Virus Profile: Ransom-M

Threat Search

Virus Profile information details
Risk Assessment:	Home Low-Profiled \| Corporate Low-Profiled
Date Discovered:	10/28/2009
Date Added:	10/28/2009
Origin:	N/A
Length:	N/A
Type:	Trojan
Subtype:	Dropper
DAT Required:	5786
Removal Instructions

Overview
Virus Characteristics
Removal Instructions

Description

-- Update October 28, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blogs.zdnet.com/security/?p=4748

Ransom-M is a Trojan on execution encrypts all the files of these formats i.e .zip; .rar; .pdf; .rtf; .txt; .jpg; .jpeg; .waw; .mp3; .db; .xls; .docx; .xlsx; .doc.The user has to get the decryption key inorder to recover the files by paying a specified amount to the attacker.

Indication of Infection

Presence of the above mentioned characteristics.
Presence of the above mentioned files

Methods of Infection

Trojans are not viruses, and as such do not contain any method to replicate by themselves. However they may be downloaded by other viruses and/or Trojans to be installed on the user's system. Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the malwares).

Aliases

Trj/Ransom.K(Panda), Troj/Gpcode-E(Sophos), Trojan-Ransom.Win32.Xorist.a(Kaspersky), Trojan:W32/Randsom.G(F-Secure)

View Virus Characteristics

Virus Characteristics

Upon execution Trojan Ransom-M changes the wallpaper of the desktop with the following wallpaper as shown below:

The wallpaper contains a message informing the user that the system is infected with Lorobot and to recover the files the user has to email to the specified email address mentioned in the wallpaper and pay 100$ to the attacker inorder to obtain the decryption file.

Trojan then encrypts all the files in the user's system which are of the following file formats .zip; .rar; .pdf; .rtf; .txt; .jpg; .jpeg; .waw; .mp3; .db; .xls; .docx; .xlsx; .doc .After modifying all the files a text pop up appears as shown below:

The Trojan adds the following files:

C:\xxxx.txt
C:\WINDOWS\CryptLogFile.txt
C:\Documents and Settings\<USERNAME>\Local Settings\Temp\wallpaper.bmp

CryptLogFile.txt contains the list of modified files in the system by the Trojan as below:

C:\Adobe Reader 9 Installer\Folder.jpg
C:\Tools\API Monitor.rar
C:\Tools\Dede\DSF\DeDe_SDK.rtf
C:\WINDOWS\SHELLNEW\EXCEL12.XLSX
C:\Program Files\Windows Media Player\npdrmv2.zip
C:\Documents and Settings\All Users\Application Data\SiteAdvisor\guid.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
C:\Documents and Settings\<USERNAME>\Application Data\Microsoft\Internet Explorer\brndlog.txt
C:\Documents and Settings\<USERNAME>\Cookies\<USERNAME>@atdmt[1].txt
C:\Documents and Settings\<USERNAME>\Local Settings\Application Data\IconCache.db
C:\Documents and Settings\<USERNAME>\Templates\winword.doc
C:\Documents and Settings\<USERNAME>\Templates\excel.xls

Back To Overview View Removal Instructions

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations