TROJ_CRYPCTB.YVN
Ransom-CTB!54DD864620D6 (McAfee); Ransom:Win32/Critroni.B (Microsoft); TR/Crypt.ZPACK.128907 (Avira)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
1,261,568 bytes
EXE
Yes
16 Mar 2015
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system and executes them:
- %User Temp%\{random characters 1}.exe
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It drops the following files:
- %ProgramData%\{random characters 2}.html (contains ransom note and list of all encrypted files)
- %User Profile%\My Documents\!Decrypt-All-Files-{random characters 3}.txt (ransom note in text file)
- %User Profile%\My Documents\!Decrypt-All-Files-{random characters 3}.bmp (image used as wallpaper)
- {randomly selected path}\!Decrypt-All-Files-{random characters 3}.txt
- {randomly selected path}\!Decrypt-All-Files-{random characters 3}.bmp
(Note: %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Autostart Technique
This Trojan drops the following files:
- %System%\Tasks\{random characters 4}.job
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
Other System Modifications
This Trojan modifies the following registry entries:
HKEY_CURRENT_USER\Control Panel\Desktop
TileWallpaper = "0"
(Note: The default value data of the said registry entry is "User Preferences".)
HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = "%User Profile%\My Documents\!Decrypt-All-Files-{random characters 3}.bmp"
(Note: The default value data of the said registry entry is "{User Preferences}".)
NOTES:
This Trojan encrypts files with the following extensions:
- 3fr
- 7z
- abu
- accdb
- ai
- arp
- arw
- bas
- bay
- bdcr
- bdcu
- bdd
- bdp
- bds
- blend
- bpdr
- bpdu
- bsdr
- bsdu
- c
- cdr
- cer
- config
- cpp
- cr2
- crt
- crw
- cs
- dbf
- dbx
- dcr
- dd
- dds
- der
- dng
- doc
- docm
- docx
- dwg
- dxf
- dxg
- eps
- erf
- fdb
- gdb
- groups
- gsd
- gsf
- ims
- indd
- iss
- jpe
- jpeg
- jpg
- js
- kdc
- kwm
- md
- mdb
- mdf
- mef
- mrw
- nef
- nrw
- odb
- odm
- odp
- ods
- odt
- orf
- p12
- p7b
- p7c
- pas
- pdd
- pef
- pem
- pfx
- php
- pl
- ppt
- pptm
- pptx
- pst
- ptx
- pwm
- py
- r3d
- raf
- rar
- raw
- rgx
- rik
- rtf
- rw2
- rwl
- safe
- sql
- srf
- srw
- txt
- vsd
- wb2
- wpd
- wps
- xlk
- xls
- xlsb
- xlsm
- xlsx
- zip