I got Spam?!

A new Trojan making the rounds offers a new twist-it takes over your desktop and won't go away unless you pay $35! Call it ransomware. The Trojan, called Backdoor.Win32.Delf.ctk, locks the user out of their desktop and displays this full screen, poorly spelled warning:

"ERROR: Browser Security and Antiadware Software component license exprited!"

It goes on to a grammatically nightmarish explanation of what could happen if you don't renew this supposed "license".

(It also assumes the user enjoys surfing porn sites!). Clicking on "Click to activate new license" prompts the user to call a 900 number in order to fork over their $35, and offers two international numbers in case they have any problems. The 900 number appears to belong to a payment processor used by porn sites. Sunbelt Software has provided a screen by screen walkthrough here. Unfortunately, while the bad spelling and grammar are a clear tip off that it's a scam, by the time any of your users are viewing the "warning" it's too late. The only way to regain control of the infected system is to pay the $35. None of the big anti-virus vendors have come up with a removal tool yet, and it's not clear if the Trojan can be eliminated by a hard drive reformat. This new trend is definitely one to keep a very close eye on!

• Successful Spammers To Get More Time in the Slammer
• FTC Issues Report on Malicious Spam and Phishing
• FBI's "Operation Bot Roast" Nets Eight Arrests
• McAfee Releases GroupShield for Microsoft Exchange
• Spikes In Spam Put Your Business at Risk
• Protecting Your Server From Rootkits
• BitDefender Announces 2007 Top 10 Lists
• BotNet Hitting Networks Hard
• Kaspersky Security 6.0 For Exchange Server 2007 Beta Released
• Botnets-How They Work and What They Can Do
• Happy New Year from IGotSpam?!
• Spam Filters-Desktop or Server Based?
• Anti-anti-spam spam: Spam is becoming plain silly
• December State of Spam Report

Filed under: Malware Tags: by admin Date 3 January, 2008