(http://www.thelivingmoon.com/gallery/albums/userpics/10005/cyber_police_shield-450.jpg)
ATTENTION!
Your browser has been blocked by FBI:
All Information is Arrested
(http://www.thelivingmoon.com/gallery/albums/userpics/10005/fbi-blockerTOP-640.png) (http://www.thelivingmoon.com/gallery/albums/userpics/10005/fbi-blockerTOP-FULL.png)
(http://www.thelivingmoon.com/gallery/albums/userpics/10005/fbi-blockerBOTTOM-640.png) (http://www.thelivingmoon.com/gallery/albums/userpics/10005/fbi-blockerBOTTOM-FULL.png)
So, we sent them $600 in case we 'trespass' again. :P
(http://www.thelivingmoon.com/gallery/albums/userpics/10005/fbi_browser_blocker.png)
This is where we picked up the CTD (computer transmitted disease)...:P
(http://www.thelivingmoon.com/gallery/albums/userpics/10005/fbi_trench_water_full_page-640.png) (http://www.thelivingmoon.com/gallery/albums/userpics/10005/fbi_trench_water_graphic.png)
We think we need a drink after this. :P
As luck would have it, we have a friend that delivers. :P
(http://www.thelivingmoon.com/gallery/albums/userpics/10005/emergency_margarita_service.jpg)
(http://www.thelivingmoon.com/43ancients/04images/Bluebird/lg50aa500a.gif)
tfw
Peace Love Light
Liberty & Equality or Revolution
FUKUSHIMA FALLOUT CLOCK
Elapsed Time since March 11, 2011, 2:46 PM - Fukushima, Japan (http://www.timeanddate.com/countdown/generic?iso=20110311T1446&p0=2155)
1,170 Days = 3 Years, 2 Months, 11 Days
The World Must Take Charge at Fukushima (http://www.thelivingmoon.com/forum/index.php?topic=5453.msg74364#msg74364)
"In a time of universal deceit
telling the truth is considered a revolutionary act."
George Orwell
Is that the one that really encrypts the files or the more common fake one that is easy to circumvent (at least on Windows)?
Quote from: ArMaP on May 24, 2014, 08:25:44 PM
Is that the one that really encrypts the files or the more common fake one that is easy to circumvent (at least on Windows)?
Greetings:
Considering the fact that we were able to document the event, and are now posting here, it appears that it may be the more common fake one.
From outward appearances, it appears that any effects, real or imagined, have been side-stepped, nullified, or otherwise circumvented. :P
Or it died of boredom not being able to replicate on this legacy (non-Intel) Mac. ;)
Such a nice scam, I wonder how many people pay for it. This is very similar to the one that got me from Germany. So now it is the FBI. Wonder what they think about it? It never encrypted any files, just moved the Windows main page off the start up program. Which just about kills anything you can do with Windows. I got a nice blank page to play with. But dear old Skype still worked through most of that problem. I had to run explorer out of my hard drive and not the main window. Fun.
Quote from: thorfourwinds on May 25, 2014, 03:33:02 AM
Or it died of boredom not being able to replicate on this legacy (non-Intel) Mac. ;)
It doesn't replicate, that's probably one of the reasons it isn't detected as a virus.
As far as I know (not gospel :P ), both the real and the fake versions are for Windows only, as the real encrypts files on Windows folders and both versions register themselves to be run at start up, which is done in different ways for different operating systems.
A legacy Mac is probably the most secure system now, as the virus makers probably already forgot about them. :)
Quote from: deuem on May 25, 2014, 04:23:51 AM
Such a nice scam, I wonder how many people pay for it.
Many.
Two years ago, when it appeared here in Portugal, the Portuguese police had a warning on their site telling people not to pay. In the company where I work we had two people bringing their computers and asking if they had to pay, while we had some 8 that just brought the computer to remove the problem, so I guess (yes, it's just a guess) maybe 10% of the people affected at least think about paying.
Quote
This is very similar to the one that got me from Germany. So now it is the FBI.
The law enforcement agency changes according (probably) to the location associated with the IP address; here in Portugal we got a warning from the Portuguese police, along with some official-looking images.
Quote
It never encrypted any files, just moved the Windows main page off the start up program.
Yes, that's the fake one, it just registers itself as a start-up program in Windows and blocks everything, but booting in safe mode with command line allows us to remove it from the start-up section.
Greetings:
Thank you ArMaP for all that quality information. (bows)
The question that still is unanswered:
Why THIS particular file? (trench for water diversion at Fukushima, see above)
It would seem to cast a rather small (but targeted and effective in some cases) net for intrepid researchers. :P
Just another example of how deep the opposition to a nuclear-free future has its tentacles. >:(
FULL DISCLOSURE: We DO give credit to the malevolent, devious bastard who set the trap. >:(
Your day will come, as karma is a bitch and the sword of the righteous. :P
Any takers on this one?
Thank you all for your time, consideration and participation.
Quote from: thorfourwinds on June 01, 2014, 11:45:12 PM
The question that still is unanswered:
Why THIS particular file? (trench for water diversion at Fukushima, see above)
I don't think it's that particular file (the image), but that the image (and the words used to get a high place on the search engines) acts only as a way of getting people's computers infected with that malware.
If you look at the image it has a watermark of "czcx.en.alibaba.com", which probably means that it was taken from that site, but the page where the image is presented is on a different site, that "security-scan-jhvxcyrj.in" site.
Quote
It would seem to cast a rather small (but targeted and effective in some cases) net for intrepid researchers. :P
Just another example of how deep the opposition to a nuclear-free future has its tentacles. >:(
Probably not, they surely use other key words to catch more victims, they just have to look at what key words people are searching for and adapt their sites to those words.
Edited to add that I decided to make a test. :)
I opened a virtual machine (with Windows 7) and did the same search you did (new water trench fukushima) and got the same image as the first result. The image appears as being on sirius-network.de (whatever that may be), and, on the first try, I could see that page, as you can see below.
(http://www.thelivingmoon.com/gallery/albums/userpics/10002/Policia_2.jpg)
As you can also see, all that text doesn't make any sense, it's probably there just to be found by the search engines.
A second try sent me to the warning.
(sorry for the long image)
(http://www.thelivingmoon.com/gallery/albums/userpics/10002/Policia.jpg)
That page has some official images (and an image of the president, which is a stupid idea, as the president in Portugal doesn't have any connection with law enforcement, besides being ugly :P ) and is all written in Portuguese, but it's not a very good translation.
Also, for those that go to the extra work of looking at all those laws mentioned, article 161 is about "kidnapping", article 148 is about "negligent harm to physical integrity", article 215 is about "violent occupancy of a building" and article 301 doesn't exist (it was repealed in 2003).
Looking at the address bar on the browser I noticed that it shows a padlock but that's just another way of fooling the user, as the address does not start with "https". You can also see that the address is slightly different from the one you were sent to, "security-scan-gzvoekma.in" instead of "security-scan-jhvxbyrj.in", but both probably point to one of those hosting servers that are only interested in getting the money and are not worried about how their servers are used.
A whois search points to an Australian address; I don't know if it's really the address of the person that registered it, someone that registers names for clients, or a fake. A whois search for the address in your case points to an Italian address, so I suppose they are fake.
So, I don't really think it's a special case, your search words were just a way of getting to your computer. :)
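The two hosts quoted in the post above differ only in an eight-letter label, so a block on one exact name misses the next one. As an added example (not part of the original thread), this Python code flags any host of that shape in a proxy log and records whether the request used HTTPS; the log format, the sample lines and the pattern itself are assumptions, the pattern being drawn only from the two names quoted.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Shape shared by the two hosts quoted in the post: fixed prefix,
# eight lowercase letters, .in TLD. The pattern is an assumption drawn
# from those two names only.
LURE_HOST = re.compile(r"security-scan-(?P<label>[a-z]{8})\.in")

# Constructed proxy-log sample, "<time> <client> <url>" (not real traffic).
SAMPLE_LOG = """\
2014-06-02T10:01:07 10.0.0.21 http://sirius-network.de/page.html
2014-06-02T10:01:09 10.0.0.21 http://security-scan-gzvoekma.in/
2014-06-02T10:04:30 10.0.0.35 http://security-scan-jhvxbyrj.in/index.html
2014-06-02T10:05:02 10.0.0.35 https://www.example.org/security-scan-abcdefgh.in
2014-06-02T10:06:11 10.0.0.40 http://security-scan.example.in/
truncated line
"""


def find_lure_hits(log_text):
    """Return one record per request whose *host* has the lure shape."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing
        when, client, url = parts
        split = urlsplit(url)
        host = split.hostname or ""  # urlsplit lower-cases the host
        match = LURE_HOST.fullmatch(host)
        if match:
            hits.append({"time": when, "client": client, "host": host,
                         "label": match.group("label"),
                         "https": split.scheme == "https"})
    return hits


def hosts_by_client(hits):
    """Group hits so each affected client lists the hosts it reached."""
    grouped = defaultdict(set)
    for hit in hits:
        grouped[hit["client"]].add(hit["host"])
    return {client: sorted(hosts) for client, hosts in grouped.items()}


if __name__ == "__main__":
    for hit in find_lure_hits(SAMPLE_LOG):
        print(hit)
```

Matching on the parsed host rather than the whole URL keeps the fourth and fifth sample lines out of the results, even though both contain the prefix.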