BAT_CRYPTOR.B

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %User Temp%\keybtccheck.bin
• %User Temp%\sdel.cmd
• %User Temp%\KEYBTC.txt
• %User Temp%\genesis.btc
• %User Temp%\1024key.btc
• %Application Data%\KEY.PRIVATE
• %User Temp%\PRIVATE\KEY{random}.PRIVATE
• %User Temp%\secring.gpg

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops and executes the following files:

• %User Temp%\sampleautoreplicant.js - accesses sites to download malware components

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It creates the following folders:

• %User Temp%\PRIVATE

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CURRENT_USER\Software\Sysinternals\
SDelete
EulaAccepted = "1"

Download Routine

This Trojan accesses the following websites to download files:

• http://{BLOCKED}lru.org/images/coherence.btc
• http://{BLOCKED}lru.org/images/lsass.btc
• http://{BLOCKED}lru.org/images/spool.btc
• http://{BLOCKED}lru.org/images/spoolsv.btc
• http://{BLOCKED}lru.org/images/sv.btc
• http://{BLOCKED}lru.org/images/tobi.btc
• http://{BLOCKED}lru.org/images/collapse.btc

It saves the files it downloads using the following names:

• %User Temp%\coherence.btc
• %User Temp%\lsass.btc
• %User Temp%\%User Temp%\spool.btc
• %User Temp%\spoolsv.btc
• %User Temp%\sv.btc
• %User Temp%\tobi.btc
• %User Temp%\collapse.btc

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other Details

This Trojan encrypts files with the following extensions:

• .xls
• .xlsx
• .doc
• .docx
• .xlsm
• .cdr
• .slddrw
• .dwg
• .ai
• .svg
• .mdb
• .1cd
• .pdf

It renames encrypted files using the following names:

• {file name and extension}.keybtc@gmail_com

NOTES:

It encrypts files from drives B:\ to Z:\.

It renames the following files as follows:

• %Application Data%\gnupg %Application Data%\gnupg_backup{random number}
• %User Temp%\null.btc to %User Temp%\ taskmgr.exe – gpg application used to encrypt files
• %User Temp%\day.btc to %User Temp%\iconv.dll - required file to run gpg
• Combined binaries of %User Temp%\collapse.btc and %User Temp%\tobi.btc to %User Temp%\ttl.exe - Browser password dumper
• %User Temp%\lsass.btc to %User Temp%\lsass.exe - Email extractor
• %User Temp%\coherence.btc to %User Temp%\coherence.exe - getmail application
• %User Temp%\spoolsv.btc to %User Temp%\spoolsv.exe -Blat commandline program
• %User Temp%\spool.btc to %User Temp%\blat.lib - Blat library
• %User Temp%\sv.btc to %User Temp%\blat.dll - required file for Blat
• %User Temp%\sad.btc to %User Temp%\ sdelete.exe - sdelete used to delete secring.gpg and pubring.gpg
• %User Temp%\secring.gpg.gpg to %User Temp%\ KEY.PRIVATE – copy of secring.gpg encrypted

It deletes the following folder:

• %Application Data%\gnupg

This Trojan opens the user's default browser and accesses the following sites to display the ransom note:

• http://bit.ly/{BLOCKED}ngi
• http://apps.{BLOCKED}shev.com/2014/08/14/2829

It displays the following ransom note in the opened browser:

It will email {BLOCKED}btc.receiver@yandex.com the dumped browser passwords using the component spoolsv.exe (Blat) with the following information:

• Subject: New Log {random}
• Body: username- computername
• Attachment: ttl.pwd
• Server: lima.rivalserver.com:26

It may propagate by sending emails to the user's contacts.

The email template contains a link where the downloader of BAT_CRYPTOR.B is hosted.

It may use any of the following email templates: