Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

Could Your Computer Be Infected by Blackshades?


I recently saw Miss Teen USA Cassidy Wolf’s interview on CNN. She was among the half million people around the world who fell victim to the Blackshades malware, also known as “Creepware.” This malware has been selling for as little as $40. Among other things, it can be used to hijack computers remotely, turn on computer Webcams, access hard drives and capture keystrokes to steal passwords without your knowledge. You can read about her ordeal on CNN’s Web site. The hacker used her laptop Webcam to take her pictures and then tried to blackmail her. Here’s her interview on CNN.


The FBI has posted the following information on its Web site. Anyone who uses a computer should read it, but if you own a laptop with a Webcam you should definitely read it.

“Could Your Computer Be Infected by Blackshades?

Here’s a list of possible indicators that your computer may be infected with Blackshades or similar remote access tool malware:

  • Mouse cursor moves erratically with no input from user;
  • Web camera light (if equipped) unexpectedly turns on when web camera is not in use;
  • Monitor turns off while in use;
  • Usernames and passwords for online accounts have been compromised;
  • Unauthorized logins to bank accounts or unauthorized money transfers;
  • Text-based chat window appears on your computer’s desktop unexpectedly;
  • Computer files become encrypted and ransom demand is made to unlock files.

Blackshades malware affects Microsoft Windows-based operating systems. If you believe you or someone you know may have a computer that is infected with this malware, search the computer’s hard drive for the following files that are known to be present on Blackshades-infected computers:

  • dos_sock.bss
  • nir_cmd.bss
  • pws_cdk.bss
  • pws_chro.bss
  • pws_ff.bss
  • pws_mail.bss
  • pws_mess.bss

To perform the above check, click the Start menu and type each file name in the search field. If the search yields positive matches for one or more of these files, the computer may be infected with Blackshades.

In addition to the above files being added to the computer’s hard drive, Blackshades also makes modifications to the Windows registry. The exact location may vary depending on the version of Microsoft Windows you’re using, but the following registry subkey is added:

  • Computer\HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\[string of letters and numbers]

To perform a check for this registry modification, take the following steps:

  1. Click the Start menu.
  2. Type “regedit” in the search field.
  3. Execute the Registry Editor (regedit.exe). If prompted, select “Yes” to allow the program to make changes to the computer.
  4. Select “Edit” from the window toolbar.
  5. Select “Find” from the Edit menu.
  6. Type “SrvID” in the Find field.

Anyone who performs the above checks and gets positive results is encouraged to submit a complaint to the FBI’s Internet Crime Complaint Center. Please include the term “Blackshades” in the incident description section of the complaint.

And for assistance on removing Blackshades, please contact your Internet service provider, your antivirus software company, or another computer security professional.”
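If you would rather not click through the Start menu search and regedit by hand, the two checks the FBI describes can be scripted. The script below is an added example of mine; it is not part of the FBI notice and not code from this blog. It makes two assumptions that the notice does not state: it scans every fixed drive for the seven file names (case-insensitive, which is how Windows treats file names anyway), and because the notice says the registry location varies by Windows version, it searches all of the current user’s Software hive for a key named SrvID instead of hard-coding one path, which is what regedit’s Edit > Find does.

```powershell
# Added example (not from the FBI notice or this blog): automates the two
# manual Blackshades checks above. Run it from an elevated PowerShell prompt
# on the suspect computer (PowerShell 3.0 or later).
# Assumptions (mine, not the FBI's): every fixed drive is scanned, and the
# whole HKCU:\Software hive is searched for a key named SrvID.

$indicatorFiles = @(
    'dos_sock.bss', 'nir_cmd.bss', 'pws_cdk.bss', 'pws_chro.bss',
    'pws_ff.bss', 'pws_mail.bss', 'pws_mess.bss'
)
$findings = New-Object System.Collections.Generic.List[string]

# --- Check 1: file indicators on every fixed (DriveType = 3) drive ---------
# -Filter '*.bss' lets the file system narrow the search; the exact names are
# then compared against the FBI list (-contains is case-insensitive).
$fixedDrives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3'
foreach ($drive in $fixedDrives) {
    Get-ChildItem -Path "$($drive.DeviceID)\" -Filter '*.bss' -Recurse -Force -File `
                  -ErrorAction SilentlyContinue |
        Where-Object { $indicatorFiles -contains $_.Name } |
        ForEach-Object {
            $findings.Add("FILE  $($_.FullName)  (modified $($_.LastWriteTime))")
        }
}

# --- Check 2: registry indicator -------------------------------------------
# Equivalent of regedit's Edit > Find "SrvID", limited to the current user's
# Software hive. Each key under SrvID\ID is the "[string of letters and
# numbers]" the notice refers to, so those are listed too.
Get-ChildItem -Path 'HKCU:\Software' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'SrvID' } |
    ForEach-Object {
        $findings.Add("REG   $($_.Name)")
        Get-ChildItem -Path "$($_.PSPath)\ID" -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("REG   $($_.Name)") }
    }

# --- Report ------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Host 'No Blackshades indicators from the FBI list were found.'
} else {
    Write-Host "Possible Blackshades indicators found ($($findings.Count)):" -ForegroundColor Red
    $findings | ForEach-Object { Write-Host "  $_" }
    # Keep a copy of the evidence for the IC3 complaint the notice asks for.
    $report = Join-Path $env:USERPROFILE 'Desktop\blackshades-indicators.txt'
    $findings | Set-Content -Path $report
    Write-Host "Saved to $report"
}
```

A hit means exactly what the FBI says it means: the computer may be infected, and the report file gives you the paths to quote in the IC3 complaint. A clean run is weaker evidence, since the script only looks for these seven names and one key, so it does not replace a scan by your antivirus vendor or a professional.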
