Removing SMS viruses
Recently, viruses that demand payment by SMS have become a very popular and profitable way for cybercriminals to extract money. As a result, a great many varieties of SMS viruses have appeared. There are not only viruses that demand an SMS to view porn sites, but also ones disguised as program installers and updaters, ones that lock the system claiming unlicensed use, and so on and so forth. The whole range of variants can be seen in screenshots here, for example.
ransomware sms virus
Another problem is that an infected user who goes to a friend's computer to search the Internet for a solution finds only descriptions of particular cases of the same misfortune. And since the development and distribution of this kind of malware continues, more of these particular solutions appear every day.
Therefore, in this article I will not describe a solution for one particular type of SMS virus; instead I will describe the principle of operation and the main characteristics of the whole group. But first, a few words about the reckless steps users take in such situations.
Pay – note that even if everything goes well after paying, all the malicious software remains on your computer. Nobody knows how it is written; it may trigger again a week after payment. In addition, the real cost of the SMS is usually 50-100% higher than the declared one.
Find an unlock code – there are code generators on the websites of the developers of leading anti-virus solutions (Kaspersky, Doctor Web and others). But again, after unlocking you may relax while the malware has not gone anywhere; only the information window has disappeared.
Reinstall the system – and a couple of days later catch a similar virus again. You could reinstall around the clock this way. This is not a solution. You must be able to solve the problem itself. Reinstalling to get rid of malware is like burning down the house to fight domestic rodents. Illogical, isn't it?
Now more about SMS viruses. What, in fact, are we dealing with? The reason you constantly see the virus's message about sending an SMS is that the graphical shell of the system has been tampered with. Everything you see (icons, folders, etc.) is drawn by a special system program. On Windows this is the explorer.exe system process. The SMS virus acts as a debugger (controlling program) of this process.
The system's database (where everything relating to the operation of the system and its programs is recorded) is the Windows registry. There is a Shell parameter in the registry that says which program is responsible for drawing the graphical environment. After infection, this entry is most often edited: the SMS virus writes itself into Shell instead of explorer.exe.
Modified Shell Registry Entry
Click on the image to see the full screenshot and pay attention to the location of the debugger (control program) and its name.
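As an added example that is not part of the original article: a small Python script that checks an exported Winlogon key for the Shell (and Userinit) hijack described above. It assumes the key was exported to a .reg text file, for example with reg export on a working Windows system or with the reged tool from the chntpw package on a Linux Live-CD; the file name lockscr.exe and the sample export are constructed.

```python
import re, sys

WINLOGON_KEY = r"\Microsoft\Windows NT\CurrentVersion\Winlogon"   # both the HKLM and the HKCU key end with this

def read_reg_text(path):
    """Read a .reg export; reg.exe writes UTF-16 with a BOM, reged -x (chntpw) writes plain ASCII."""
    data = open(path, "rb").read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("utf-8", "replace")

def parse_reg(text):
    """Return {key_path: {value_name: string}} for the string values in a .reg dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            continue
        val = re.match(r'^"([^"]+)"="(.*)"$', line)
        if val and current is not None:
            # .reg files escape backslashes and quotes inside values with a backslash
            keys.setdefault(current, {})[val.group(1)] = re.sub(r"\\(.)", r"\1", val.group(2))
    return keys

def check_winlogon(text):
    """Return findings for every Winlogon key in the dump; an empty list means Shell and Userinit are intact."""
    findings = []
    for key, values in parse_reg(text).items():
        if not key.lower().endswith(WINLOGON_KEY.lower()):
            continue
        shell = values.get("Shell", "explorer.exe")        # an absent Shell value means the default
        if shell.lower() != "explorer.exe":
            findings.append(f"{key}\\Shell = {shell!r} (expected explorer.exe)")
        # Userinit is a comma-separated list; malware either replaces the real entry or appends itself
        userinit = values.get("Userinit", r"C:\Windows\system32\userinit.exe,")
        parts = [p.strip() for p in userinit.split(",") if p.strip()]
        if not parts or any(p.rsplit("\\", 1)[-1].lower() != "userinit.exe" for p in parts):
            findings.append(f"{key}\\Userinit = {userinit!r} (expected only userinit.exe)")
    return findings

# Constructed sample export (not from a real machine): a locker has written itself into Shell.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\WINDOWS\\Temp\\lockscr.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

if __name__ == "__main__":
    text = read_reg_text(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    print("\n".join(check_winlogon(text) or ["Winlogon Shell and Userinit look intact"]))
```

Run it with the path of the exported .reg file as the only argument; without an argument it checks the constructed sample.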
The debugger itself (the body of the SMS virus) is copied to various places, but most often to the system32 or Temp system folders, as well as to the temporary folders in user profiles. User profile folders are located at:
C:\Documents and Settings\User
Paths to the folders mentioned above:
C:\WINDOWS\system32
C:\WINDOWS\Temp
User\Local Settings\Temp
User\Local Settings\Application Data\Temp
In some cases the SMS virus installs a separate program on the computer, which appears in the list of installed programs and lives in the Program Files folder. It is also registered in autorun and starts together with the system. Its functions, besides displaying the banner, can vary from blocking the Task Manager to blocking input devices. The Startup folder is located in the user profile at:
User\Main menu\Programs\Startup
Virus software in the system
We have determined where the SMS virus lives and how it works. Now let's figure out how to deal with it. Since the virus blocks the ability to work in the system, you have to remove it from the outside: either boot from a Live-CD, or take the disk to a friend, connect it to their computer and look for the malware there. Any Live-CD will do; if you are hearing this word for the first time, I recommend the Lubuntu Live-CD, which has a decent Russian localization and is undemanding on resources.
After gaining access to the hard disk, you need to clean all the temporary folders of the infected system and the Startup folder. If your level of competence allows, you can also examine the system32 folder for strange files, for example dll libraries with names like
or twin exe files, like a fake Adadas next to Adidas:
userinit.exe – system process
usrinit.exe – disguised malware
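As an added example that is not part of the original article: a Python script to run from the Live-CD against the mounted Windows volume. It lists the executables in the temp and Startup folders named above and flags system32 file names that are one character away from a real system binary (the usrinit.exe / userinit.exe trick). The mount point, the list of system names, and the fake volume it builds for an offline demo are assumptions; the profile folder names are the English XP ones, so on a localized install adjust PROFILE_DIRS (the article's "Main menu" is the Start Menu folder).

```python
import os, tempfile
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif"}
SYSTEM_NAMES = ["userinit.exe", "explorer.exe", "winlogon.exe", "svchost.exe", "lsass.exe"]
# Per-profile folders from the article, with their English XP names (a localized install translates them).
PROFILE_DIRS = ["Local Settings/Temp", "Local Settings/Application Data/Temp", "Start Menu/Programs/Startup"]

def ifind(base, *parts):
    """Descend 'parts' below 'base', matching each name case-insensitively, as NTFS does."""
    for part in parts:
        names = os.listdir(base) if os.path.isdir(base) else []
        hit = next((n for n in names if n.lower() == part.lower()), None)
        if hit is None:
            return None
        base = os.path.join(base, hit)
    return base

def one_edit_away(a, b):
    """True when a != b and a single insertion, deletion or substitution turns one into the other."""
    if len(a) < len(b):
        a, b = b, a
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    return len(a) - len(b) == 1 and any(a[:k] + a[k + 1:] == b for k in range(len(a)))

def scan(mount):
    """Return (executables in the temp/startup folders, system32 names that mimic a system binary)."""
    places = [ifind(mount, "WINDOWS", "Temp")]
    profiles = ifind(mount, "Documents and Settings")
    for user in (os.listdir(profiles) if profiles else []):
        places += [ifind(profiles, user, *rel.split("/")) for rel in PROFILE_DIRS]
    found = [os.path.relpath(os.path.join(root, f), mount) for place in places if place
             for root, _, files in os.walk(place) for f in files
             if os.path.splitext(f)[1].lower() in EXEC_EXT]
    sys32 = ifind(mount, "WINDOWS", "system32")
    lookalikes = [os.path.relpath(os.path.join(sys32, f), mount) for f in (os.listdir(sys32) if sys32 else [])
                  if any(one_edit_away(f.lower(), real) for real in SYSTEM_NAMES)]
    return sorted(found), sorted(lookalikes)

def build_sample():
    """Construct a tiny fake XP volume in a temp dir (not a real disk) so the example runs offline."""
    m = tempfile.mkdtemp()
    for rel in ["WINDOWS/Temp/lockscr.exe", "WINDOWS/system32/usrinit.exe", "WINDOWS/system32/userinit.exe",
                "Documents and Settings/User/Local Settings/Temp/setup.exe",
                "Documents and Settings/User/Local Settings/Temp/notes.txt",
                "Documents and Settings/User/Start Menu/Programs/Startup/banner.exe"]:
        os.makedirs(os.path.dirname(os.path.join(m, rel)), exist_ok=True)
        open(os.path.join(m, rel), "w").close()
    return m
if __name__ == "__main__":
    print(scan(build_sample()))      # on a Live-CD pass the mount point of the infected disk instead
```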
Look through the Program Files folder for a folder whose name matches the program named in the banner (for example Digital Access, if it is mentioned). Then try to boot. Most often, after cleaning, the banner disappears, but the graphical environment disappears along with it, since the program controlling the shell (the debugger) is gone while the registry entry is still there. Now you need to fix the registry. Since the desktop is empty