.



Whoopenstein

In reply to n0_risk!'s posted video - Yes, once the PC is booted, I've heard you can "hot plug" the BIOS IC in and out of the socket. I've also heard of people making a backup of their BIOS this way. Start up PC - unplug BIOS IC - plug in blank IC - run BIOS flash program - program the blank BIOS IC with ROM image.

I would do this with extreme caution though. You never know when things can go wrong when hot plugging.



Today on Security.nl, their first news item:

"Unknown Bios-virus is very likely a hoax"

"When the various forum administrators compared the IP addresses of the 'victims', all proved to be the same, as Ted Emmerich of [dutch] PCWebPlus[.nl] has posted on the forum of Tweakers[.net]."

http://www.pcwebplus.nl/phpbb/viewtopic.php?f=213&t=10242

http://translate.google.nl/translate?sl=nl&tl=en&js=n&prev=_t&hl=nl&ie=UTF-8&u=http%3A%2F%2Fwww.pcwebplus.nl%2Fphpbb%2Fviewtopic.php%3Ff%3D213%26t%3D10242

Edit

YooSecurity has published a Fake video on YouTube.

-http://www.youtube.com/watch?v=w38iNK72AwU-


