TROJ_CRYPTCTB.NZH

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %Windows%\Tasks\{random filename2}.job
• %System Root%\{randomly selected path}!Decrypt-All-Files-{random 7 letters}.txt
• %System Root%\{randomly selected path}!Decrypt-All-Files-{random 7 letters}.bmp
• %All Users Profile%\Application Data\{randomly selected path}\{random filename3} - for Windows XP and below.
• %AppDataLocal%\{randomly selected path}\{random filename3} - for Windows 7 and above.

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

• %User Temp%\{random filename1}.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other Details

This Trojan connects to the following URL(s) to get the affected system's IP address:

• ip.telize.com

It connects to the following possibly malicious URL:

• {BLOCKED}bmvfnw4wp4.{BLOCKED}on.cab
• {BLOCKED}bmvfnw4wp4.tor2web.{BLOCKED}gie.de
• {BLOCKED}bmvfnw4wp4.tor2web.fi
• {BLOCKED}bmvfnw4wp4.tor2web.org

It encrypts files with the following extensions:

• 3fr
• 7z
• abu
• accdb
• ai
• arp
• arw
• bas
• bay
• bdcr
• bdcu
• bdd
• bdp
• bds
• blend
• bpdr
• bpdu
• bsdr
• bsdu
• c
• cdr
• cer
• config
• cpp
• cr2
• crt
• crw
• cs
• dbf
• dbx
• dcr
• dd
• dds
• der
• dng
• doc
• docm
• docx
• dwg
• dxf
• dxg
• eps
• erf
• fdb
• gdb
• groups
• gsd
• gsf
• ims
• indd
• iss
• jpe
• jpeg
• jpg
• js
• kdc
• kwm
• md
• mdb
• mdf
• mef
• mrw
• nef
• nrw
• odb
• odm
• odp
• ods
• odt
• orf
• p12
• p7b
• p7c
• pas
• pdd
• pdf
• pef
• pem
• pfx
• php
• pl
• ppt
• pptm
• pptx
• pst
• ptx
• pwm
• py
• r3d
• raf
• rar
• raw
• rgx
• rik
• rtf
• rw2
• rwl
• safe
• sql
• srf
• srw
• txt
• vsd
• wb2
• wpd
• wps
• xlk
• xls
• xlsb
• xlsm
• xlsx
• zip