The Horrifying Annabelle Virus
Remember Annabelle, that terrifying doll? Now there is a virus that carries the name: the “Annabelle Virus”. It is the work of a very talented hacker who just wants to show his skills to the outside world. The virus has nothing to do with hacking your system or holding you to ransom.
How does it work?
The interesting thing about this virus is that it will shut down your computer and leave you unable to do anything to regain control. According to security researcher Bart, “It can terminate security programs, disable Windows Defender, turn off your firewall, encrypt your files and try to spread through your USB ports. The cherry on top is that it also overwrites the master boot record of the infected computer with a very silly bootloader.”
The MalwareHunterTeam managed to extract the source code of the virus to see how the virus starts off and how it acts.
They discovered that after being installed, the Annabelle virus starts automatically whenever Windows starts. It then terminates a series of programs such as Task Manager, Chrome, Msconfig, Process Hacker and so on. This is followed by modifying the Image File Execution Options registry entries, which prevents you from opening programs such as the ones named above, Notepad, Internet Explorer, Opera etc.
It then spreads itself using autorun.inf files. This will not work on the latest versions of Windows, which do not allow such files to autoplay. When it has finally taken away all the control you had over every program on your computer, it encrypts the computer with a static key. Here comes the spooky part: while encrypting, it changes the extension of each file to .ANNABELLE. This is truly a scene out of an IT enthusiast’s nightmare.
When you try to reboot your computer, a welcome screen appears that credits the creator of this virus, named “iCoreXo812”, and gives a Discord name through which he can be contacted. The master boot screen is replaced with one that shows a “prop” screen when you load it.
How to get rid of this virus?
The creator is not as brutal as the virus and is not interested in your money, and maybe because of that he has not made it hard to remove the virus from your hard disk. Since it is static-key-based ransomware, it can be easily decrypted. Just replace the MBR, run Rkill in safe mode, wipe off the registry entries and use a decryptor; after a security scan, your computer is back in form to be used.
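For the Image File Execution Options changes described earlier and the registry cleanup step above, the following PowerShell is an added example, not code from the original article or from any removal tool. It assumes the launches are blocked through the per-executable Debugger value, which is the usual way these keys are used to redirect a program; the function names Get-IfeoDebuggerEntry and Remove-IfeoDebuggerEntry are hypothetical.

```powershell
# Added example: audit Image File Execution Options (IFEO) for "Debugger" redirects.
# Assumption: programs are blocked via a Debugger value under <root>\<image name>.
function Get-IfeoDebuggerEntry {
    [CmdletBinding()]
    param(
        # Both registry views are checked; the WOW6432Node view only exists on 64-bit Windows.
        [string[]]$Root = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
        )
    )
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $r -ErrorAction SilentlyContinue) {
            # Each subkey is named after an executable, e.g. notepad.exe.
            $debugger = $key.GetValue('Debugger', $null)
            if ($null -eq $debugger) { continue }   # no redirect set for this image
            [pscustomobject]@{
                Image    = $key.PSChildName
                Debugger = $debugger
                KeyPath  = $key.PSPath
            }
        }
    }
}

function Remove-IfeoDebuggerEntry {
    # Deletes only the Debugger value and leaves the rest of the key in place.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$KeyPath
    )
    process {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Remove Debugger value')) {
            Remove-ItemProperty -LiteralPath $KeyPath -Name Debugger
        }
    }
}

# Read-only listing; run from an elevated prompt, ideally in safe mode.
Get-IfeoDebuggerEntry | Format-Table Image, Debugger -AutoSize

# After reviewing the list, remove the redirects (prompts per key; -WhatIf previews):
# Get-IfeoDebuggerEntry | Remove-IfeoDebuggerEntry
```

Some legitimate tools also set a Debugger value (for example, a Task Manager replacement), so review the listing before removing anything.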
Julia Sowells
Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, has written technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm in her role as security consultant while continuing to write for Hacker Combat in her limited spare time.