A malicious program disguised as "Skype" threatens users in Japanese: "I will erase the data if you do not click"



Malicious programs such as computer viruses behave in many different ways, but it has been revealed that one has appeared that threatens users in Japanese: "If you do not click, I will erase the data."

Having an English message you do not really understand suddenly appear is startling enough, but a message in a language you can actually read may have all the more impact.

Details are as below.
"I will erase the data if you do not click": Malware that warns in Japanese | Trend Micro Security Blog (security blog by virus analysts)

According to the official blog of Trend Micro, known for its "OfficeScan" series of security software, the company operates "TrendLabs (Trend Lab)", which aggregates threat information from all over the world and provides countermeasure technology. "Regional Trend Labs", which collect threat information closer to each region, are set up in a total of 12 locations around the world, and they reportedly monitor Internet threat trends 24 hours a day.

Many targeted attacks aimed at users in Japan and fake security software with Japanese-language displays have already been confirmed. In February 2011, the Regional Trend Lab for Japan, which started operation at the Tokyo headquarters in 2007, confirmed samples of a new malicious program with a distinctive Japanese warning screen.

This is the malicious program. It gets onto the computer under the file name "SkypeStartUp0.exe", posing as a "Skype" installation module. The infection route is presumed to be download from a website or distribution by email from infected users.


When the module is executed, a threatening message titled "Starting up" is displayed, saying "If you do not click, I will erase all data on the computer". The item next to the threatening message is a link to a real website, and the aim is presumed to be earning affiliate income from the clicks.


The text of the threatening message looks like this.

If you do not click ←, I will erase all of your computer's data
Later, we will disclose all personal information along with data deletion
It's a click until the Internet page opens? Of course I understand ...
Later, I will exterminate the virus specially if I infect other people (50 people) with this virus. (50 people after)


When you press the "Close" button, a dialog asking "Are you sure you really want to close?" is displayed, but whether you press "Yes" or "No", the process stays resident. The program does not register itself at startup, create files, or change the registry, so the contents of the threat, such as "deletion of data and disclosure of personal information", will not actually happen.


A malicious program with the file name "Yahoo Mail 0. Exe", reminiscent of a "Yahoo! Mail" application for the "Yahoo!" mail service, has also been confirmed.


When the user runs it, a "Please wait a while" screen is displayed, and an advertisement from an external site is shown in the window.


I tried to close it. No threatening message is displayed, but the rest of the behavior is the same: a screen asking "Do you really want to close?" is displayed, the process remains resident whether you choose "Yes" or "No", and no files or registry entries are created.


According to the Regional Trend Lab's analysis, the author's programming ability is estimated to be not very high. However, because the program ultimately steers users to an affiliate site, it is clearly aimed at monetary gain, and we cannot rule out the possibility that new programs of this kind will appear.

Trend Micro urges users, if the same kind of thing happens because of a new kind of malicious program or the like, to deal with it calmly in the same way as with fake security software.

in Note, Posted by darkhorse_log