About: Spora

An Entity of Type : dbkwik:resource/uazuHg3wEfJ5Uid5iYR3Jw==, within Data Space : 134.155.108.49:8890 associated with source dataset(s)

Attributes | Values
rdf:type
rdfs:label
  • Spora
rdfs:comment
  • The virus itself is spread through spam emails that claim to be invoices. The files attached to the emails are .ZIP files that contain .HTA files, which pretend to be other files via a double extension. When one of these .HTA files is executed, the virus starts its payload. When the payload begins, it extracts a file named close.js to the %Temp% folder and executes it, which extracts another executable with a gibberish name. This executable will begin encrypting files on the computer. At the same time, the virus will attempt to open a .DOCX file, which reports an error. Encrypted files do not get an extra file extension, thus keeping their names intact. To prevent booting from failing, Spora will not encrypt files in folders that have the names "games," "program files," "program files (x86)," a
dcterms:subject
dbkwik:malware/pro...iPageUsesTemplate
Date
  • 2017(xsd:integer)
Origin
  • Russia
Platform
  • Microsoft Windows
Name
  • Spora
Type
  • Ransomware
filetype
  • .HTA
Creator
  • Unknown
abstract
  • The virus itself is spread through spam emails that claim to be invoices. The files attached to the emails are .ZIP files that contain .HTA files, which pretend to be other files via a double extension. When one of these .HTA files is executed, the virus starts its payload. When the payload begins, it extracts a file named close.js to the %Temp% folder and executes it, which extracts another executable with a gibberish name. This executable will begin encrypting files on the computer. At the same time, the virus will attempt to open a .DOCX file, which reports an error. Encrypted files do not get an extra file extension, thus keeping their names intact. To prevent booting from failing, Spora will not encrypt files in folders that have the names "games," "program files," "program files (x86)," and "windows." Apparently this virus will work even if offline. When encryption is finished, it will run a CLI command that deletes shadow volume copies, disables Windows Startup Repair, and changes BootStatusPolicy. It will then add a ransom note and the .KEY file to the desktop and other folders. The website itself is on a Tor gateway that is not publicly advertised. When accessing the site, the infection ID must be entered. Once the ID is entered, the site shows various payment options. Payments, however, can only be made using Bitcoins.