Online Ad Campaigns Masquerading as CryptoLocker

CryptoLocker is a recently discovered Windows malware that encrypts user data, renders it unusable, and then demands a sum of money (a ransom) from the user to decrypt it. As of December 2013, the creators of CryptoLocker had reportedly pulled in $30 million in just 100 days. In what may be called an attempt to ride this cash cow, Quick Heal has recently discovered a malware that imitates it. Here is a quick snippet about it.

How the Malware Works
Quick Heal detects this malware as FraudTool.Legtot.A3. The malware essentially pretends to do to the targeted user's data what the real CryptoLocker does.

When executed, the malware copies itself to the AppData folder under the name 'svhost .exe' (with a space, presumably to resemble the legitimate svchost.exe). To the user it presents itself as CryptoLocker. The malware kills all running applications on the computer, including Explorer. It adds AutoRun entries so that it executes automatically whenever the machine is started.
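The persistence pattern just described (an image dropped under AppData, a file name padded to look like a system binary, and a Run-key entry to relaunch it) is easy to triage from a `reg query` or Autoruns export. The script below is an added example, not Quick Heal's code and not anything taken from the malware: it runs over a constructed list of Run-key values (the user name alice, the OneDrive, SecurityHealth and Updater entries, the short list of impersonated binaries and the similarity cut-off are all assumptions) and flags images that live in user-writable directories, system-binary names sitting outside the Windows directory, and file names that are near-miss lookalikes of core Windows processes.

```python
"""Triage Windows Run-key entries for the pattern described above.

Added example, not Quick Heal's code. Input is a list of (value name, command)
pairs as exported from HKCU\\...\\CurrentVersion\\Run by `reg query` or Autoruns;
the entries below are constructed, and the thresholds are assumptions.
"""
import difflib
import ntpath
import re

# Core Windows processes that malware likes to impersonate (assumed short list).
SYSTEM_BINARIES = {
    "svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe",
    "winlogon.exe", "rundll32.exe",
}
# Directories a non-admin user can write to; a legitimate system binary never lives here.
USER_WRITABLE = re.compile(r"\\(users|appdata|programdata|temp)\\", re.IGNORECASE)
LOOKALIKE_RATIO = 0.85  # assumed cut-off for difflib similarity

# Constructed sample: what a Run key might look like on a machine hit by this malware.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("CryptoLocker", r"C:\Users\alice\AppData\Roaming\svhost .exe"),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Updater", r"C:\ProgramData\Updater\explorer.exe"),
]


def expand_env(path: str) -> str:
    """Resolve the two environment variables Run values commonly use (assumes drive C:)."""
    return re.sub(r"%(windir|systemroot)%", r"C:\\Windows", path, flags=re.IGNORECASE)


def image_path(command: str) -> str:
    """Extract the executable path from a Run-value command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    # Unquoted: take everything up to the first ".exe". A space inside the file
    # name, as in "svhost .exe", therefore stays part of the path instead of
    # being mistaken for the start of the arguments.
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def lookalike_of(filename: str):
    """Return the system binary a lower-case, whitespace-free name resembles, or None."""
    best = max(SYSTEM_BINARIES,
               key=lambda b: difflib.SequenceMatcher(None, filename, b).ratio())
    if difflib.SequenceMatcher(None, filename, best).ratio() >= LOOKALIKE_RATIO:
        return best
    return None


def triage(entries):
    """Return one finding per entry: name, resolved image path, severity and reasons."""
    findings = []
    for name, command in entries:
        image = expand_env(image_path(command))
        filename = ntpath.basename(image).lower()
        squashed = re.sub(r"\s+", "", filename)   # "svhost .exe" -> "svhost.exe"
        reasons, severity = [], "none"
        if USER_WRITABLE.search(image):
            reasons.append("image lives under a user-writable directory")
            severity = "medium"
        if squashed in SYSTEM_BINARIES:
            if not re.search(r"\\windows\\", image, re.IGNORECASE):
                reasons.append(f"system binary name {squashed} outside the Windows directory")
                severity = "high"
            elif squashed != filename:
                reasons.append(f"whitespace inserted into system binary name {filename!r}")
                severity = "high"
        else:
            target = lookalike_of(squashed)
            if target:
                reasons.append(f"file name {filename!r} mimics {target}")
                severity = "high"
        findings.append({"name": name, "image": image,
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RUN_ENTRIES):
        if f["reasons"]:
            print(f"[{f['severity']:6}] {f['name']}: {f['image']}")
            for r in f["reasons"]:
                print(f"         - {r}")
```

On the constructed input the OneDrive entry comes out as medium (AppData is where OneDrive legitimately installs, so a user-writable path alone is only a prompt to look), the 'svhost .exe' entry as high on two counts, and the explorer.exe copy in ProgramData as high because that name belongs only under the Windows directory.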

The malware then shows a prompt as shown in the image below:

[Image: Cryptolocker_New1, the fake CryptoLocker prompt]

Does the Malware Encrypt User Files for Real?
In reality, the malware does not encrypt any file on the user's machine. By displaying the message shown above, it exploits the fear that most people have of the real CryptoLocker. What it actually does is lock the user out of the system by continuously monitoring running applications and killing them.
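The question in this section's heading is one a responder should answer from the disk rather than from the dialog box. The script below is an added example, not Quick Heal's code: it reads the first bytes of every file under a directory and calls a file intact when a known format header survives or its byte entropy stays at the level of text and structured data, and likely encrypted only when the content looks like random noise with no header. The sample directory, the header table and the 7.5 bits-per-byte cut-off are constructed assumptions.

```python
"""Is the data really encrypted? Check the files, not the ransom note.

Added example, not Quick Heal's code. A file-encrypting ransomware leaves
ciphertext: near-maximal byte entropy and no recognisable header. Scareware
that only shows a message leaves files untouched. Sample files are constructed
in a temporary directory; the header table and the entropy cut-off are assumptions.
"""
import math
import os
import tempfile
from collections import Counter

# Leading bytes of a few common user-file formats (assumed short table).
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip / modern Office",
    b"\xd0\xcf\x11\xe0": "OLE / legacy Office",
}
ENTROPY_CUTOFF = 7.5   # bits per byte; text is ~4-5, ciphertext and random data ~8
SAMPLE_BYTES = 4096    # enough for a stable entropy estimate, cheap to read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for a constant byte, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_bytes(head: bytes) -> str:
    """Classify a file's leading bytes as 'empty', 'intact' or 'likely-encrypted'."""
    if not head:
        return "empty"
    for magic in MAGIC:
        if head.startswith(magic):
            return "intact"        # a surviving format header rules out wholesale encryption
    if shannon_entropy(head) >= ENTROPY_CUTOFF:
        return "likely-encrypted"  # no header and noise-like content
    return "intact"


def classify_file(path: str) -> str:
    """Classify one file from its first SAMPLE_BYTES bytes."""
    with open(path, "rb") as f:
        return classify_bytes(f.read(SAMPLE_BYTES))


def scan_directory(root: str) -> dict:
    """Map every file under root to its classification."""
    return {
        os.path.join(d, n): classify_file(os.path.join(d, n))
        for d, _, names in os.walk(root) for n in names
    }


def summarize(results: dict) -> dict:
    """Count verdicts; the number a responder wants to see first."""
    return dict(Counter(results.values()))


def build_sample_dir() -> str:
    """Construct a directory with an intact PDF stub, a text file and a ciphertext-like blob."""
    d = tempfile.mkdtemp(prefix="cl_check_")
    with open(os.path.join(d, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40)
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"Quarterly figures, untouched by any malware.\n" * 60)
    with open(os.path.join(d, "photo.jpg.locked"), "wb") as f:
        f.write(os.urandom(SAMPLE_BYTES))   # stand-in for a really encrypted file
    return d


if __name__ == "__main__":
    d = build_sample_dir()
    results = scan_directory(d)
    for path, verdict in sorted(results.items()):
        print(f"{verdict:17} {os.path.basename(path)}")
    print(summarize(results))
```

Point it at a user's Documents folder: if the summary shows every file intact while the screen says otherwise, you are looking at the scareware described here, not at CryptoLocker. Compressed formats (zip, JPEG bodies past the header) are high-entropy too, which is why the header check runs before the entropy check and why a handful of flagged files without headers needs a second look before anyone is told their data is gone.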

What Happens if User Responds to the Message?
If the user clicks the 'Open Survey' link in the message box, it opens a browser with various ad campaigns, which pass through the following sites: totally-legit.biz, filesquick.net and glispa.com. The last of these serves ads from OLX, Shophunk and BigFlix and even suggests apps such as WeChat.

[Image: SMSSurvey]

An example of the ad campaigns targeted by this malware is shown below. This advertisement on shophunk.com lures users into buying mobile phones at unbelievably cheap prices by participating in a contest.

[Image: shophunk_fraud, the Shophunk contest advertisement]

These ads indicate that the malware authors are monetizing the infection through affiliate networks such as glispa.com, combined with social engineering.

Another example of an ad campaign targeted by the malware is one from BigFlix Entertainment, which claims to offer unlimited movie streaming for the first month of subscription at just Rs. 1 (see image below).

[Image: bigflix, the BigFlix Rs. 1 subscription advertisement]

Users are strongly advised not to be lured by such too-good-to-be-true advertising campaigns into paying money to fraudulent online shopping sites. To block fraudulent and phishing websites that steal user information, try Quick Heal Internet Security, which offers real-time web protection from online threats.

Rajesh Nikam

14 Comments

  1. James George, March 11, 2014 at 4:00 PM

    The information about "CryptoLocker" mimics and ad campaigns, where malware authors are taking advantage of affiliate interfaces. Very happy to learn about a possible threat. Refrain from responding to such too-good-to-be-true advertisement campaigns and ending up paying money to fraudulent online shopping sites. Thank you for the alert. No worries at all for me in this regard. My system is protected with Quick Heal Internet Security, which detects this malware.
    Be a proud owner of Quick Heal. Thank you Quick Heal.
  2. Quick Heal is excellent, that's all in one word.
  3. This info can be found anywhere. But what about the lost data?

    The data really got encrypted, as suggested by "QUICK HEAL SUPPORT".

    I have 4 systems in my network. One got hit by this "cryptolocker" and within two days all my data was lost (corrupted) across the whole network.
    Customer care says Quick Heal will detect the virus the next time it comes. But after one month the same situation is here. I have "QH TS 2014", and even with the latest virus database I don't feel safe enough.

    What should I do now?
    Whom do I ask for help?

    Note:
    All systems have genuine Windows 7 with the latest updates.
    • Rajiv Singha, March 12, 2014 at 10:17 AM

      Hi Ajay,

      It is unfortunate that you lost your data because of the CryptoLocker. We request you to contact our technical support team so that they can analyze the issue and provide you with a solution. You can get in touch with the team at 0-927-22-33-000.

      Regards,
      • I've contacted your support team. They found nothing, and in addition they told me that the virus was removed automatically, by itself, after corrupting my data.

        Now I had to format all systems and recreate all the data, which was such a pain.

        But my question is, "why did I have to suffer from this issue?"

        Even with the latest updates of both Quick Heal and Microsoft.

        Microsoft told me that it is "clearly a virus problem".

        Should I trust Quick Heal for safety and security?
  4. Very nice...
  5. Shyam Lagad, March 11, 2014 at 9:35 PM

    Thanks for the information.
  6. prakash.n.gohil, March 11, 2014 at 10:15 PM

    Quick Heal Security: I am happy, and it's superb.
  7. vishalvkher, March 11, 2014 at 11:25 PM

    Good information, thanks for your update.
  8. Thank you…
  9. Abhilash Pandya, March 12, 2014 at 10:30 AM

    Quick Heal antivirus software is very good software among all the other antivirus software.
  10. yogesh yadav, March 12, 2014 at 2:35 PM

    Thanks for the information.
  11. Dr D Acharya, May 18, 2014 at 12:31 PM

    I have been using Quick Heal Total Security and it has been working fine. I had been using paid versions of Kaspersky, and with their poor services my computer crashed many a time due to viruses.
  12. Dr D Acharya, May 18, 2014 at 12:32 PM

    My experience with Quick Heal Total Security has been good. I had a tough time when using Kaspersky due to their poor services.