RANSOM_VINDOWS.A
Trojan-Ransom.Win32.Crypmodadv.xdi (Kaspersky), Trojan:Win32/Dynamer!ac (Microsoft)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
864,768 bytes
EXE
No
19 Nov 2016
Displays graphics/image, Encrypts files
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other Details
This Trojan displays the following images:
It encrypts files with the following extensions:
- .txt
- .doc
- .docx
- .xls
- .xlsx
- .ppt
- .pptx
- .odt
- .jpg
- .png
- .csv
- .sql
- .mdb
- .sln
- .php
- .asp
- .aspx
- .html
- .xml
- .psd
NOTES:
Instead of using a server, this ransomware is capable of using a Pastebin feature to store the acquired GUID of the infected computer.
In this feature, it uses the following URL:
- http://{BLOCKED}in.com/api/api_post.php
It also uses the following API keys to send data:
- api_dev_key
- api_option
- api_paste_code
- api_paste_private
- api_paste_name
- api_paste_expire_date
- api_paste_format
- api_user_key
SOLUTION
9.800
12.918.04
19 Nov 2016
12.919.00
20 Nov 2016
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product to delete files detected as RANSOM_VINDOWS.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 3
Restore encrypted files from backup.
Did this description help? Tell us how we did.