The PooleZoor Virus is a ransomware strain of the Hidden Tear family targeting English-speaking users on a global scale. The captured samples indicate an initial release which might be updated in the future with additional code. Our article provides an overview of the virus operations and it also may be helpful in attempting to remove the virus.
|Short Description||The ransomware encrypts sensitive information on your computer system with the .poolezoor extensions and demands a ransom to be paid to allegedly recover them.|
|Symptoms||The ransomware will encrypt your files with a strong encryption algorithm.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by PooleZoor Virus |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss PooleZoor Virus.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
PooleZoor Virus – Distribution Ways
The PooleZoor virus as a recently discovered threat has been noticed in a limited test run. The low number of captured samples do not give out details about the main infection methods. As such we presume that the criminals are going to utilize the most common ones.
A common tactic is to rely on phishing email messages that are sent in bulk to the victims. The criminals utilize elements taken from well-known companies and services that coerce the victims into interacting with a malicious element. The criminals can either attach the files directly or hyperlink a malware file in the body contents.
Using a similar approach the hackers can also construct fake download portals that are reminiscent of popular Internet pages. In combination with the emails they are a key instrument in spreading malicious payload carriers. One of the popular forms is the creation of virus-infected documents — usually in the form of a macro-infested presentation, database, rich text file or spreadsheets. When they are opened by the victims a prompt will appear asking the users to enable the scripts. If this is done so then the infections will begin.
The other mechanism used by criminals is the release of infected application installers. They are made by taking the legitimate installers of popular software from their official vendor download sites and modifying them with the associated PooleZoor virus.
Popular places where infected payload carriers can also be found include file sharing networks such as BitTorrent where pirate content ins usually found.
In certain cases where a large-scale deployment is needed the criminals behind the PooleZoor virus can utilize browser hijackers. They represent malicious plugins made for the most popular web browsers. Usually they are spread on the relevant repositories with an alluring description and fake user reviews and developer credentials. Once they are installed they follow a prescribed behavior pattern by changing the default settings redirecting to a hacker-controlled page. After this part of the infection process is complete the virus will be downloaded and executed on the victim host.
PooleZoor Virus – In-Depth Analysis
As soon as the PooleZoor virus infection begins the main module will start to run its prescribed behavior pattern. The security investigation reveals that it is based on the Hidden Tear ransowmare family. As such its behavior can be fine tuned according to each target campaign.
We anticipate that the large-scale attack campaigns will follow a predesigned behavior pattern that should be similar to previous Hidden Tear based viruses. At the onset of infection typically a data harvesting. It is used to retrieve information that can be grouped into two main categories:
- Personal Information — This type of data can reveal the victim’s identity by extracting strings related to the user’s name, address, phone number, location, passwords and etc.
- Anonymous Metrics — Information of this category is used to optimize the campaigns by harvesting metrics that are useful to the hackers. The report includes a report on the installed hardware reports and certain user-set operating system settings.
The collected data can then be fed to another component called stealth protection. It is used to hide the virus instance from any security software that can interfere with its correct execution. The list of target applications includes anti-virus applications, sandbox environments or virtual machine hosts.
When the PooleZoor virus has created the necessary environment where system changes can occur it can launch several processes and components that can cause a series of modifications. Some of them can include the following:
- Windows Registry Changes — The PooleZoor virus can modify the Registry entries belonging both to the operating system and user-installed applications. This can lead to severe performance issues or the inability to launch certain functions of the applications.
- Persistent Installation — This modification can manipulate the system into setting up the PooleZoor virus as a persistent threat. This will automatically launch the threat once the computer boots, at the same time modifying the boot settings so that the users would have no way of disabling it. It can also prevent access to the boot recovery menu which is used during manual recovery.
- Data Removal — The virus engine can remove the Shadow Volume Copies and System Restore Data which can make it impossible to effectively restore the compromised files. In such cases the victims can resort to the use of a professional-grade recovery application, refer to our instructions for more information.
- Trojan Module — Advanced virus infections can carry a Trojan module which sets up an encrypted connection with a hacker-controlled server. It allows the criminal operators to remote control the infected machines, as well as spy on the users. Such configurations allows them to easily retrieve any stored data at any given time.
We remind our users that as a part of the Hidden Tear ransomware family the behavior pattern can be changed according to each campaign or individual host. The criminals can modify (add or remove) malicious components at will.
PooleZoor Virus — Encryption
As other Hidden Tear based ransomware the PooleZoor virus uses a built-in list of target file type extensions. It is made part of the main module and it can be modified according to the indiviudal hosts as well. A sample list can include the following data:
The affected data will be processed by a strong cipher and renamed with the .poolezoor extension. The accompanying ransomware note is created in a file called READ_me_for_encrypted_Files.txt which reads the following:
Files has been encrypted with PooleZoor
Ba pardakht 10,000,000 Riyal File hay khod ra bazgardanid
In Pool sarf omre kheyriye khahad shod
Remove PooleZoor Ransomware Virus and Restore .poolezoor Files
If your computer got infected with the PooleZoor ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.