Not long ago my colleague Nguyen Hong Quang wrote an entry about a cyber fraud run by Russian hackers. Reading that entry, I expected the hackers to keep expanding this fraud. As expected, our honeypot has recently collected numerous malware samples used for this sort of scam, but with a new scenario and on a much larger scale.
Where earlier variants of this malware posed as porn videos, this time they pose as installers and updaters for established software such as Adobe Flash Player and Firefox. If you trust and run the “software”, you will see a “Windows license locked” warning at your next startup. The warning is fake; the malware creates it. The window appears right after you log on to the system and is set to full screen and always-on-top, which stops you from closing it or switching to any other window, including Windows Task Manager. The computer can no longer be used.
Figure 1: Warning window set to always-on-top mode; it cannot be closed.
The window adds more threats: “Windows license locked… system reinstallation may lead to the loss of personal data”, but the menace is empty. Where earlier versions of this warning were only in Russian, this time it appears in several languages, showing the hackers' growing “ambition”. :D
After the threats come the instructions for getting out of the trouble, in return for money. This time the scam imitates Microsoft's activate-Windows-by-phone procedure:
Figure 2: Fake Windows activation by phone
In this window the hacker gives quite detailed instructions, from how to place the call from a landline or a mobile phone to how to enter the code correctly, all to make users easier to fool.
Curious about this system, I made myself the prey and placed a call. After trying all the numbers provided, I finally managed to connect to a number with a Danish country code. A female voice from the switchboard said: “Hello, welcome to our activation system … Enter your code. Our system will send you the activation key”.
Even with the detailed instructions on how to enter the code, I still failed to get a Windows activation key after three consecutive attempts.
This means there is no activation key; the more you call, the more money you lose.
If you do fall victim to this trick, do not worry too much, and do not call these numbers either. The warning removes itself after 3 days, possibly after the hackers have earned a whopping sum from your phone calls.
Figure 3: The hacker schedules a task that runs the malware within 72 hours of the user's logon.
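For anyone who wants to check a machine (or an exported task list from it) for a persistence entry like the one in Figure 3, the script below is an added example, not code from the original post or from the malware. It parses the verbose CSV that `schtasks /query /fo CSV /v` prints and flags tasks that run at logon, start an executable from a user-writable directory, and expire within three days of their start date. The task name `\updateflashplayer`, the path `flashplayer_update.exe`, the three-day threshold and the dd/mm/yyyy date format are all assumptions made up for the sample; the sample CSV is constructed, not captured from an infected machine.

```python
import csv
import io
from datetime import datetime

# Constructed sample of `schtasks /query /fo CSV /v` output: one benign Microsoft
# task and one task shaped like the scam's 72-hour logon entry. Task names,
# paths and dates are made up for this example; nothing here was captured from
# a real infected host.
SAMPLE_SCHTASKS_CSV = r"""
"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment","Scheduled Task State","Idle Time","Power Management","Run As User","Delete Task If Not Rescheduled","Stop Task If Runs X Hours and X Mins","Schedule","Schedule Type","Start Time","Start Date","End Date","Days","Months","Repeat: Every","Repeat: Until: Time","Repeat: Until: Duration","Repeat: Stop If Still Running"
"PC1","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","1","Microsoft Corporation","%windir%\system32\defrag.exe -c","N/A","N/A","Enabled","Disabled","Stop On Battery Mode, No Start On Batteries","SYSTEM","Disabled","72:00:00","Scheduling data is not available in this format.","Weekly","01:00:00","01/01/2011","N/A","WED","Every 1 week(s)","Disabled","Disabled","Disabled","Disabled"
"PC1","\updateflashplayer","N/A","Ready","Interactive only","N/A","0","PC1\user","C:\Users\user\AppData\Local\Temp\flashplayer_update.exe","N/A","N/A","Enabled","Disabled","Stop On Battery Mode, No Start On Batteries","PC1\user","Disabled","72:00:00","Scheduling data is not available in this format.","At logon time","N/A","15/03/2011","18/03/2011","N/A","N/A","N/A","N/A","N/A","N/A"
"""

# Directories an ordinary user can write to. A logon task whose executable lives
# here is far more suspicious than one under %windir% or Program Files.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# The scam's task lives for three days. Threshold assumed from the post's 72-hour figure.
MAX_SHORT_LIFETIME_DAYS = 3


def parse_schtasks_csv(text):
    """Parse `schtasks /query /fo CSV /v` output into a list of dict rows.

    Some Windows versions repeat the header line before every task, so header
    rows are recognised and dropped wherever they appear.
    """
    header = None
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec:                      # blank line
            continue
        if rec[0] == "HostName":         # (possibly repeated) header line
            header = rec
            continue
        if header is None:
            raise ValueError("CSV header not found before first data row")
        rows.append(dict(zip(header, rec)))
    return rows


def _parse_date(value, date_fmt):
    try:
        return datetime.strptime(value, date_fmt)
    except ValueError:                   # "N/A" or a different locale format
        return None


def assess_task(row, date_fmt="%d/%m/%Y"):
    """Return the reasons a task resembles the scam's 72-hour logon task.

    date_fmt is locale dependent; the constructed sample uses dd/mm/yyyy.
    """
    reasons = []
    if "logon" in row.get("Schedule Type", "").lower():
        reasons.append("runs at user logon")
    command = row.get("Task To Run", "").lower()
    if any(marker in command for marker in USER_WRITABLE_MARKERS):
        reasons.append("executable in a user-writable directory")
    start = _parse_date(row.get("Start Date", ""), date_fmt)
    end = _parse_date(row.get("End Date", ""), date_fmt)
    if start and end and 0 <= (end - start).days <= MAX_SHORT_LIFETIME_DAYS:
        reasons.append("expires %d day(s) after its start date" % (end - start).days)
    return reasons


def find_suspicious_tasks(text, date_fmt="%d/%m/%Y", min_reasons=2):
    """Return [(task name, reasons)] for tasks matching at least min_reasons heuristics."""
    hits = []
    for row in parse_schtasks_csv(text):
        reasons = assess_task(row, date_fmt)
        if len(reasons) >= min_reasons:
            hits.append((row["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    # On a live Windows host, feed it the real output instead of the sample:
    #   subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
    #                  capture_output=True, text=True).stdout
    for name, reasons in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(name, "->", "; ".join(reasons))
```

Requiring two of the three heuristics keeps ordinary logon tasks (updaters installed under Program Files, for instance) out of the output, while the combination of a logon trigger, a binary in `AppData\Local\Temp` and a three-day end date is exactly the shape of the task in Figure 3.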
Having to turn on your computer and wait 3 days would be annoying and would obviously disrupt your work. So, to ensure comprehensive protection for your computers against this kind of malware, use licensed antivirus software and keep it updated regularly.
P.S.: Reversing the recent variants of the malware, I found that they use only one hard-coded activation key: “1351236”.
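A quick way to look for such a hard-coded code in another sample, as an added example (not the post's own tooling): pull printable ASCII and UTF-16LE strings out of a binary and keep the digit-only ones of plausible code length. The assumption that the code is stored as a plain UTF-16LE string, the 6 to 8 digit length filter and the sample bytes below are all made up for illustration; the bytes are not taken from the real malware.

```python
import re

# Constructed stand-in for a slice of a Win32 binary's data section: padding,
# an ASCII message, the unlock code as a UTF-16LE string (the form a Win32 GUI
# program's string compare usually expects), some noise and two strings that
# must not be reported. Not bytes from the real sample.
SAMPLE_DATA_SECTION = (
    b"\x00\x00\x90\x90"                       # offset 0: padding
    + b"Windows license locked\x00\x00"       # offset 4: ASCII message, double-null terminated
    + "1351236".encode("utf-16-le")           # offset 28: the hard-coded code, UTF-16LE
    + b"\x00\x00"                             # UTF-16 terminator
    + b"\xde\xad\xbe\xef"                     # noise
    + b"Dial 00457\x00"                       # offset 48: ASCII, but not digit-only
    + "12".encode("utf-16-le") + b"\x00\x00"  # too short to count as a string
)

# A code of 6 to 8 decimal digits; assumed shape, based on the 7-digit key in the post.
CODE_RE = re.compile(r"^\d{6,8}$")


def extract_strings(blob, min_len=4):
    """Return sorted (offset, encoding, text) for ASCII and UTF-16LE runs in blob.

    UTF-16LE runs are recognised as printable ASCII bytes each followed by 0x00,
    which is how a Windows wide string looks in the file.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def candidate_unlock_codes(blob, min_len=4):
    """Return the extracted strings that look like an activation/unlock code."""
    return [(off, enc, s) for off, enc, s in extract_strings(blob, min_len)
            if CODE_RE.match(s)]


if __name__ == "__main__":
    # For a real file: candidate_unlock_codes(open(path, "rb").read())
    for off, enc, s in candidate_unlock_codes(SAMPLE_DATA_SECTION):
        print("0x%08x %-8s %s" % (off, enc, s))
```

Checking each candidate against the lock screen confirms the hard-coded key; the digit-only filter only narrows the list, since version strings, phone numbers and resource IDs also survive a plain strings dump.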
Nguyen Cong Cuong
Senior Malware Researcher