Cybersecurity researchers have put forward another reason not to browse dodgy adult websites: some spread viruses capable of completely destroying computers.
Recently, Cyble experts discovered a number of websites whose domain names suggest they could contain pornographic material. Once someone navigates to these sites, he or she will be prompted to download a file called “SexyPhotos.JPG.exe”.
While this would set off every mental alarm imaginable for the experienced Internet user, those not so well versed could fall into the trap, especially since Windows hides file extensions by default.
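The double-extension lure described above can be caught with a simple filename check. The following is an added example, not code from Cyble or BleepingComputer; the extension sets, function names and sample paths are assumptions constructed for illustration, and the display-name logic only approximates what Explorer shows when extensions are hidden.

```python
import ntpath

# Assumed extension sets for illustration; tune them to your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}

# Constructed sample of downloaded file paths (not real telemetry).
SAMPLE_DOWNLOADS = [
    r"C:\Users\alice\Downloads\SexyPhotos.JPG.exe",
    r"C:\Users\alice\Downloads\setup.exe",
    r"C:\Users\alice\Downloads\holiday.v2.jpg",
    r"C:\Users\alice\Downloads\Invoice.pdf.SCR",
]


def explorer_display_name(path):
    """Approximate the name a user sees when known extensions are hidden."""
    base = ntpath.basename(path)
    stem, ext = ntpath.splitext(base)
    return stem if ext else base


def is_double_extension_lure(path):
    """True when a decoy media/document extension precedes an executable one."""
    stem, real_ext = ntpath.splitext(ntpath.basename(path))
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False  # final extension is not executable
    _, decoy_ext = ntpath.splitext(stem)
    return decoy_ext.lower() in DECOY_EXTS


def flag_downloads(paths):
    """Return (path, name shown to the user) for every suspicious file."""
    return [(p, explorer_display_name(p)) for p in paths
            if is_double_extension_lure(p)]


if __name__ == "__main__":
    for path, shown in flag_downloads(SAMPLE_DOWNLOADS):
        print(f"SUSPICIOUS: {path} (displayed as {shown!r})")
```

The same check fits a mail gateway, proxy log review or an endpoint download hook; ordinary installers and multi-dot media names are not flagged.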
Ransomware or Erasers?
When activated, the file drops four executables — del.exe, open.exe, windll.exe, and windows.exe — as well as one batch file named avtstart.ba in the temporary folder on the target endpoint.
Each file plays a unique role in this attack, but in general it all looks like a ransomware attack: the victim’s files are renamed and blocked, and a ransom note is left demanding $300 in Bitcoin, or $600 if payment does not arrive within three days.
But the bigger problem is that this isn’t a ransomware attack to begin with, but rather a file-wiping malware attack, whose operators have no intention of returning files to victims.
“Even if a decryptor is provided, it is impossible to rename files to their original filenames, as the malware makes no sense during the infection,” Cyble explains.
There is a way to undo the eraser's effects, BleepingComputer has found. Apparently, the wiper does not delete shadow copies, allowing users to restore their operating system to an earlier state. In other words, restoring the operating system from an older backup may solve the problem.
Via BleepingComputer