Ransom Trojan KDV.153863 – Call Me, Pay The Fee, And I’ll Unlock Your Kidnapped Windows System

Ransomware is a vicious form of malware, given that it generally encrypts the victim’s files or restricts the user’s ability to access the computer in some way. Payment of a ransom fee is the common element in all ransomware attacks.

According to F-Secure, a new form of ransomware (KDV.153863), which reportedly locks the victim’s computer and leaves the machine essentially unusable, is currently circulating on the Internet.

An infection by KDV.153863 will lead to the following boot screen.

[Screenshot: the lock screen displayed at boot on an infected machine. Graphic courtesy of F-Secure.]

In line with previous versions of this type of malware, an unlock code can be had (ostensibly for free) by following a set of specific instructions.

The following graphic sets out the method the victim must follow to obtain an activation code. The activation code does, in fact, unlock the victim’s computer. Cybercriminals with a conscience, or just good business strategy?

[Screenshot: the instructions shown to the victim for obtaining an activation code, including the telephone numbers to call. Graphic courtesy of F-Secure.]

You’ll notice in the screenshot that all of the available telephone numbers are international, and it’s through this “recovery” arrangement that the cyber crook profits.

The Trojan author, collaborating with rogue call center operators, has designed a four-minute message routine which the victim is forced to listen to while exorbitant long-distance toll fees accumulate. This is similar, in a sense, to the old 900 premium-rate telephone number scams. Apparently, these fees are shared between the cyber crook and the call center operators.

Following the forced four-minute message routine, the victim is given an unlock code (1351236) which, according to F-Secure, appears to be the same every time the number is called. Since the code is fixed rather than tied to the infected machine, a victim who already knows it has no reason to place the call at all.

We’ve been dealing with this type of malware, on and off, for years. If previous experience is any indication (and it is), we can expect to see more of this type of malware, in a more general release, through the balance of this year.

Reduce the possibilities of infection by this and other malware by taking the following precautions:

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable Java, JavaScript, and ActiveX if possible

Disable scripting features in email programs

Make regular backups of critical data. If you are infected, this may be your only solution

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer

Install a personal firewall on the computer

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure your anti-virus software scans all e-mail attachments

Don’t store critical data on the system partition
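As an added example (not part of the original post or of F-Secure’s advisory), the following PowerShell script audits a Windows machine against several of the precautions above: file extensions visible, the built-in firewall on for every network profile, inbound file and printer sharing rules closed, the Windows Update service not disabled, and an anti-virus product registered with Security Center whose definitions are current. Run with -Fix, it also applies the first three. The registry path and cmdlets are standard Windows ones (the NetSecurity cmdlets need Windows 8 / Server 2012 or later); the decoding of the Security Center productState bits is a widely used community convention rather than a documented Microsoft interface, so treat that column as advisory.

```powershell
# Added example, not from the original post: audit (and with -Fix, enforce)
# several of the precautions listed above on a Windows machine.
# Run from an elevated PowerShell prompt, e.g.  .\Check-Precautions.ps1 -Fix
param([switch]$Fix)

$results = [System.Collections.Generic.List[object]]::new()
function Report($Name, $Ok, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; OK = [bool]$Ok; Detail = $Detail })
}

# "Disable hidden filename extensions": with HideFileExt = 1, Explorer shows
# "invoice.pdf.exe" as "invoice.pdf", which is how many mail-borne droppers
# get double-clicked.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -ne 0) {
    if ($Fix) { Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0 -Type DWord }
    Report 'Extensions visible' $Fix "HideFileExt was $hide"
} else {
    Report 'Extensions visible' $true 'HideFileExt = 0'
}

# "Install a personal firewall": the built-in Windows Firewall must be on for
# every network profile, not just the one currently active.
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
if ($off) {
    if ($Fix) { Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True }
    Report 'Firewall on for all profiles' $Fix ('not enabled: ' + ($off.Name -join ', '))
} else {
    Report 'Firewall on for all profiles' $true 'Domain, Private and Public enabled'
}

# "Turn off file and printer sharing": disable the inbound rules of the
# sharing group so SMB (TCP 445) is not reachable from the network.
$inbound = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
if ($inbound) {
    if ($Fix) { $inbound | Disable-NetFirewallRule }
    Report 'Sharing rules closed' $Fix "$(@($inbound).Count) inbound rule(s) were enabled"
} else {
    Report 'Sharing rules closed' $true 'no inbound sharing rules enabled'
}

# "Keep ... patched": at minimum the Windows Update service must not be
# disabled (report only; patch policy is an administrative decision).
$wu = Get-Service -Name wuauserv
Report 'Windows Update not disabled' ($wu.StartType -ne 'Disabled') "StartType = $($wu.StartType)"

# "Install anti-virus ... automatically update": list products registered
# with Security Center. The productState bit decoding below is a widely used
# community convention, not a documented Microsoft interface (assumption).
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if ($av) {
    foreach ($p in $av) {
        $realtime = ($p.productState -band 0x1000) -ne 0   # middle byte 0x10 = real-time protection on
        $outdated = ($p.productState -band 0x10)   -ne 0   # low byte 0x10 = definitions out of date
        Report "AV: $($p.displayName)" ($realtime -and -not $outdated) `
            ('productState=0x{0:X6} realtime={1} outdated={2}' -f $p.productState, $realtime, $outdated)
    }
} else {
    Report 'AV registered with Security Center' $false 'no product found'
}

$results | Format-Table -AutoSize
```

Without -Fix the script only reports, so it is safe to run first and review the table before changing anything. Items on the list that are behaviours rather than settings (not opening unknown attachments, keeping backups off the system partition, making a boot disk) cannot be checked this way and still depend on the user.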

Adhering to the best practices noted above is no guarantee that your system won’t be penetrated. All things considered, running your computer in virtualization mode while surfing the Net is highly recommended.

Please read Free BufferZone Pro – Maybe The Best Surfing Virtualization Application At Any Price, on this site, for information on virtualization.



Filed under Cyber Crime, Cyber Criminals, cybercrime, Don't Get Scammed, Don't Get Hacked, Internet Security Alerts, Malware Advisories, Malware Alert, Ransomware, Software, trojans, Windows Tips and Tools

12 responses to “Ransom Trojan KDV.153863 – Call Me, Pay The Fee, And I’ll Unlock Your Kidnapped Windows System”

  1. TRY

    Thanks Sir,

    Once bitten, Twice shy! 😉

    http://sunbeltblog.blogspot.com/2011/03/network-crime-ransomware-on-line-please.html


    Maybe the code – 1351236 given in the YouTube link might work like in its last version 😛

    I’m sure Malwarebytes AntiMalware Pro in real time will surely stop this ransomware dead in its tracks before it takes over the system.

    Of course, Bufferzone Pro will take care of it as well.

    Regards

    • Hey Try,

      Yes, I agree, Bufferzone Pro provides a layer of protection needed to handle this sort of penetration.

      Thanks for the vid link. Incidentally, the code in the video is the same code used in this new version.

      Best,

      Bill

  2. Murphy

    Hi,
    Good article .
    Best regards !

  3. Cappydog

    Hi Bill,

    Nice article! I myself wrote down that code for future reference just in case I get a call from a friend. The key word here is “LAYERS”.

  4. Hi Bill,
    Thanks for posting this article.

    These are great steps to avoid this kind of thing, but it still looks like the best protection we have is what you have been saying for years.

    The User behind the keyboard being smart and understanding that being on the computer on or off the net is something to be taken seriously.

    Thanks again

    TeX

    • Hey TeX,

      As you rightly point out – “being on the computer on or off the net is something to be taken seriously”. Increasingly so, it seems.

      Best,

      Bill

  5. Mal

    Hey Bill,
    Mongrels, aren’t they? Great advice, and you beat me to the punch by adding the part about virtualization, my favourite security topic at the moment. The whole idea of virtualization is to take care of crap like this. Good post.
    Cheers
    Mal

    • Hey Mal,

      They’re Mongrels – for sure. Worse descriptions might apply, but this is a family-friendly site. 🙂

      As you know, at one time virtualization was a tough row to hoe – but no longer. With the number of choices now available in easy-to-understand and easy-to-operate virtualization apps, many of which are free, it’s never been easier for typical users to boost their Internet safety.

      Best,

      Bill

  6. jim

    Hey, I have been hit with a similar virus, but it is only asking for 5 digits. I was wondering if anybody has had the same ransom Trojan and has the code. The first two phone #’s are 00263778289408
    002392216542
    if that helps to identify it.
    Any help would be greatly appreciated, as I have no landline.

    thanks,
    Jim

    • Hi Jim,

      I can’t offer you any direct help on this since, as far as I can see, the recovery code has not been published. You can check out this Microsoft page on which others are dealing with the same Trojan. There may be some info you can use.

      It may be that a reader here has an answer but….

      Good luck.

      Bill