Virus Characteristics
--------------------Updated on August 15, 2012 ---------------------------------
"Ransom-C" is a Trojan that gains control of the affected computer by locking the screen and preventing the user from accessing the desktop as well as Task Manager.
Upon execution, the system is locked with the screen shown below, and the user is not allowed to log in even in Safe Mode.

Upon execution, it tries to copy itself to the following locations:
- %Appdata%\9FB8BD\SY8E4U.exe
- %Appdata%\9FB8BD\SY8E4U.exe.lnk
Upon execution, it tries to connect to the IP address below over remote port 80.
The following registry values are modified on the system:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load":""
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load":"%Appdata%\9FB8BD\SY8E4U~1.LNK"
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\DISABLETASKMGR:0
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\DISABLETASKMGR:1
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\DISABLEREGISTRYTOOLS:0
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\DISABLEREGISTRYTOOLS:1
The above registry entries ensure that Task Manager and Regedit are disabled, and the "load" value points the logon sequence at the dropped shortcut.
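As an added example that is not part of this write-up, the following Python script parses a Registry Editor (.reg) export and flags the two policy values and the non-empty "load" autostart value listed above. The sample export is constructed; the user name and drive in it are placeholders, and the key paths are compared case-insensitively.

```python
"""Flag the registry changes this write-up attributes to Ransom-C in a .reg export."""

# Keys and value names taken from the write-up; compared case-insensitively below.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WINDOWS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"


def parse_reg_export(text):
    """Return {key: {value_name: data}} from a 'Windows Registry Editor' export.
    Handles "name"="string", "name"=dword:hex and the @ default value."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                data = int(data[len("dword:"):], 16)
            else:
                data = data.strip('"').replace("\\\\", "\\")  # .reg doubles backslashes
            result[current][name] = data
    return result


def find_ransom_c_indicators(reg):
    """Return human-readable findings for the indicators named in the write-up."""
    findings = []
    lookup = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in reg.items()}
    policy = lookup.get(POLICY_KEY.lower(), {})
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if policy.get(name.lower()) == 1:
            findings.append(f"{name} set to 1 under Policies\\System")
    load = lookup.get(WINDOWS_KEY.lower(), {}).get("load", "")
    if isinstance(load, str) and load:
        findings.append(f"'load' autostart value is non-empty: {load}")
        if load.lower().endswith(".lnk") or "\\9fb8bd\\" in load.lower():
            findings.append("'load' points to a shortcut under %Appdata%\\9FB8BD (matches write-up)")
    return findings


# Constructed sample export, not a real capture; user name and drive are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\Users\\EXAMPLEUSER\\AppData\\Roaming\\9FB8BD\\SY8E4U~1.LNK"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""

if __name__ == "__main__":
    for finding in find_ransom_c_indicators(parse_reg_export(SAMPLE_REG)):
        print("[!]", finding)
```

On a live host the same checks can be run against the output of `reg export` for the two keys, so a clean machine yields no findings.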
-------------------------------------------------------------------------------------------------------------
Ransom-C is a Trojan that deletes files from the infected machine and displays a message in Chinese demanding a fee from the user to recover the deleted data.
This Trojan often arrives in a spoofed e-mail notifying the user of an "important event" or "great deal", such as the following:

This e-mail is spoofed to appear to come from the mail administrator, notifying the user of a "system upgrade" and requesting that the user open the attachment to prevent the account from being terminated.
More recently, websites were discovered hosting Exploit-MS06-014, which installs Ransom-C without any user interaction on vulnerable web browsers. They include legitimate financial news and medical websites, among others, that are believed to have been compromised by the Trojan author. When the exploit succeeds, it downloads and installs an abc.exe.pif executable containing Ransom-C.
In some cases, a .RAR file resembling the attachments used in the spoofed e-mails is placed behind a spoofed hyperlink on the compromised website. For example, the hyperlink could display a description such as "Directions to the XYZ Hospital" but actually lets the user download a .RAR containing the Ransom-C Trojan:

Upon execution, Ransom-C makes a copy of itself in the Start -> Programs -> Startup menu as svchost.exe, as well as at X:\Documents and Settings\%User%\Application Data\Microsoft\win1ogon.exe
(where X: is the system drive letter, e.g. C:, and %User% is the current user ID).
It then displays the following pop-up window:

This pop-up window claims that unlicensed software was detected and has been moved to a restricted folder. To unlock these files, the user must send an e-mail to webmas[hidden]@yahoo.com.cn to purchase the "licensed" software.
NOTE: Our analysis shows that the files are not moved but effectively deleted from the infected computer, including mounted drives on external media (e.g. memory cards, hard drives). This implies that a reliable method to fully recover the files is unlikely.
Ransom-C drops a text file on the desktop reiterating its claims, and reboots the system each time the pop-up window is closed.
