New Malware Needs its Mouth Washed Out with Soap

Malwarebytes has discovered a rather profane piece of malware, one that is in need of some good old-fashioned punishment

Most of us have been there: your computer slows down, and then it gets worse. Files lock up or freeze, programs won’t launch, and error messages abound. It’s clearly a virus, it will take some time to clean up, and it is plainly interfering with your plans to get things done. And perhaps you find yourself wondering: “Why? Why ME?”

The malware just discovered by Rich Matteo, a researcher at Malwarebytes, has an answer: “Because f*** you! That's why.”

That tagline is the calling card for a new virus that is making the rounds, overwriting files and generally being ill-tempered.

“Once a host PC is infected, the malware enumerates the victim and looks for files of a certain type, replacing their contents with ‘Because f*** you! That's why,’” said Joshua Cannell, malware intelligence analyst at Malwarebytes, in an analysis obtained by Infosecurity. “Naturally, this can cause many programs to cease functioning, one of which was my Malcode Analyst Pack. This one produced some rather comical errors post infection.”

A static analysis of the file shows it’s a .NET Assembly that’s been obfuscated with SmartAssembly v6, a commercial obfuscator sold by Redgate. “As mentioned before in my blogs, sometimes these products intended to be used by software developers to protect their intellectual property can also be used by malware authors to hide their evil deeds,” Cannell said.

Cannell performed a forensic analysis on the malware by unpacking the .NET assembly with de4dot – a .NET assembly de-obfuscator. He found that the code installs a service for persistence. The malware author also took the time to write out a service description to make it sound somewhat legitimate, presumably to fool non-tech-savvy users.

The purpose of the code is merely to wreak havoc and prompt the “why ME” response from the victim, meaning that the author is likely not a professional cyber-criminal, but rather simply a trickster with too much time on his or her hands. It targets an array of file types to overwrite, including Microsoft Word, PowerPoint and Excel documents, JPEG images and, unfortunately, setup.exe. When a user tries to open any of the compromised files, they will get a message that it’s an invalid path or entry, followed by, you guessed it, “F*** you, that’s why.”
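For an incident responder, the practical question raised by Cannell’s description of the overwrite and by the list of targeted file types above is: which files on a machine actually took the hit? The following triage script is an added example, not Malwarebytes’ or the article’s code. It walks a directory, looks only at the file types the article names (Word, PowerPoint, Excel, JPEG and setup.exe), and buckets each file as overwritten (it begins with the payload text; a non-profane prefix is enough to match), intact (it begins with the format’s normal header), or suspect (wrong header but not this payload, so either corruption or a different variant). The format signatures, the tolerance for a UTF-8 BOM or UTF-16 encoding of the string, and the sample directory it builds are all assumptions made for the example; the article does not say how the sample selects or writes files.

```python
import os
import tempfile
from pathlib import Path

# The article quotes the payload text; a non-profane prefix is enough to match it.
# Both UTF-8 and UTF-16-LE encodings are checked as a precaution (assumption: the
# article does not say how the .NET sample writes the string).
PAYLOAD_SIGS = (b"Because f", "Because f".encode("utf-16-le"))

# Expected leading bytes per targeted type (standard format signatures, assumed here;
# the article names only the file types).
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt (OLE2 compound file)
ZIP = b"PK\x03\x04"                          # .docx/.xlsx/.pptx (OOXML zip container)
MAGIC = {
    ".doc": OLE2, ".xls": OLE2, ".ppt": OLE2,
    ".docx": ZIP, ".xlsx": ZIP, ".pptx": ZIP,
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".exe": b"MZ",
}


def classify(path: Path) -> str:
    """Return 'overwritten', 'suspect', 'ok' or 'skip' for one file."""
    ext = path.suffix.lower()
    if ext not in MAGIC:
        return "skip"
    if ext == ".exe" and path.name.lower() != "setup.exe":
        return "skip"                      # the article names setup.exe only
    with path.open("rb") as f:
        head = f.read(64)
    if head.startswith(b"\xef\xbb\xbf"):   # tolerate a UTF-8 BOM before the text
        head = head[3:]
    if any(head.startswith(sig) for sig in PAYLOAD_SIGS):
        return "overwritten"
    if head.startswith(MAGIC[ext]):
        return "ok"
    return "suspect"   # header wrong but not this payload: corrupt, or a different variant


def triage(root: Path) -> dict:
    """Walk root and bucket every targeted file by classify(); paths are relative, sorted."""
    results = {"overwritten": [], "suspect": [], "ok": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            verdict = classify(p)
            if verdict != "skip":
                results[verdict].append(p.relative_to(root).as_posix())
    for bucket in results.values():
        bucket.sort()
    return results


def build_sample_tree() -> Path:
    """Constructed test data (not real samples): a mix of intact and overwritten files."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "docs").mkdir()
    files = {
        "docs/report.docx": ZIP + b"\x14\x00\x06\x00" + b"\x00" * 40,          # intact
        "docs/budget.xlsx": b"Because f*** you! That's why",                  # overwritten
        "docs/old.doc": b"\xef\xbb\xbf" + b"Because f*** you! That's why",   # overwritten, BOM
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 50,      # intact
        "slides.ppt": b"\x00" * 32,                                           # bad header: suspect
        "setup.exe": "Because f*** you! That's why".encode("utf-16-le"),      # overwritten, UTF-16
        "uninstall.exe": b"MZ" + b"\x90" * 60,                                # not targeted: skip
        "notes.txt": b"Because f*** you! That's why",                         # not targeted: skip
    }
    for rel, data in files.items():
        (root / rel).write_bytes(data)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for verdict, paths in triage(tree).items():
        print(verdict, paths)
```

Run it against a user profile rather than the constructed tree to get a list of files that must come from backup versus files that merely need a second look; the “suspect” bucket is there so a variant with a different string, or ordinary corruption, is not silently counted as intact.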

“It’s not as common to see malware that operates in this fashion, almost seeming to play pranks on the user,” Cannell said. “Most of today’s modern malware tries to remain stealthy in order to avoid detection, unlike in this case where it starts trashing your computer, visibly disrupting your files and just causing headaches.”

Once the malware is detected post-infection, the overwritten files cannot be repaired in place; the only way to reverse the damage is to recover them from a backup or from the restore features built into Windows.

“Backups are a great thing to have in case something goes wrong, like an equipment failure or in this case, a malware infection,” Cannell said. “You can also try recovery options available in Windows. If you’re a Windows 8 user and you have File History enabled, that should do the trick. If you’re not a Windows 8 user or you’re not using File History, you can always try the traditional approach using System Restore after the malware has been removed.”
