A new malware called StalinLocker, or StalinScreamer, has been discovered by MalwareHunterTeam. It gives you 10 minutes to enter a password; otherwise it tries to delete the contents of your hard drives.
The new malware appears to be in its early stages and is expected to be further developed by its makers. When activated, it displays a screen showing Stalin while playing the anthem of the USSR. The screen also shows a countdown of the time remaining for you to enter the correct code. If this code is not provided, the malware attempts to erase all of your system's hard drives.
Specifically, when activated StalinLocker will perform the following actions:
1. Extracts the sound file "USSR_Anthem.mp3" to the %UserProfile%\AppData\Local folder and plays it. It is the same anthem heard in this video on YouTube, but with much worse quality.
2. Copies itself to %UserProfile%\AppData\Local\stalin.exe and creates an autorun entry called "Stalin", which starts the screenlocker / wiper when the user logs on to the computer.
3. Creates the file %UserProfile%\AppData\Local\fl.dat, which stores the remaining time in seconds divided by 3. So every time you start the program, the countdown is significantly shorter.
4. Tries to end the processes that are already running.
5. Terminates Explorer.exe and taskmgr.exe.
6. Tries to create a scheduled task called "Driver Update" to start Stalin.exe. This part of the code has errors.
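The artifacts in the list above can be checked on a suspect machine. The following read-only PowerShell triage script is an added example, not code from the original article or from MalwareHunterTeam; it assumes the "Stalin" autorun is registered under the standard Run registry keys, which the article does not specify.

```powershell
# Read-only triage for the StalinLocker artifacts named in the article.
# Nothing is deleted or modified; findings are only reported.
$local    = Join-Path $env:UserProfile 'AppData\Local'
$findings = @()

# 1. Files dropped into %UserProfile%\AppData\Local (names from the article).
foreach ($name in 'stalin.exe', 'USSR_Anthem.mp3', 'fl.dat') {
    $path = Join-Path $local $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{
            Type = 'File'; Name = $path
            Detail = "created $($item.CreationTime), $($item.Length) bytes"
        }
    }
}

# 2. Autorun called "Stalin". ASSUMPTION: the article does not say where it
#    is registered, so the per-user and machine-wide Run keys are checked.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties.Name -contains 'Stalin') {
        $findings += [pscustomobject]@{
            Type = 'Autorun'; Name = "$key\Stalin"; Detail = $props.Stalin
        }
    }
}

# 3. Scheduled task "Driver Update". The article says this code has errors,
#    so the task may be absent. The name is generic: review the action shown.
$tasks = Get-ScheduledTask -TaskName 'Driver Update' -ErrorAction SilentlyContinue
foreach ($t in $tasks) {
    $findings += [pscustomobject]@{
        Type = 'ScheduledTask'; Name = "$($t.TaskPath)$($t.TaskName)"
        Detail = ($t.Actions | ForEach-Object { $_.Execute }) -join '; '
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No StalinLocker artifacts from the article were found for this user.'
}
```

The script inspects only the profile of the user running it, so repeat it for each account on a shared machine.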
StalinLocker will then display the lock screen shown in the photo at the beginning of this article, which contains a 10-minute countdown to the deletion of your files unless you enter a password. According to MalwareHunterTeam, this code is essentially the number you get by taking the difference between the date on which the program is run and the date 1922-12-30. If the user enters the correct code, the wiper will delete the autorun.
On the other hand, if the code is not entered before the countdown reaches zero, the screenlocker will try to delete all the files on every drive letter on the computer. This is achieved by iterating through all drive letters from A to Z and deleting those that are accessible, as shown below.
This malware appears to still be in development, but fortunately, most security vendors have detected it and updated their respective programs.