Property / Value
rdf:type
rdfs:label
  • Spora
rdfs:comment
  • Spora is spread through spam e-mails that claim to be invoices. The attached files are .ZIP archives containing .HTA files that use a double extension to pass as other file types. When one of these .HTA files is executed, the payload starts: it extracts a file named close.js to the %Temp% folder and runs it, which in turn extracts an executable with a gibberish name. That executable begins encrypting files on the computer; at the same time, the malware attempts to open a .DOCX file, which produces an error. Encrypted files do not receive an extra file extension, so their names remain intact. To keep the system bootable, Spora does not encrypt files in folders named "games," "program files," "program files (x86)," and "windows."
dcterms:subject
dbkwik:malware/property/wikiPageUsesTemplate
Date
  • 2017
Origin
  • Russia
Platform
  • Microsoft Windows
Name
  • Spora
Type
  • Ransomware
filetype
  • .HTA
Creator
  • Unknown
abstract
  • Spora is spread through spam e-mails that claim to be invoices. The attached files are .ZIP archives containing .HTA files that use a double extension to pass as other file types. When one of these .HTA files is executed, the payload starts: it extracts a file named close.js to the %Temp% folder and runs it, which in turn extracts an executable with a gibberish name. That executable begins encrypting files on the computer; at the same time, the malware attempts to open a .DOCX file, which produces an error. Encrypted files do not receive an extra file extension, so their names remain intact. To keep the system bootable, Spora does not encrypt files in folders named "games," "program files," "program files (x86)," and "windows." Encryption reportedly works even when the machine is offline. Once encryption is finished, it runs a command-line command that deletes shadow volume copies, disables Windows Startup Repair, and changes the BootStatusPolicy, so the usual local recovery paths are unavailable. It then places a ransom note and a .KEY file on the desktop and in other folders. The payment site is reached through a Tor gateway that is not publicly advertised; on access, the visitor must enter the infection ID, after which the site shows various payment options. Payment, however, is accepted only in Bitcoin.
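The double-extension lure and the post-encryption recovery tampering described above are both visible to host-side telemetry. The following is an added example, not code from the wiki page or from Spora itself: it checks attachment names for a document extension hiding an .HTA (or other runnable type), and it parses constructed Sysmon-style process-creation lines to flag the vssadmin/bcdedit chain that deletes shadow copies, disables Startup Repair and changes BootStatusPolicy. The exact command spellings, the log-line format and the sample events are assumptions built for this example; the page only describes what the command does.

```python
"""Added example, not from the Spora wiki page or from the malware itself.

Two checks for the behaviours the abstract describes:
  * flag_double_extension(): an attachment such as 'invoice.pdf.hta' shows a
    document extension but is really an HTML Application (.hta).
  * flag_recovery_tampering(): one command line that deletes shadow copies,
    disables Startup Repair and changes BootStatusPolicy.
The command text and the Sysmon-style log lines below are constructed for this
example; the page only says what the command does, not how it was spelled."""
import re
from typing import Dict, List, Optional

# File types Windows will run directly when double-clicked (the hidden half).
EXECUTABLE_EXTS = {"hta", "js", "jse", "vbs", "vbe", "wsf", "exe", "scr", "cmd", "bat", "ps1"}
# Document/image types commonly used as the visible decoy half.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}


def flag_double_extension(filename: str) -> Optional[str]:
    """Return the real (last) extension when `filename` looks like
    <name>.<decoy>.<executable>, otherwise None.
    Whitespace padding between the extensions ('scan.pdf    .hta') is tolerated."""
    parts = [p.strip().lower() for p in filename.rsplit(".", 2)]
    if len(parts) < 3:
        return None
    _, decoy, real = parts
    if decoy in DECOY_EXTS and real in EXECUTABLE_EXTS:
        return real
    return None


# One pattern per post-encryption action; all three together are the full chain.
# Assumed canonical spellings (vssadmin / wmic / bcdedit); Spora's exact
# argument order is not given on the page.
RECOVERY_TAMPERING = {
    "shadow_copies_deleted": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "startup_repair_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+(\{default\}\s+)?recoveryenabled\s+no", re.I),
    "bootstatuspolicy_changed": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+(\{default\}\s+)?bootstatuspolicy\s+ignoreallfailures", re.I),
}


def flag_recovery_tampering(cmdline: str) -> List[str]:
    """Names of the recovery-tampering actions present in one command line."""
    return [name for name, rx in RECOVERY_TAMPERING.items() if rx.search(cmdline)]


def parse_event(line: str) -> Dict[str, str]:
    """Parse a 'Key=Value|Key=Value' process-creation line (constructed format;
    a real Sysmon feed would be XML or JSON and is parsed accordingly)."""
    fields = {}
    for kv in line.split("|"):
        key, _, value = kv.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def triage(events: List[str]) -> Dict[str, List[str]]:
    """Map the Image of every event that tampers with recovery to the actions seen.
    Events without a hit are dropped, so an empty dict means nothing suspicious."""
    findings: Dict[str, List[str]] = {}
    for line in events:
        ev = parse_event(line)
        hits = flag_recovery_tampering(ev.get("CommandLine", ""))
        if hits:
            findings[ev.get("Image", "?")] = hits
    return findings


# Constructed sample events in the shape of Sysmon event ID 1 (process creation).
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin list shadows",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe invoice.txt",
]

if __name__ == "__main__":
    for name in ("Invoice_2017-01.pdf.hta", "scan.jpg   .HTA", "invoice.docx"):
        print(name, "->", flag_double_extension(name))
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(hits))
```

A single process that trips all three indicators is a strong ransomware signal on its own; a lone `vssadmin list shadows` or a legitimate `bcdedit` change by an administrator produces no full-chain hit, which is why the function returns the individual actions rather than a single boolean.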