The W32/Seftad RansomWare has been spreading for a few days now, locking infected computers and trying to extort money for a recovery password. The infection is easily recognized by the text message below, which is displayed when the computer starts up, or rather fails to start.

Your PC is blocked.
All the hard drives were encrypted.
Browse www.safe-data.ru to get an access to your system and files.
Any attempt to restore the drives using other way will
lead to inevitable data loss !!!
Please remember Your ID: 773923,
with its help your sign-on password will be generated.
Enter password:

But they lie, the hard disk is not encrypted, only a few sectors have been changed. This table shows the changes to the disk sectors. Also shown are the memory addresses where they are loaded to memory by the malware.

Infected Drive   Disk Address   Memory Address   Sector Contents
  Sector 1         0x000          0x7C00           Malware boot sector
  Sector 2         0x200          0x7C00           Malware code
  Sector 3         0x400          0x7E00           Text strings & CRC
  Sector 4         0x600          -                -
  Sector 5         0x800          0x7E00           Original boot sector

Hard drive sector 1 normally contains the Master Boot Record (MBR), with the partition table and the boot code needed to start the operating system. It has been copied to sector 5 with two bytes changed. Sector 1 now contains the malware boot code, with no partition table.

When the computer starts, the malware boot code from sector 1 is loaded and executed. It reads sectors 2 and 3 into memory at address 0000:7c00. The malware then checks whether a certain ID number is present at the start of sector 2 and the end of sector 3. The ID number check code can be used to confirm the identity of the malware boot sector.

1000:002b   cmp   dword ptr [bx+02h], 636d6a68h ; code start marker
1000:0033   jnz   loc_0000004b                  ; marker not found
1000:0035   add   bx, 3fch                      ; location of code end marker
1000:0039   cmp   dword ptr [bx], 636d6a68h     ; code end marker
1000:0040   jnz   loc_0000004b                  ; marker not found

(The addresses in the listings are disk based addresses, conversion to memory addresses is shown where necessary.)

At this point the code loaded from sector 2 is executed, and the routine that reads in the password starts. Up to 16 characters can be keyed in, and when the Enter key is pressed processing begins. The first step is to pad the password with spaces so that the length is always 16 characters.

1000:027d   mov   al, 20h                       ; " " text space
1000:027f   cmp   di, 10h                       ; if di <16 carry set
1000:0282   jnc   loc_00000289                  ; if we have 16 chars jump
1000:0284   mov   [bx+di], al                   ; add a space " "
1000:0286   inc   di                            ; increase char count
1000:0287   jmp   27fh                          ; check again if 16 chars

Next each of the 16 password characters is sent to a CRC generator. The resulting CRC will be used to check the whether the password is correct.

1000:0289  mov  cl, 10h                         ; cl = 16, chars in password
1000:028b  xor  dx, dx                          ; dx = 0x00, CRC goes here
1000:028d  mov  si, 7e7ah                       ; password buffer (disk 047a)
1000:0290  cld                                  ; clear direction flag
1000:0291  lodsb                                ; load pwd char to al, si++
1000:0292  call loc_00000368                    ; call the CRC16 generator
1000:0295  dec  cl                              ; cl--  update character count
1000:0297  jnz  291h                            ; loop to load next character

There are many different CRC16 alogorithms. The one used is the xmodem version, not the most common or the best, but it will work for this task. The core of the CRC generator is shown below.

1000:036a  mov  ah, al                          ; move password char to ah
1000:036c  xor  al, al                          ; zero al
1000:036e  xor  dx, ax                          ; dx=crc, 0x00 on first pass
1000:0370  mov  cl, 08h                         ; set cl for 8 bits
1000:0372  shl  dx, 1h                          ; shift left 1 bit
1000:0374  jnc  37ah                            ; if top bit was 0 jump
1000:0376  xor  dx, 1021h                       ; CRC polynomial = 0x1021
1000:037a  dec  cl                              ; cl--
1000:037c  jnz  372h                            ; loop until cl=0

Once the password CRC has been calculated, it is checked against the reference CRC at memory location 0000:7ffa, where it was loaded from disk sector 3.

1000:0299  cmp  dx, [7ffah]                     ; password CRC loc (crc=0x24e0)
1000:029d  jz  loc_000002b2                     ; if equal

The CRC value 0x24E0, located at memory address 0000:7ffa, can be found at at disk location 0x7ffa – 0x7c00 + 0×200 = 0x05fa, shown in the hex dump below. Any password with this CRC will work.

Disk:05F0  Mem:7FFA   00 00 00 00 00 00 00 00  00 00 E0 24 68 6A 6D 63  ..........à$hjmc

When an incorrect password is entered, the words “Wrong password” are displayed, with “Enter password:” appearing again below. After three tries the computer reboots and the process starts again. Rebooting here is probably just a simple way to clear the display.

When a correct password has been entered, the process of restoring the computer begins. First the original boot sector is loaded into memory, from disk sector 5.

1000:02b2  mov  bx, 7e00h                       ; buffer
1000:02b5  mov  cx, 05h                         ; track=0 sector=5
1000:02b8  mov  dx, 80h                         ; head=0 drive=hard disk
1000:02bb  mov  ax, 201h                        ; read disk sectors, 1 sector
1000:02be  int  13h                             ; read disk
1000:02c0  jnc  loc_000002ca                    ; jump if read was ok

When the original boot sector was saved, the last two bytes were changed to “be af”. These are now checked, and if they are wrong the message “Data corrupted” is displayed.

Disk:09F0  Mem:7FF0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 BE AF  ..............¾¯

1000:02ca  mov  di, 7ffeh                       ; (disk 09fe)
1000:02cd  cmp  word ptr [di], 0afbeh           ; check value
1000:02d1  jz  loc_000002db                     ; if ok jump

If the bytes are as expected, they are changed back to their original value, “55 aa”, which is the Boot Record Signature. If the BIOS does not see these bytes it will not boot.

1000:02db  mov  dx, 0aa55h                      ; boot record signature
1000:02de  mov  word ptr [di], dx               ; write to mem, di=7ffe

The repaired boot sector is now written to sector 1, so that the computer becomes bootable again.

1000:02e0  mov  cx, 01h                         ; write to sector 1
1000:02e3  mov  dx, 80h                         ; head=0 drive=hard disk
1000:02e6  mov  ax, 301h                        ; write disk sectors, 1 sector
1000:02e9  int  13h                             ; write to disk
1000:02eb  jnc  loc_000002f5                    ; jump if ok, to "clean up disk"

Finally a buffer is filled with nulls and written to disk sectors 2, 3 and 5, so that all traces of the infection are removed, and the computer is rebooted. Of course if any of these sectors was being used by some system level software, like a disk or boot utility, whatever data they contained is lost and the password will not restore the computer to its original state.

The best way to cure this infection is to use a suitable disk repair utility. If this fails then hopefully the information presented here will help with manual repair. In any case it is important to remember that even when the computer boots successfully, it will still be infected with the malware that started this, and needs to be cleaned.

Additional information about this malware can be found in Fortinet researcher Patrick Yu’s All your drives are belong to us.

Two of Fortinet’s FortiGuard Labs researchers will be on hand at next week’s RSA Conference to present their research in the Fortinet booth theater (#2225). The presentations focus on ransomware and industrial spying, two hot topic areas that are on the minds of security professionals at enterprises today. Here is a bit of information:

All Your Data Are Belong To Us
Ransomware comes in many shapes and forms, with the most recent variation using malware masquerading as antivirus protection. The goal of an attacker is simple: cripple, lock down and encrypt files/applications, then offer a service to unlock the data. Ransomware has already begun to leave a destructive trail in 2010. Watch as Derek Manky, cyber security and threat researcher, discusses and demonstrates these threats live in the theater.

The Art of Industrial Spying
Every organization and individual has more and more confidential or regulated data to manage, with growing amounts of data being moved to digital storage and transferred digitally. This has wedged the door open to data theft and/or manipulation for financial gain, while bypassing physical security measures. Steve Fossen, senior manager of security research and development, will discuss and demonstrate how enterprises can protect their data from this kind of intellectual property theft so that it doesn’t end up in the wrong hands – or on the open market.

Presentations will take place every 30 minutes during show floor hours. Please stop by the Fortinet booth (#2225) for the schedule and for information on these presentations.