When in Rome Do as the Romans Do
‘It has been said that arguing against globalization is like arguing against the Laws of Gravity’ – Kofi Annan (former UN Secretary General).
It appears malware writers have begun to take globalization to heart. You might recall an earlier blog post which highlighted the fact that malware authors were failing to tailor their malware to the OS locale. They seem to be learning and correcting their errors.
Here at K7TCL we came across a malware sample that, upon execution, seems like yet another example of ransomware (a Winlocker, to be specific). The malware displays a fake system crash message as shown below:
It is unlikely to matter to a layman, but FYI, the memory address 0x3BC3 is in the range generally reserved for MS-DOS features rather than modern system process code, so from a technical viewpoint the message is clearly bogus.
In the above case, access to the computer is denied until the victim enters a ‘deactivation key’, which needs to be requested from the attacker by dialing telephone numbers that seem to originate from the African continent.
Interestingly, examining the strings inside the malware reveals that the above fake message is available in several languages. Playing around with the ‘Regional and Language Options’ in Control Panel and then executing the malware resulted in the following:
From the above screenshots it is clear that malware authors are investing significant resources in creating the world’s local malware. By covering a few more languages, the malware authors have now managed to expand their potential targets across multiple continents, thereby probably increasing their revenue severalfold.
One can only speculate about the stage at which the victim loses his/her money, whether on entering the ‘deactivation key’ the malware would actually release the system, and whether the malware would return at a later stage to trouble the user some more.
This threat is detected as Password-Stealer (0028ee481) by K7 Total Security.