The Suceful malware is not your typical everyday virus. In fact it is a brand-new creation, unique in being essentially the first multi-vendor ATM-targeted virus. Do not let the name fool you – Suceful is very dangerous; it was named after a misspelled word in its code, left there by the creators of the virus and stumbled upon by anti-malware researchers.
Suceful targets the XFS Manager present in all ATM machines
The XFS Manager software component is responsible for communication between the ATM software and the hardware of the various vendors, so it makes a lot of sense for Suceful to target it. It is, however, not the only target of the virus. Infected DLL files are injected into the command sequence of the software that runs the basic functions of the ATM. From there Suceful obtains root access to all functions of the ATM, and from that point basically anything is possible.
ATMs infected by this virus are even susceptible to reprogramming and control from the PIN pad – a fact that greatly helps the thieves who use Suceful. The malware is able to record all data related to inserted cards – credit and debit data, payment account details and IDs, and PINs as they are entered. It is even capable of suppressing the built-in alarms that come with every ATM. Suceful is also able to trigger the card-withholding mechanism and retain the user’s card inside the device. This technique is usually used by thieves who operate locally: they are able to retrieve the card immediately and use the data stolen by Suceful to drain it of money. Needless to say, that is the most direct and dangerous approach taken by the criminals. A much smarter approach for them would be to store the data and drain the accounts online from a safe location. Because of this, remember: if a card has passed through a device infected by Suceful, the PIN should be changed immediately at another ATM that is not infected by this virus.
Method of spreading
It is too early in the life cycle of the virus to determine exactly how it propagates, but all research so far indicates that it uses infected USB drives. Suceful can lie dormant within a storage device for an extended amount of time and infect every other storage device that the USB drive comes in contact with. As soon as it connects to a computer hooked up to an ATM, the virus triggers itself and infects the XFS Manager and thus the ATM.
Suceful is very dangerous and should be dealt with quickly and efficiently. All people who have used their cards on devices infected by Suceful should be informed of the danger; they should immediately block their accounts and change their PIN from an uninfected device. All USB devices that have come in contact with an infected ATM or its service computer need to be scanned for malware and/or formatted if possible.
SUCEFUL Malware Removal Instructions
Our first step here is a reboot in Safe Mode. If you already know how to do it, just skip this and proceed to Step 2. If you do not know how to do it, continue reading:
For Windows 98, XP, Millennium and 7 Users:
Restart your computer. To be sure you don’t miss the time when you need to press it, just spam F8 as soon as the PC starts booting. In the new menu, choose Safe Mode With Networking.
Proceed to Step 2.
For Windows 8 and 8.1 Users:
Click the Start button, then Control Panel —> System and Security —> Administrative Tools —> System Configuration.
Then check the Safe Boot option and click OK. Click Restart in the new pop-up.
Proceed to Step 2.
For Windows 10 Users:
- Open the Start menu.
- Click the power button icon in the right corner of the new Start menu to show the power options menu.
- Press and hold down the SHIFT key on the keyboard and click the Restart option while still holding down the SHIFT key.
Windows 10 will perform the reboot. Next do the following:
Click the Troubleshoot icon, then Advanced options —> Startup Settings. Click Restart.
After the reboot click on Enter Safe Mode With Networking (Fifth Option).
Continue with Step 2.
Hold the Windows Key and R and copy + paste the following, then click OK:
A .txt file will open – don’t touch anything there. If you are hacked and someone has access to your PC, there will be a bunch of other IPs connected to you at the bottom. This is what a hosts file looks like:
If there are a bunch of strange IPs connecting to you below “Localhost” you may be hacked, and it’s best to ask us in the comments for directions.
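The hosts file is a plain-text map from hostnames to IP addresses, and in a clean Windows installation the only active lines map localhost to 127.0.0.1 and ::1. The script below is an added example (it is not part of the article) that parses a hosts file and lists every active mapping that is not one of those stock loopback entries, together with a reason: a name redirected to a remote address, or a name sinkholed to loopback/0.0.0.0 so the real host (an update server, for instance) can no longer be reached. The sample file content is constructed, and the 203.0.113.x addresses are documentation-range placeholders.

```python
import ipaddress

# Constructed sample of a Windows hosts file (not taken from any real machine).
# Lines 1-10 are the stock Microsoft comment header; lines 11-12 are the
# default loopback entries; lines 13-15 are the kind of additions to look for.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#       102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10      x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1       localhost
::1             localhost
203.0.113.45    update.antivirus-vendor.example
203.0.113.45    www.bank.example  online.bank.example
0.0.0.0         telemetry.example
"""

# Names the default hosts file maps to loopback; anything else is an addition.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for every active (non-comment) mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments, whole or trailing
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # an address with no names is not a mapping
            continue
        yield line_no, parts[0], parts[1:]


def suspicious_entries(text):
    """Return (line_no, ip, names, reason) for every non-default mapping.

    Stock entries are loopback addresses mapped only to localhost-style names.
    Everything else is reported: a non-local address means the name has been
    redirected; loopback or 0.0.0.0 means the name has been sinkholed, which
    is how malware blocks security updates without touching the network.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, names, "malformed address"))
            continue
        if addr.is_loopback and all(n in DEFAULT_LOOPBACK_NAMES for n in names):
            continue  # the stock entries
        if addr.is_loopback or addr.is_unspecified:
            reason = "name sinkholed (real host can no longer be reached)"
        else:
            reason = "name redirected to a non-local address"
        findings.append((line_no, ip, names, reason))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_HOSTS with the contents of
    # C:\Windows\System32\drivers\etc\hosts to check a real machine.
    for line_no, ip, names, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {' '.join(names)}: {reason}")
```

Running it on the constructed sample reports the three appended lines and nothing else; the commented-out addresses in the Microsoft header are correctly ignored because comment stripping happens before the line is split.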
Now hold the windows Key and R again but type %temp% in the field and hit enter. Delete everything in that directory.
Right click on each of the malware processes separately and select Open File Location. Also, end the process after you open the folder. Just to make sure we don’t delete any programs you mistakenly took for malware, copy the folders somewhere, then delete the directories you were sent to. There’s a good chance CoreBot is hiding somewhere in here.
A BIG WARNING HERE! READ THIS BEFORE PROCEEDING!
This is perhaps the most important and difficult step, so be extremely careful. Doing this can damage your PC significantly if you make a big mistake. If you are not feeling comfortable, we advise you to download a professional SUCEFUL Malware remover. Additionally, accounts connected to your credit cards, or important information, may be exposed to the virus.
Take a look at the following things:
Type msconfig in the search field and hit Enter: you will be taken to a new window.
Go to the Startup tab and uncheck anything that has “Unknown” as Manufacturer.
Type Regedit in the Windows search field and press Enter.
Once inside, press CTRL and F together and type the malware’s name. Right click and delete any entries you find with a similar name. If you can’t find them this way, look in these locations and delete the registry entries manually:
- HKEY_CURRENT_USER\Software\Random numbers
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Random
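Searching Regedit by hand is error-prone, and the step above can also be done offline against a text export of the hive (on the machine, `reg export HKEY_CURRENT_USER\Software hkcu-software.reg` writes one). The following is an added example, not code from the article: it parses the .reg text format and flags the two patterns the removal steps describe, namely random-looking key names directly under HKCU\Software and values whose data points into a Temp directory (the %temp% location the earlier step tells you to empty). The export excerpt is constructed; `svchost32.exe` and the key `83921647` are made-up illustrations, not known indicators.

```python
import re

# Constructed excerpt of a `reg export` text dump (not from any real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost32"="C:\\Users\\user\\AppData\\Local\\Temp\\svchost32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="https://www.msn.com/"

[HKEY_CURRENT_USER\Software\83921647]
"path"="C:\\Users\\user\\AppData\\Local\\Temp\\svchost32.exe"

[HKEY_CURRENT_USER\Software\7-Zip]
"Path"="C:\\Program Files\\7-Zip\\"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    String data has its surrounding quotes and REG escapes (\\" and \\\\)
    removed; other types (dword:, hex:) are kept as the raw token.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def looks_random(name):
    """Heuristic for 'Random numbers' style key names: all digits, or a long
    alphanumeric token with no vowels.  Real product keys fail both tests."""
    if re.fullmatch(r"\d{6,}", name):
        return True
    return len(name) >= 8 and name.isalnum() and not re.search(r"[aeiou]", name, re.I)


def points_into_temp(data):
    """True if a value's data references a Temp directory."""
    d = data.lower()
    return "%temp%" in d or "\\temp\\" in d


def audit(text):
    """Return (key, value_name_or_None, reason) for every flagged entry."""
    findings = []
    for key, values in parse_reg(text).items():
        parts = key.split("\\")
        directly_under_software = (
            len(parts) == 3
            and parts[0] == "HKEY_CURRENT_USER"
            and parts[1].lower() == "software"
        )
        if directly_under_software and looks_random(parts[2]):
            findings.append((key, None, "random-looking key name under HKCU\\Software"))
        for name, data in values.items():
            if points_into_temp(data):
                findings.append((key, name, "value points into a Temp directory"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit(SAMPLE_REG):
        print(f"[{key}] {name or '(key)'}: {reason}")
```

On the constructed sample this flags the Run value that launches an executable from Temp, the all-digit key under HKCU\Software, and that key's own Temp-path value, while leaving the OneDrive, Internet Explorer and 7-Zip entries alone. Treat the output as a shortlist to inspect, not a delete list: the random-name heuristic is deliberately loose.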
If these things fail to help you find SUCEFUL Malware you need to resort to a professional scanner – obviously this is malware that was created to steal your credentials and credit cards, meaning the people who created it spent a lot of resources to make it as dangerous as possible.