TROJ_RANSOM.CQIO

 Modified by: Sabrina Lei Sioting

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It disables Task Manager, Registry Editor, and Folder Options.

  TECHNICAL DETAILS

File Size:

67,072 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

08 Jun 2012

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Application Data%\Realtec\Realtecdriver.exe
  • %Application Data%\{random}\{random}.exe
  • %System%\{random}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %System% is the Windows system folder, which is usually C:\Windows\System32.)

It creates the following folders:

  • %Application Data%\Realtec
  • %Application Data%\{random}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Realtecdriver = "%Application Data%\Realtec\Realtecdriver.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
B0B2D6E3 = "%Application Data%\{random}\{random}.exe"

It modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%System%\{random}.exe,"

(Note: The default value data of the said registry entry is %System%\userinit.exe,.)

It adds the following Image File Execution Options registry entries to automatically execute itself whenever certain applications are run:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{application name}
Debugger = "P9KDMF.EXE"

Other System Modifications

This Trojan adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{application name}

It creates the following registry entry(ies) to disable Task Manager, Registry Tools and Folder Options:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegedit = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
DisableRegedit = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
DisableTaskMgr = "1"

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network

Where {application name} may be any of the following:

  • msconfig.exe
  • regedit.exe
  • taskmgr.exe

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}om/a.php?id={random}&cmd=img
  • http://{BLOCKED}fo.com/a.php?id={random}&cmd=img

  SOLUTION

Minimum Scan Engine:

9.300

FIRST VSAPI PATTERN FILE:

9.178.02

FIRST VSAPI PATTERN DATE:

08 Jun 2012

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Identify and delete files detected as TROJ_RANSOM.CQIO using either the Startup Disk or Recovery Console

[ Learn More ]

Step 3

To enable Registry Editor, Task Manager, and Folder options:

  1. Open Notepad. To do this:
    • For Windows 2000, XP, and Server 2003 users:
      Click Start > Run, type Notepad in the text box provided, then press Enter.
    • For Windows Vista and 7 users:
      Click Start > type NotepadOn Error Resume Next Set shl = WScript.CreateObject("WScript.Shell") shl.RegWrite "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "0", "REG_DWORD" shl.RegWrite "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr", "0", "REG_DWORD" shl.RegWrite "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "0", "REG_DWORD" shl.RegWrite "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr", "0", "REG_DWORD" , then press Enter.
  2. Copy and paste the following script:
  3. Save this file asOn Error Resume Next Set shl = WScript.CreateObject("WScript.Shell") shl.RegWrite "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "0", "REG_DWORD" shl.RegWrite "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr", "0", "REG_DWORD" shl.RegWrite "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "0", "REG_DWORD" shl.RegWrite "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr", "0", "REG_DWORD" On Error Resume Next Set shl = WScript.CreateObject("WScript.Shell") shl.RegWrite "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "0", "REG_DWORD" shl.RegWrite "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr", "0", "REG_DWORD" shl.RegWrite "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "0", "REG_DWORD" shl.RegWrite "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr", "0", "REG_DWORD" C:RESTORE.VBS.
  4. Click Start>Run again, type C:RESTORE.VBS in the text box provided, then press Enter.
  5. Click Yes at theOn Error Resume Next Set shl = WScript.CreateObject("WScript.Shell") shl.RegWrite "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "0", "REG_DWORD" shl.RegWrite "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr", "0", "REG_DWORD" shl.RegWrite "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "0", "REG_DWORD" shl.RegWrite "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr", "0", "REG_DWORD" On Error Resume Next Set shl = WScript.CreateObject("WScript.Shell") shl.RegWrite "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "0", "REG_DWORD" shl.RegWrite "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr", "0", "REG_DWORD" shl.RegWrite "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "0", "REG_DWORD" shl.RegWrite "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr", "0", "REG_DWORD" prompt of the message box to execute the .VBS file.

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. Before you could do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page If the preceding step requires you to restart in safe mode, you may proceed to edit the system registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • {application name}

Step 5

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Realtecdriver = "%Application Data%\Realtec\Realtecdriver.exe"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • B0B2D6E3 = "%Application Data%\{random}\{random}.exe"

Step 6

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • From: Userinit = "%System%\userinit.exe,%System%\{random}.exe,"
      To: Userinit = %System%\userinit.exe,

Step 7

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %Application Data%\Realtec
  • %Application Data%\{random}

Step 8

Scan your computer with your Trend Micro product to delete files detected as TROJ_RANSOM.CQIO. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Restore Safe Boot Registry Settings

To restore safe boot registry settings:

  1. Open a text editor like Notepad.
  2. Copy and paste the following script:
    • On Windows 2000:
    • On Windows Server 2003:
    • On Windows XP:
    • On Windows Vista:
    • On Windows 7:
  3. Save this file as RESTORE.REG.
  4. Execute the file RESTORE.REG.


Did this description help? Tell us how we did.