Whilst using Facebook, a user followed a link to an external "Top 10" type photo page, and up came a message full screen.

This was a solid white screen to all extremities of the screen. No task bar was showing. Task manager would not work. It was modal.

There was a single line of words in the middle of the screen:

“Windows Locked! Pay WMZ”.

or

“Windows locked! Your ID is 0xe1c88c76. Send 250 WMZ to ZXXXXXXXXXX and follow instructions.”

[Image: "windows locked" screenshot]

No amount of Googling this has turned anything up.

Fearing the worst, I had the machines removed from the network immediately.

This has symptoms of CryptoLocker- or CryptoWall-type malware but may actually be broken or not fully activated. I have had people look over their files on the network shares and nothing yet appears to be damaged, altered or encrypted.

Looking in the event log of the machine and working backwards from when the power was removed, I have located a scheduled task that has been injected into the system.

The path to the executable currently contains nothing. The Trend Micro and other security tools have not yet found anything.

I logged all files on the machine that were changed at about the infection time (including prefetch files) and reviewed the internet history and registry entries.

(I note that this file, from the same time, looks suspicious: \Windows\Installer\{E8863755-AD45-4ABE-87DF-3C4AD785A364}\msiexec.exe)

I have been able to work out that the file came down via Java.

This is a copy of the task that was created:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers>
    <LogonTrigger id="Trigger1">
      <Enabled>true</Enabled>
      <UserId>User</UserId>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\User\AppData\Roaming\bOMPZQrb\tONjafFL\qnuFfTtR\rdNgawxcA.exe</Command>
    </Exec>
  </Actions>
  <Principals>
    <Principal id="Author">
      <UserId>User</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>

I have uploaded the .tmp files from the user's Temporary folders into VirusTotal and nothing yet found.

I am also running an undelete tool over C:\Users\User\AppData\Roaming\bOMPZQrb\tONjafFL\qnuFfTtR\

I will keep digging and report back. This does seem to be something new.
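The scheduled task quoted in the post carries several traits a responder can check for mechanically on other machines: an empty RegistrationInfo (no author), a logon trigger, the Hidden flag, and an executable under the user's roaming profile in randomly named folders. The script below is an added example, not code from the post; it parses a Task Scheduler XML export (the format exported by Task Scheduler or `schtasks /query /xml`) and reports those indicators. The two embedded task documents are constructed: the first mirrors the task from the post, the second is a hypothetical benign updater task for comparison. The "random-looking name" heuristic and the folder patterns are assumptions chosen for illustration.

```python
"""Triage a Windows Task Scheduler XML export for persistence indicators.

Added example; not code from the post. Scores a task definition against the
traits visible in the task quoted above. Thresholds and the name heuristic
are assumptions.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample modelled on the task in the post (same fields and path);
# a real export is read from disk as UTF-16 bytes and passed to triage_task().
SUSPECT_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers>
    <LogonTrigger id="Trigger1">
      <Enabled>true</Enabled>
      <UserId>User</UserId>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\User\\AppData\\Roaming\\bOMPZQrb\\tONjafFL\\qnuFfTtR\\rdNgawxcA.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign counterpart (hypothetical vendor): has an author, is not
# hidden, lives under Program Files and runs on a daily calendar trigger.
BENIGN_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Example Vendor</Author>
    <Description>Checks for product updates.</Description>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2014-01-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Example Vendor\\updater.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Folders any user can write to; a legitimate service rarely runs from here.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\Temp\\|\\Users\\Public\\", re.IGNORECASE)


def parse_task(xml_text):
    """Parse a task document given as str or as the UTF-16 bytes of an export."""
    if isinstance(xml_text, bytes):
        xml_text = xml_text.decode("utf-16")
    # Drop the declaration: its encoding="UTF-16" no longer matches the str we hold.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    return ET.fromstring(xml_text)


def looks_random(name):
    """Heuristic (assumption): an alphabetic name of 8+ letters with two or
    more upper/lower case switches, such as qnuFfTtR, is rarely a real product
    folder name."""
    stem = name.rsplit(".", 1)[0]
    if not stem.isalpha() or len(stem) < 8:
        return False
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return switches >= 2


def triage_task(xml_text):
    """Return the list of indicators found in one task definition."""
    root = parse_task(xml_text)
    found = []
    reg = root.find("t:RegistrationInfo", TASK_NS)
    if reg is None or reg.find("t:Author", TASK_NS) is None:
        found.append("no author in RegistrationInfo")
    if root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        found.append("runs at logon")
    hidden = root.find("t:Settings/t:Hidden", TASK_NS)
    if hidden is not None and (hidden.text or "").strip().lower() == "true":
        found.append("hidden from the Task Scheduler UI")
    for cmd in root.findall("t:Actions/t:Exec/t:Command", TASK_NS):
        path = (cmd.text or "").strip()
        if USER_WRITABLE.search(path):
            found.append("executable in a user-writable profile folder")
        parts = path.replace("/", "\\").split("\\")
        if sum(looks_random(p) for p in parts) >= 2:
            found.append("random-looking path components")
    return found


if __name__ == "__main__":
    for label, doc in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(label, "->", triage_task(doc) or "no indicators")
```

Run it over every file under C:\Windows\System32\Tasks (those files are the UTF-16 XML the script expects) to list tasks worth a second look; the indicators are triage hints, not proof, so each hit still needs the executable and its hash checked.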