Cybersecurity researchers have highlighted another reason not to browse dodgy adult websites: some of them are distributing malware capable of leaving a computer's files unrecoverable.
Recently, experts from Cyble discovered a couple of websites, whose domain names suggest they could feature pornographic materials. As soon as someone navigates to these sites, they are prompted to download a file named “SexyPhotos.JPG.exe”.
While for the experienced web user this would trigger every mental alarm conceivable, people who are not as well-versed might fall for the trap, particularly as Windows hides file extensions by default, so the file appears simply as “SexyPhotos.JPG”.
Ransomware or wipers?
When triggered, the file drops four executable files – del.exe, open.exe, windll.exe and windows.exe – as well as one batch file called avtstart.ba into the temporary folder on the target endpoint.
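The two defender-relevant details above, a double extension that Windows hides and a fixed set of dropped file names, can be checked programmatically. The following is an added example, not code from the article or from Cyble; the extension lists are a representative subset (an assumption, not an exhaustive list) and the temp-folder listing is constructed for illustration.

```python
import ntpath  # Windows-style path handling, works on any host

# Assumption: a representative subset of extensions Windows runs directly.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs", ".ps1"}
# Extensions a user expects to be harmless data files.
DATA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt", ".mp4"}

# File names the article reports the dropper writes to the temp folder.
DROPPED_ARTIFACTS = {"del.exe", "open.exe", "windll.exe", "windows.exe", "avtstart.ba"}

# Constructed sample listing of a victim's temp folder (not real data).
SAMPLE_TEMP_LISTING = [
    r"C:\Users\alice\AppData\Local\Temp\del.exe",
    r"C:\Users\alice\AppData\Local\Temp\windll.exe",
    r"C:\Users\alice\AppData\Local\Temp\report.txt",
]


def displayed_name(filename: str) -> str:
    """Name Explorer shows when 'Hide extensions for known file types' is on."""
    stem, ext = ntpath.splitext(filename)
    return stem if ext else filename


def is_disguised_executable(filename: str) -> bool:
    """True when the real extension is executable but the name the user sees
    ends in a data extension, e.g. SexyPhotos.JPG.exe shown as SexyPhotos.JPG."""
    stem, ext = ntpath.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, visible_ext = ntpath.splitext(stem)
    return visible_ext.lower() in DATA_EXTS


def dropped_artifacts_present(listing) -> set:
    """Return which of the reported dropped file names appear in a folder listing."""
    names = {ntpath.basename(p).lower() for p in listing}
    return DROPPED_ARTIFACTS & names


if __name__ == "__main__":
    lure = "SexyPhotos.JPG.exe"
    print(f"{lure} is shown as {displayed_name(lure)}; disguised: {is_disguised_executable(lure)}")
    print("dropped artifacts found:", sorted(dropped_artifacts_present(SAMPLE_TEMP_LISTING)))
```

Flagging a download before it runs and scanning the temp folder for the dropped names are both cheap detections; restoring from shadow copies, as noted later in the article, remains the recovery path once the wiper has run.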
Each file has a unique role to play in this attack, but in general, this is all made to look like a ransomware attack: the victim’s files are renamed and blocked, and a ransom note is left behind, demanding $300 in Bitcoin or $600 if the payment doesn’t come within three days.
But the bigger problem is that this isn’t a ransomware attack to begin with, but rather a file-wiping malware attack, whose operators have no intention of returning any files to the victims.
“Even if a decryptor is provided, renaming files to their original file name is impossible as the malware is not storing them anywhere during the infection,” Cyble explained.
There is one way the effects of the wiper could be reversed, BleepingComputer has found. The wiper does not delete shadow copies, so users can restore their operating system to a previous state. In other words, rolling the OS back to an older restore point or backup may resolve the problem.
Via BleepingComputer