TROJ_CRIBIT.H
Mal/Ransom-CE (Sophos) ,Trojan horse SHeur4.BTUZ (AVG) ,W32/Inject.MJPQ!tr (Fortinet) ,Virus.Win32.CeeInject (Ikarus) ,Trojan.Win32.Inject.mjpq (Kaspersky) ,VirTool:Win32/CeeInject.gen!KK (Microsoft) ,a variant of Win32/Injector.BCDM trojan (Eset) ,Trojan.Win32.Generic!BT (Sunbelt)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
293,224 bytes
EXE
21 Apr 2014
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
- %Application Data%\OneClickRemSoftware\BitCrypt.bmp
- %Application Data%\OneClickRemSoftware\del.bat
- %Application Data%\OneClickRemSoftware\passworddata.ddb
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It drops the following copies of itself into the affected system:
- %Application Data%\OneClickRemSoftware\{random}.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It creates the following folders:
- %Application Data%\OneClickRemSoftware
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It leaves the following text files:
- %Application Data%\OneClickRemSoftware\What_happened_with_your_files.txt
- {Drive Letter}:\{folder path}\What_happened_with_your_files.txt
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Bitcomint = "%ApplicationData%\OneClickSoftware\{random}.exe"
Other Details
This Trojan encrypts files with the following extensions:
- *.abw
- *.arj
- *.asm
- *.bpg
- *.cdr
- *.cdt
- *.cdx
- *.cer
- *.css
- *.dbf
- *.dbt
- *.dbx
- *.dfm
- *.djv
- *.djvu
- *.doc
- *.docm
- *.docx
- *.dpk
- *.dpr
- *.frm
- *.jpeg
- *.jpg
- *.key
- *.lzh
- *.lzo
- *.mdb
- *.mde
- *.odc
- *.pab
- *.pas
- *.pgp
- *.php
- *.pps
- *.ppt
- *.pst
- *.rtf
- *.sql
- *.text
- *.txt
- *.vbp
- *.vsd
- *.wri
- *.xfm
- *.xlc
- *.xlk
- *.xls
- *.xlsm
- *.xlsx
- *.xlw
- *.xsf
- *.xsn
It renames encrypted files using the following names:
- {filename}.bitcrypt2