
Anti-virus company Malwarebytes has stumbled upon a piece of malware that erases files and cusses at its victims.
Rich Matteo, a Malwarebytes researcher, says in the company's blog: "Once a host PC is infected, the malware enumerates the victim and looks for files of a certain type, replacing their contents with 'Because f*** you! That's why'."
The malware targets a variety of files to erase, including Microsoft Word, PowerPoint and Excel documents, JPEG image files and setup.exe. Users attempting to open any of the compromised files will be told that it is an invalid path or entry, and will then be greeted with the message above.
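When triaging a machine hit by malware that overwrites files like this, a responder needs a list of the files whose contents were replaced. The sketch below is an added example, not code from Malwarebytes or the article: it flags files of the listed types whose leading bytes no longer match the format their extension implies. The sample file names and the placeholder text are constructed.

```python
import os
import tempfile

# Leading bytes a healthy file of each targeted type starts with.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt
ZIP = b"PK\x03\x04"                           # .docx/.xlsx/.pptx containers
JPEG = b"\xff\xd8\xff"
EXPECTED = {
    ".doc": OLE2, ".xls": OLE2, ".ppt": OLE2,
    ".docx": ZIP, ".xlsx": ZIP, ".pptx": ZIP,
    ".jpg": JPEG, ".jpeg": JPEG,
    ".exe": b"MZ",  # the article names setup.exe; any .exe is checked here
}

def classify(path):
    """Return 'ok', 'overwritten', 'empty' or 'skipped' for one file."""
    magic = EXPECTED.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return "skipped"              # not a type the article lists
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(magic))
    except OSError:
        return "skipped"              # unreadable: locked or no permission
    if not head:
        return "empty"                # zero-byte file, report separately
    return "ok" if head == magic else "overwritten"

def find_overwritten(root):
    """Walk root and list files whose header no longer matches their extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if classify(full) == "overwritten":
                hits.append(full)
    return sorted(hits)

def demo():
    """Run the scan over constructed sample files in a temporary directory."""
    text = b"constructed placeholder for the malware's message"
    samples = {"report.docx": text, "photo.jpg": text, "notes.txt": text,
               "budget.xlsx": ZIP + b"\x00" * 16, "setup.exe": b"MZ\x90\x00"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [os.path.relpath(p, root) for p in find_overwritten(root)]

if __name__ == "__main__":
    print(demo())
```

The resulting list tells the responder which files to restore from backup; a header mismatch alone does not say what overwrote the file.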
How it works
Matteo said a quick static analysis of the file revealed it to be a ".NET assembly that's been obfuscated with SmartAssembly v6, a commercial obfuscator sold by Redgate".
He says although these products are designed for use by software developers to protect their trade secrets, they can be used by malware writers to cloak their wrongdoings.
Malwarebytes conducted a forensic analysis on the malware by unpacking the .NET assembly with de4dot - a .NET assembly de-obfuscator. The company discovered that the code installs a service for persistence. In addition, the malware writer gave the service a plausible-sounding description in an attempt to fool less tech-savvy users.
Unusual behaviour
Matteo said it is fairly uncommon to see malware behave this way - almost seeming to play pranks on the user.
Today's malicious software tries to fly under the radar to avoid detection - unlike this instance, where it openly starts trashing the machine, disrupting files and wreaking havoc.
"This sort of malware is usually not the by-product of a professional cyber criminal, but rather people with too much time on their hands," he concludes.


