Thursday, 13 January 2011

Fake Kaspersky site hosts ransomware



Distributed through a fake Kaspersky site (hxxp://www.kaspepsky.ru), a very detailed copy of the real one.







"internetsecurity.updater.exe"

When installed it displays a shortcut on your desktop which, when clicked, reboots your computer:

Autoruns through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, which is set to c:\windows\system32\explorerr.exe
 
Ransomware pictures:




Main window:

Number to call: 89261072166
Mail to send: ya-snimu-ego@yandex.ru

Unblocking is kinda problematic because the Ok button's click handler does nothing at all:
  .method public void Ok_Click(class System.Object a, class System.Object b)
  {
    ret
  }
(And yeah, it's .NET lol)
So to unlock Windows, press ALT+F4.


Note: Don't forget to re-enable Task Manager:
1.bat:
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f

1.reg:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
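The two fixes above (1.bat and 1.reg) undo exactly what this locker changes: the Winlogon Shell value and the two lockout policies. The script below is an added example, not code from the original post, that audits both locations and optionally repairs them. It assumes the stock Shell value should be exactly "explorer.exe" and must be run from an elevated PowerShell prompt to write under HKLM.

```powershell
# Added example (not from the original post): audit and optionally repair the
# registry locations abused by this screen locker.
# Usage:  .\Check-Locker.ps1           (report only)
#         .\Check-Locker.ps1 -Repair   (report and fix; run elevated)
param([switch]$Repair)

# Persistence location used by the sample (Shell pointed at explorerr.exe)
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Per-user policies the sample sets to keep the victim from killing it
$Policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$LockoutValues = 'DisableTaskMgr', 'DisableRegistryTools'

# --- 1. Winlogon Shell -------------------------------------------------------
$shell = (Get-ItemProperty -Path $Winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    Write-Warning "Winlogon Shell is '$shell' (expected 'explorer.exe')"
    # Report whether the replacement shell still exists on disk, for triage
    $candidate = $shell.Split(',')[0].Trim().Trim('"')
    if (Test-Path -LiteralPath $candidate) {
        Write-Warning "Shell binary present on disk: $candidate"
    }
    if ($Repair) {
        Set-ItemProperty -Path $Winlogon -Name Shell -Value 'explorer.exe'
        Write-Host 'Winlogon Shell restored to explorer.exe'
    }
} else {
    Write-Host "Winlogon Shell OK ($(if ($shell) { $shell } else { 'default' }))"
}

# --- 2. Task Manager / Registry Editor lockout --------------------------------
if (Test-Path $Policies) {
    $p = Get-ItemProperty -Path $Policies
    foreach ($name in $LockoutValues) {
        if ($p.PSObject.Properties[$name] -and $p.$name -eq 1) {
            Write-Warning "$name is set to 1 under HKCU Policies\System"
            if ($Repair) {
                Remove-ItemProperty -Path $Policies -Name $name
                Write-Host "$name removed"
            }
        } else {
            Write-Host "$name not set"
        }
    }
} else {
    Write-Host 'No HKCU Policies\System key present'
}
```

Deleting the policy values (rather than setting them to 0) matches what 1.bat does and leaves the key as it was before infection; the Shell check deliberately treats anything other than the bare "explorer.exe" as suspect, since a legitimate machine rarely carries extra shells there.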

The file "odnoklassniki.exe" is also a ransomware dropper which uses the same techniques.
Main window:

Whois ~ kaspepsky.ru
[Querying whois.ripn.net]
[whois.ripn.net]
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: KASPEPSKY.RU
nserver: ns3.hosting.reg.ru.
nserver: ns4.hosting.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Artem O Koptev
phone: +79269371927
e-mail: next-999@mail.ru
registrar: REGRU-REG-RIPN
created: 2010.12.15
paid-till: 2011.12.15
source: TCI

Last updated on 2011.01.14 01:20:46 MSK/MSD
