Virus Profile: Ransom-O

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/2/2009
Date Added: 12/2/2009
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 7495
Description

----------------------Updated on March 03, 2014 ---------------

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

--------------------------------------------------------
Ransom-O is a Trojan that on execution tries to block internet access on the user's system. The user has to pay via an SMS message for the attacker's software to re-enable internet access.

Indication of Infection

Presence of the above-mentioned files and registry keys.

Presence of unexpected network connections to the above-mentioned IP addresses.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, spam, etc.

Aliases

Mal/Generic-A (Sophos), RansomSMS AH,Trojan (CA), TR/Ransom.SMSer.QM (Avira), TROJ_RANSOM.GL (Trend), Trojan-Ransom (Ikarus), Trojan-Ransom.Win32.SMSer.qm (Kaspersky), Trojan-Ransom.Win32.SMSer.qm (VBA32), Trojan.SMSer.OW (VirusBuster), Trojan.Win32.Generic.51EFC4AF (Rising), Trojan.Winlock.412 (DrWeb), Trojan/SMSer.gr (Jiangmin), Trojan:Win32/Malat (Microsoft), TrojanRansom.SMSer.qm (Cat), W32/Malware.JQUS (Norman), W32/SMSer.QM!tr (Fortinet), W32/Trojan2.JYIG (Frisk), Win-Trojan/Smser.96256 (Ahnlab), Win32/LockScreen.CS (Eset), Win32:Malware-gen (Alwil)
   

Virus Characteristics

-----------------Updated on August 9th 2014--------------------

Aliases -

  • Microsoft - Trojan:Win32/Peaac.gen!A [generic]
  • Symantec - Trojan.Cryptolocker.F
  • Kaspersky - Trojan.Win32.Inject.ojvt
  • Ikarus - Trojan.Win32.Injector
  • Nod32 - Win32/Injector.BJFX trojan (variant)

Characteristics -

“Ransom-O” is the generic detection for a Trojan that belongs to the Cryptolocker ransomware family. Cryptolocker is ransomware that, on execution, locks the user's system and leaves it in an unusable state. It also encrypts the file types listed below on the user's system and asks the user to download the TOR browser to obtain decryption. The compromised user has to pay the attacker a ransom to unlock the system and have the files decrypted.

The Trojan encrypts files with the following extensions:

*.odt, *.ods, *.odp, *.mdgs, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.heaven, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

Upon execution the Trojan tries to inject into iexplorer.exe and connect to the following IP addresses through remote port 3070:

  • 146.[Removed].33
  • 96.[Removed].25
  • 65.[Removed].20
  • 64.[Removed]33

Upon execution, the Trojan drops files into the following locations:

  • %Temp%\00007415\!!!READ_THIS!!!.html
  • %Temp%\00007415\manifest.txt.encrypted
  • %SystemDrive%\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Internet Explorer\!!!READ_THIS!!!.html
  • %SystemDrive%\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.txt.encrypted
  • %SystemDrive%\WINDOWS\awyzumq.html

The files listed above include the image, HTML or text file dropped to alert the user that their files are encrypted and to demand payment for decrypting them.

  • %SystemDrive%\WINDOWS\okokaviz.exe

The following registry keys have been added to the system.

  • HKEY_USERS\S-1-5-21-[Varies]\Software\BitTorrent Application
  • HKEY_USERS\S-1-5-21-[Varies]\Software\BitTorrent Application\Configuration

The following registry key values have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yfynajol: "%windir%\okokaviz.exe"

The above-mentioned registry value ensures that the Trojan is executed whenever the system starts.

  • HKEY_USERS\S-1-5-21-[Varies]\Software\Bit Torrent Application\Configuration\01000000:[Binary Data]
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Bit Torrent Application\Configuration\02000000:[Binary Data]
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Bit Torrent Application\Configuration\03000000:[Binary Data]
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Bit Torrent Application\Configuration\00000000:[Binary Data]
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Bit Torrent Application\Configuration\04000000:[Binary Data]
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Bit Torrent Application\Configuration\05000000:[Binary Data]

The following registry key values have been modified on the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0048F8D37B153F6EA2798C323EF4F318A5624A9E\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0483ED3399AC3608058722EDBC5E4600E3BEF9D7\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\049811056AFE9FD0F5BE01685AACE6A5D1C4454C\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1331F48A5DA8E01DAACA1BB0C17044ACFEF755BB\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1F55E8839BAC30728BE7108EDE7B0BB0D3298224\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\209900B63D955728140CD13622D8C687A4EB0085\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\216B2A29E62A00CE820146D8244141B92511B279\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\23E594945195F2414803B4D564D2A3A3F5D88B8C\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24A40A1F573643A67F0A4B0749F6A22BF28ABB6B\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47AFB915CDA26D82467B97FA42914468726138DD\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4B421F7515F6AE8A6ECEF97F6982A400A4D9224E\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4BA7B9DDD68788E12FF852E1A024204BF286A8F6\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4C95A9902ABE0777CED18D6ACCC3372D2748381E\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9\Blob:[Binary Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C\Blob:[Binary Data]


Once Cryptolocker has encrypted the files on the system, it displays the following alert image to the user with instructions for restoring them:

-----------------Updated on August 1st 2014--------------------

Aliases -

  • Microsoft - Ransom:Win32/Crilock.D
  • Symantec - Trojan.Cryptolocker.F

Characteristics -

“Ransom-O” is a generic detection for a Trojan that belongs to the Cryptolocker ransomware family. Cryptolocker is ransomware that, on execution, locks the user's system and leaves it in an unusable state. It also encrypts the file types listed below on the user's system. The compromised user has to pay the attacker a ransom to unlock the system and have the files decrypted.

The Trojan encrypts files with the following extensions:

*.odt, *.ods, *.odp, *.mdgs, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.heaven, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

Upon execution the Trojan tries to connect to the following addresses:

  • 146.[Removed].32
  • know[Removed]wiki.info

Upon execution, the Trojan drops files into the following locations:

  • %USERPROFILE%\Desktop\!!!READ_THIS!!!.html
  • %USERPROFILE%\Desktop\Parcel Info.zip.encrypted
  • %TEMP%\00007415\!!!READ_THIS!!!.html
  • %TEMP%\00007415\manifest.txt.encrypted
  • %TEMP%\!!!READ_THIS!!!.html
  • %TEMP%\dd_clwireg.txt.encrypted
  • %TEMP%\dd_depcheck_NETFX_EXP_35.txt.encrypted
  • %TEMP%\dd_dotnetfx35install.txt.encrypted
  • %TEMP%\dd_NET_Framework20_Setup3E29.txt.encrypted
  • %TEMP%\dd_NET_Framework30_Setup3F86.txt.encrypted
  • %TEMP%\dd_NET_Framework35_MSI407B.txt.encrypted
  • %TEMP%\dd_RGB9RAST_x86.msi3E1F.txt.encrypted
  • %TEMP%\dd_wcf_retCA16E9.txt.encrypted
  • %TEMP%\dd_XPS.txt.encrypted
  • %TEMP%\uxeventlog.txt.encrypted
  • %USERPROFILE%\Templates\!!!READ_THIS!!!.html
  • %USERPROFILE%\Templates\excel.xls.encrypted
  • %USERPROFILE%\Templates\excel4.xls.encrypted
  • %USERPROFILE%\Templates\powerpnt.ppt.encrypted
  • %USERPROFILE%\Templates\quattro.wb2.encrypted
  • %USERPROFILE%\Templates\winword.doc.encrypted
  • %USERPROFILE%\Templates\winword2.doc.encrypted
  • %ALLUSERPROFILE%\Documents\My Pictures\Sample Pictures\!!!READ_THIS!!!.html
  • %ALLUSERPROFILE%\Documents\My Pictures\Sample Pictures\Blue hills.jpg.encrypted
  • %ALLUSERPROFILE%\Documents\My Pictures\Sample Pictures\Sunset.jpg.encrypted
  • %ALLUSERPROFILE%\Documents\My Pictures\Sample Pictures\Water lilies.jpg.encrypted
  • %ALLUSERPROFILE%\Documents\My Pictures\Sample Pictures\Winter.jpg.encrypted
  • %APPDATA%\Microsoft\Internet Explorer\!!!READ_THIS!!!.html
  • %APPDATA%\Microsoft\Internet Explorer\brndlog.txt.encrypted
  • %APPDATA%\Microsoft\Windows Media\11.0\!!!READ_THIS!!!.html
  • %SYSTEMDRIVE%\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\!!!READ_THIS!!!.html
  • %SYSTEMDRIVE%\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\RosebudMUI.xml.encrypted
  • %WINDIR%\ewymycyk.exe
  • %WINDIR%\ygelicf.html
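As an added example (not code from the McAfee profile), the following Python walks a directory tree for the artifacts listed above: the ransom note !!!READ_THIS!!!.html, the .encrypted suffix, and file names whose extension is on the targeted list given earlier in this update. The demo() function builds a constructed sample tree in a temporary directory, so nothing here touches a real infection; the directory layout, the file names and the decision to treat the page's token "*. heaven" as an extraction artifact are assumptions.

```python
import os
import tempfile
from collections import Counter

# Extensions from the profile's list, normalised to lowercase with the "*." prefix
# dropped. The page's token "*. heaven" is omitted on the assumption that it is an
# extraction artifact rather than a real extension.
TARGETED_EXTENSIONS = frozenset("""
odt ods odp mdgs odc odb doc docx docm wps xls xlsx xlsm xlsb xlk ppt pptx pptm
mdb accdb pst dwg dxf dxg wpd rtf wb2 mdf dbf psd pdd pdf eps ai indd cdr jpg
jpe dng 3fr arw srf sr2 bay crw cr2 dcr kdc erf mef mrw nef nrw orf raf raw
rwl rw2 r3d ptx pef srw x3f der crt pem pfx p12 p7b p7c
""".split())

# Artifact names taken from the profile's dropped-file lists.
ENCRYPTED_SUFFIX = ".encrypted"
RANSOM_NOTE = "!!!read_this!!!.html"


def classify(filename):
    """Return 'note', 'encrypted', 'targeted' or None for a bare file name."""
    lower = filename.lower()
    if lower == RANSOM_NOTE:
        return "note"
    if lower.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    ext = lower.rsplit(".", 1)[1] if "." in lower else ""
    return "targeted" if ext in TARGETED_EXTENSIONS else None


def scan_tree(root):
    """Walk root and group matching files (paths relative to root) by kind."""
    findings = {"note": [], "encrypted": [], "targeted": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                findings[kind].append(os.path.relpath(os.path.join(dirpath, name), root))
    return findings


def suspect_directories(findings):
    """Directories holding both a ransom note and at least one .encrypted file,
    the co-occurrence the profile's dropped-file lists show for each folder."""
    note_dirs = {os.path.dirname(p) for p in findings["note"]}
    encrypted_dirs = Counter(os.path.dirname(p) for p in findings["encrypted"])
    return sorted(d for d in note_dirs if encrypted_dirs[d] > 0)


def demo():
    """Build a constructed sample tree in a temp dir (no real malware involved)
    mirroring the profile's Desktop/Templates drop locations, then scan it."""
    root = tempfile.mkdtemp(prefix="ransom_o_demo_")
    layout = {
        "Desktop": ["!!!READ_THIS!!!.html", "Parcel Info.zip.encrypted", "notes.txt"],
        "Templates": ["!!!READ_THIS!!!.html", "winword.doc.encrypted", "excel.xls"],
        "Clean": ["report.docx", "photo.jpg"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("constructed sample content\n")
    findings = scan_tree(root)
    return findings, suspect_directories(findings)


if __name__ == "__main__":
    found, suspects = demo()
    for kind, paths in found.items():
        print(f"{kind}: {len(paths)} file(s)")
    print("directories with note + encrypted files:", suspects)
```

On a real host, point scan_tree() at a user profile or share root; the "targeted" bucket is only a count of files at risk, while the directories returned by suspect_directories() are the ones showing the note-plus-encrypted-files pattern and are the first place to look during triage.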


The following registry keys have been added to the system.

  • HKEY_USERS\S-1-5-21-[VARIES]\Software\6E7DB172ECD29D41C2E652A4B4C8C5E8
  • HKEY_USERS\S-1-5-21-[VARIES]\Software\6E7DB172ECD29D41C2E652A4B4C8C5E8\CRYPTLIST

The following registry key values have been added to the system.

  • HKEY_USERS\S-1-5-21-[VARIES]\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{GUID}: 0x00002002
  • HKEY_USERS\S-1-5-21-[VARIES]\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{GUID}: 0x00002003
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uckwufoc: "%WINDIR%\ewymycyk.exe"


The above-mentioned Run value ensures that the Trojan registers with the compromised system and executes itself upon every boot.

-----------------------------------------------------------------------------------------------

-----------------Updated on May 13th 2014-----------------------------------------

  • ESET-NOD32 - Win32/Filecoder.BQ
  • Kaspersky - Trojan-Ransom.Win32.Blocker.eoif
  • Microsoft - Trojan:Win32/Crilock


“Ransom-O” is a generic detection for a Trojan that drops other files onto the system.

The Trojan also connects to the following URLs:

  • lvm[Removed]gupf.net
  • fkf[Removed]ob.org
  • sga[Removed]pq.co.uk
  • hh[Removed]qv.info
  • ud[Removed]pic.com
  • ji[Removed]cou.net
  • we[Removed]pr.biz
  • hn[Removed]dmo.ru
  • ix[Removed]mb.org
  • jo[Removed]dd.co.uk
  • ky[Removed]md.info
  • ll[Removed]qd.com
  • mvq[Removed]qw.net
  • nmt[Removed]q.biz
  • owo[Removed]xx.ru
  • yll[Removed]fu.org
  • mj[Removed]kn.co.uk
  • at[Removed]iv.info
  • nrw[Removed]iww.com
  • bu[Removed]uwb.net
  • os[Removed]up.biz
  • cd[Removed]uhs.ru
  • pb[Removed]mop.org
  • hc[Removed]jbo.co.uk
  • io[Removed]qp.info
  • ikg[Removed]qpx.com
  • jwh[Removed]rq.net
  • jl[Removed]yc.biz
  • kxc[Removed]hy.ru
  • kt[Removed]uc.org
  • lgm[Removed]pq.co.uk
  • rv[Removed]x.info
  • ft[Removed]dwp.com
  • tbx[Removed]gp.net
  • hyy[Removed]kop.biz
  • tfs[Removed]wwu.ru
  • hd[Removed]oki.org
  • vk[Removed]cv.co.uk
  • jie[Removed]odr.info
  • amx[Removed]olb.com
  • byy[Removed]oqb.net

The following files have been added to the system.

  • %userprofile%\LocalSettings\ApplicationData\Zkauhxfbmpubhr.exe


The following registry key values have been added to the system.


  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker: ""%userprofile%\LocalSettings\ApplicationData\Zkauhxfbmpubhr.exe""
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker: ""%userprofile%\LocalSettings\ApplicationData\Zkauhxfbmpubhr.exe""


The above registry entries ensure that the Trojan is executed whenever the system is rebooted.



----------------------Updated on March 03, 2014 ---------------

Aliases –

  • Kaspersky - Trojan-Ransom.Win32.Blocker.dwql
  • Ikarus - Trojan-Ransom.Win32.Blocker
  • Microsoft - Trojan:Win32/Uniemv.A

Characteristics –

“Ransom-O” is a generic detection for a Trojan that steals sensitive information from the compromised machine and sends it to the remote attacker.


The Trojan collects system details and other information using the following commands (the %s placeholder stands for the output file):

  • cmd /C "systeminfo.exe > %s"
  • cmd /C "echo -------- >> %s"
  • cmd /C "tasklist.exe /SVC >> %s"
  • cmd /C "driverquery.exe >> %s"
  • cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> %s"
  • cmd /C "net.exe view >> %s"
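As an added detection example (not part of the McAfee profile), the following Python flags this reconnaissance chain in process-creation telemetry: it groups the commands above by host, parent process and the file their output is redirected into, and alerts once several distinct commands feed the same file. The event records, the temp-file path substituted for the profile's %s placeholder, the parent path (the %APPDATA%\vmware-unity.exe copy this update describes below) and the alert threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# One pattern per reconnaissance command in the profile, matched case-insensitively.
RECON_PATTERNS = {
    "systeminfo": re.compile(r"\bsysteminfo(?:\.exe)?\b", re.I),
    "tasklist_svc": re.compile(r"\btasklist(?:\.exe)?\s+/svc\b", re.I),
    "driverquery": re.compile(r"\bdriverquery(?:\.exe)?\b", re.I),
    "reg_uninstall": re.compile(
        r"\breg(?:\.exe)?\s+query\s+\"?HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
        re.I),
    "net_view": re.compile(r"\bnet(?:\.exe)?\s+view\b", re.I),
}
# Captures the file a command's output is redirected into (">" or ">>").
REDIRECT_RE = re.compile(r">>?\s*([^\s\"]+)")
# Assumed threshold: distinct recon commands writing to one file before alerting.
THRESHOLD = 3


def recon_marker(cmdline):
    """Name of the recon command a command line matches, or None."""
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None


def output_file(cmdline):
    """Redirect target of the command line, or None when output is not redirected."""
    m = REDIRECT_RE.search(cmdline)
    return m.group(1) if m else None


def find_recon_chains(events):
    """events: dicts with 'host', 'parent' and 'cmdline' (process-creation records).
    Groups recon commands by (host, parent, output file) and alerts when THRESHOLD
    or more distinct commands feed the same file."""
    chains = defaultdict(set)
    for ev in events:
        marker = recon_marker(ev["cmdline"])
        target = output_file(ev["cmdline"])
        if marker and target:
            chains[(ev["host"], ev["parent"], target.lower())].add(marker)
    return [
        {"host": h, "parent": p, "output": o, "commands": sorted(found)}
        for (h, p, o), found in chains.items() if len(found) >= THRESHOLD
    ]


# Constructed sample records (not real telemetry). The parent is the copy the
# profile says the Trojan makes in %APPDATA%; OUT stands in for the %s placeholder.
MALWARE_PARENT = r"C:\Documents and Settings\user\Application Data\vmware-unity.exe"
OUT = r"C:\DOCUME~1\user\LOCALS~1\Temp\1.tmp"
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": MALWARE_PARENT, "cmdline": rf'cmd /C "systeminfo.exe > {OUT}"'},
    {"host": "ws01", "parent": MALWARE_PARENT, "cmdline": rf'cmd /C "echo -------- >> {OUT}"'},
    {"host": "ws01", "parent": MALWARE_PARENT, "cmdline": rf'cmd /C "tasklist.exe /SVC >> {OUT}"'},
    {"host": "ws01", "parent": MALWARE_PARENT, "cmdline": rf'cmd /C "driverquery.exe >> {OUT}"'},
    {"host": "ws01", "parent": MALWARE_PARENT,
     "cmdline": rf'cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> {OUT}"'},
    {"host": "ws01", "parent": MALWARE_PARENT, "cmdline": rf'cmd /C "net.exe view >> {OUT}"'},
    # Benign control: an inventory script running one systeminfo into its own file.
    {"host": "ws02", "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'cmd /C "systeminfo.exe > C:\inventory\ws02.txt"'},
]

if __name__ == "__main__":
    for alert in find_recon_chains(SAMPLE_EVENTS):
        print(alert)
```

The "echo --------" separator carries no marker of its own, so it never contributes to a chain; the single systeminfo run on ws02 stays below the threshold, which is what keeps ordinary inventory scripts out of the alert list.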

Upon execution the Trojan tries to connect to the following IP addresses and URLs:

  • 5.[Removed].134
  • 66.[Removed]133
  • 66.[Removed].134
  • ltc.giv[Removed]ins.com
  • vis[Removed]ista.com
  • usteep[Removed]hoaboochu.ru
  • idioti[Removed]acher.ru
  • pil[Removed]pdown.ru
  • ochup[Removed]udokoowh.ru
  • pooch[Removed]achic.ru

Upon execution, it tries to copy itself to the following location:

  • %APPDATA%\vmware-unity.exe

The following registry keys are added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters

The following registry key values are added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs: 0x00003A98
  • HKEY_USERS\S-1-5-{Varies}\Software\Microsoft\Windows\CurrentVersion\Run\vmware-unity: "%APPDATA%\vmware-unity.exe"

The above-mentioned Run value ensures that the Trojan registers itself with the compromised system and executes itself upon every reboot.

------------------------------------------------------------------------------

-----------Updated on 09 Oct 2013-----------

Aliases

  • NOD32 - Win32/Filecoder.BQ
  • Kaspersky - Trojan-Ransom.Win32.Blocker.cjea
  • Microsoft - Trojan:Win32/Crilock.A

Characteristics –

“Ransom-O” is a generic detection for a Trojan that steals sensitive information from the compromised machine and sends it to the remote attacker. The Trojan may delete itself after execution.

Upon execution the Trojan injects code into explorer.exe and tries to connect to the following domains and IP addresses:

  • ykqd[Removed]eccrd.info
  • ajoh[Removed]iyrc.net
  • apoa[Removed]uinaa.net
  • ytum[Removed]itsdr.info
  • adrh[Removed]lkphk.com
  • ymt[Removed]fntafx.ru
  • aheer[Removed]dojo.co.uk
  • aqpd[Removed]xpwn.org
  • yasgy[Removed]txob.biz
  • akne[Removed]qcghbp.ru
  • 46.[Removed].185
  • 5.45.[Removed].145
  • 5.45.[Removed].103

The following are the registry key values added to the system

  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker: ""%AppData%\Orbxjpmrekprlfxd.exe""


The following is the file added to the system

  • %AppData%\Orbxjpmrekprlfxd.exe

---------------------------------------------------------------------------


-----Updated on 24 September 2013--------------------------

Aliases

  • Kaspersky - Trojan-Ransom.Win32.Blocker.cjea

Characteristics –


“Ransom-O” is a generic detection for a Trojan that steals sensitive information from the compromised machine and sends it to the remote attacker. The Trojan may delete itself after execution.

Upon execution the Trojan injects code into explorer.exe and tries to connect to the following domains and IP addresses:

  • rcoxshll[Removed]dxie.org
  • yoqm[Removed]hsdb.info
  • mdtkis[Removed]di.com
  • anojn[Removed]rypi.net
  • hma[Removed]gedetk.biz
  • uwus[Removed]qnegb.ru
  • ilxqtn[Removed]nkgb.org
  • vvsp[Removed]jxksb.co.uk
  • pwej[Removed]vodc.info
  • qsyua[Removed]dehb.com
  • 93.[Removed].44.187
  • 95.[Removed].8.39
  • 92.[Removed].132.27
  • 81.[Removed].170.166

The following are the registry key values added to the system

  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker: ""%AppData%\Qssthpsupcyjlvv.exe""


The following is the file added to the system

  • %AppData%\Qssthpsupcyjlvv.exe


-----Updated on 27 August 2012---

Aliases –

  • Norman - W32/RansomCrypt.C (trojan)
  • Kaspersky - Trojan-Dropper.Win32.Injector.emfl
  • Microsoft - VirTool:Win32/VBInject.gen!IT [generic]
  • NOD32 - Win32/Injector.QBK trojan (variant)

“Ransom-O” is a Trojan that encrypts all files except .exe and .dll files and prevents the user from accessing the encrypted files. When the user tries to open one of them, it asks for a password to decrypt it.
Upon execution the Trojan tries to encrypt all files except .exe and .dll files and renames the encrypted files as follows:

[Filename].EnCiPhErEd

It also changes the icon of the encrypted files (see the DefaultIcon registry value below).

Upon execution, it tries to copy itself to the following location:

%temp%\t5JPTM68io8eV4E.exe

It also drops a text file named HOW TO DECRYPT FILES.txt into every folder, containing information on how to decrypt the files.

The following registry keys have been added to the system:

  • HKLM\SOFTWARE\Classes\.EnCiPhErEd
  • HKLM\SOFTWARE\Classes\TTWJFKXKEEYEITY
  • HKLM\SOFTWARE\Classes\TTWJFKXKEEYEITY\DefaultIcon
  • HKLM\SOFTWARE\Classes\TTWJFKXKEEYEITY\shell
  • HKLM\SOFTWARE\Classes\TTWJFKXKEEYEITY\shell\open
  • HKLM\SOFTWARE\Classes\TTWJFKXKEEYEITY\shell\open\command

The following registry values have been modified on the system:

  • HKLM\SOFTWARE\Classes\.EnCiPhErEd\: "TTWJFKXKEEYEITY"
  • HKLM\SOFTWARE\Classes\TTWJFKXKEEYEITY\shell\open\command\: "%temp%\t5JPTM68io8eV4E.exe"

The above-mentioned registry values (the .EnCiPhErEd file-type association and its open command) ensure that the Trojan is executed whenever the user tries to open an encrypted file.

  • HKLM\SOFTWARE\Classes\TTWJFKXKEEYEITY\DefaultIcon\: "%temp%\t5JPTM68io8eV4E.exe,0"
  • HKLM\SOFTWARE\Classes\TTWJFKXKEEYEITY\: "CRYPTED!"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Alcmeter: "%temp%\t5JPTM68io8eV4E.exe"

The above-mentioned Run value ensures that the Trojan registers itself with the compromised system and executes itself upon every boot.

The following pop-up appears when the user tries to open an encrypted file:

-----Updated on Feb 24, 2012----

Aliases -

  • AntiVir - TR/Ransom.DW
  • Ikarus - Trojan.Win32.Lebag
  • Kaspersky - Trojan-Ransom.Win32.Foreign.aiq
  • Microsoft - Trojan:Win32/Ransom.EJ

Upon execution the Trojan connects to the site [removed]cwow.zapto.org through remote port 53. On execution it copies itself to the location below:

  • %Appdata%\Microsoft\torrent.exe

The following registry value has been added to the system.

  • [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
    {F6FDEA0B-36ED-11D9-AAF5-806D6172696F} = "%Appdata%\Microsoft\torrent.exe"

The above-mentioned registry value registers a Run entry on the compromised system so that the Trojan executes itself upon every boot.

Once executed, the file runs silently; after infection, a GUI alert message like the one below appears on the screen, asking the user to pay money to unlock the system.

It attempts the following network connections:

  • [removed]ld23322.ru
  • [removed]zld12222133.ru

[Note: C:\Documents and Settings\[User]\Application Data is %Appdata%]

------------------------

-----Updated on October 19, 2011----

Aliases

  • Kaspersky - Trojan-Dropper.Win32.Dapato.ksp
  • NOD32 - a variant of Win32/Kryptik.UCW
  • Ikarus - Trojan.Win32.Ransom
  • Microsoft - Trojan:Win32/Ransom.DU

Ransom-O is a trojan that on execution tries to lock the user's system. The user has to pay the attacker to unlock the system.

When executed, the Trojan tries to connect to the site ajdm[Removed]ok.com through remote port 80.

When executed it copies itself into the following location:

  • %Appdata%\mahmud.exe

The following registry value has been added.

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "%Appdata%\mahmud.exe"

The above-mentioned Winlogon Shell value ensures that the Trojan registers itself with the compromised system and executes upon every reboot.
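Several updates on this page end with a Run, RunOnce or Winlogon Shell value, or (in the August 2012 entry) a .EnCiPhErEd file-class association, that restarts the Trojan. As an added example (not code from the McAfee profile), the following Python audits an exported .reg file for those three patterns: autostart values that point into user-writable locations, a Winlogon Shell other than explorer.exe, and a file extension whose open command lives in such a location. SAMPLE_REG is constructed from the profile's own entries with a placeholder SID and plain string values (a real export writes REG_EXPAND_SZ data as hex(2)); the USER_WRITABLE markers and the ctfmon.exe control entry are assumptions.

```python
import re

# .reg files written by "reg.exe export" are UTF-16LE text; open real ones with
# encoding="utf-16". The sample further down is an inline str.
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

# Locations a legitimate autostart entry rarely points into (an assumption used
# for scoring, chosen from the drop paths this profile lists).
USER_WRITABLE = ("%appdata%", "%temp%", "%userprofile%", "\\application data\\",
                 "\\temp\\", "\\users\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}}; "@" is the key's default value."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            tree.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name = value.group(1) if value.group(1) is not None else "@"
            data = value.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
            tree[current][name] = data
    return tree


def _in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def audit(tree):
    """Return (kind, key, name, data) findings for the three persistence patterns."""
    index = {k.lower(): k for k in tree}
    findings = []
    for key, values in tree.items():
        k = key.lower()
        parent, _, leaf = k.rpartition("\\")
        if leaf in ("run", "runonce") and "\\currentversion\\" in k:
            for name, data in values.items():
                if _in_user_writable(data):
                    findings.append(("autostart-user-writable", key, name, data))
        elif leaf == "winlogon":
            for name, data in values.items():
                if name.lower() == "shell" and data.strip().lower() != "explorer.exe":
                    findings.append(("winlogon-shell-replaced", key, name, data))
        elif "\\classes\\" in k and leaf.startswith("."):
            # Extension key -> ProgID -> ProgID\shell\open\command, as in the 2012 entry.
            progid = values.get("@", "")
            cmd_key = index.get(parent + "\\" + progid.lower() + "\\shell\\open\\command")
            cmd = tree[cmd_key].get("@", "") if cmd_key else ""
            if cmd and _in_user_writable(cmd):
                findings.append(("file-class-hijack", key, progid, cmd))
    return findings


# Constructed sample export built from the profile's entries (placeholder SID;
# the ctfmon.exe Run value is a benign control entry).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"CryptoLocker"="\"%AppData%\\Orbxjpmrekprlfxd.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="%Appdata%\\mahmud.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.EnCiPhErEd]
@="TTWJFKXKEEYEITY"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TTWJFKXKEEYEITY\shell\open\command]
@="%temp%\\t5JPTM68io8eV4E.exe"
'''

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

For an offline image, export the HKLM\SOFTWARE hive and each user's NTUSER.DAT Run/Winlogon/Classes paths with reg.exe and feed the files to parse_reg(); the location heuristic is deliberately coarse, so treat each finding as a lead to confirm against the file on disk rather than as a verdict.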

Once executed, the file runs silently; after infection, a GUI alert message like the one below appears on the screen.

It immediately removes itself from the location it was run from.

The above translates as:

Attention! An illegal process was detected and the system has been locked. From the user's IP, pages with pornographic content were accessed.

It asks the user to pay money to unlock the system.

-------------------------------------------------------------------------------------------

Ransom-O is a Trojan that on execution tries to block internet access on the user's system. The user has to pay via an SMS message for the attacker's software to re-enable internet access.

The distributed file is called "ufast-manager.exe" and has a file size of 233.472 bytes decimal. Upon running, the file runs silently and no GUI messages appear on the screen. It immediately removes itself from the location it was run from.

This file is a multidropper: a bundle of a malware file and innocent files.

The following malicious file is dropped onto the system:

  • propertyufastmanager.exe, having a filesize of 96.256 bytes decimal.  

It may be dropped to locations similar to:

  • c:\Documents and Settings\user##.######\Application Data\uFast Download Manager\PropetyuFastManager.exe

The following registry changes are made to the host:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Accessories\Communications "Order"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Accessories "Order"

The following regular files are also dropped onto the system:

  • ufastmanager.exe, having a filesize of 244.224 bytes decimal 
  • uninstall.exe, having a filesize of 47.134 bytes decimal 

The files get placed into the folder:  %Drive%\Program Files\uFast Download Manager.

An alert like the one below may appear after infection:

 

The above translates as:

Internet Access is blocked due to violation of

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

   
