RANSOM_GULCRYPT.A

This Trojan may be downloaded by other malware/grayware from remote sites.

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

• TROJ_CRYPTOP.KLS

It may be downloaded from the following remote sites:

• http://{BLOCKED}ail.com/base.rar

Installation

This Trojan then creates the following non-malicious file(s):

• C:\tempfile\number.win --> this file contains the password used to archive files, this file is deleted immediately after encryption

It leaves the following text files:

• {Logical Drive}:\+{user name}_files
• C:\tempfile\number.asc --> this file is the PGP encrypted version of C:\tempfile\number.win

It leaves text files that serve as ransom notes containing the following:

• -----BEGIN PGP MESSAGE-----
  Version: 2.6.3i
  {encrypted data from C:\tempfile\number.win using PGP}
  -----END PGP MESSAGE-----
  The files are packed in archives with a password.
  Unpacked - 300 eur
  To unpack the files send two files to email: {BLOCKED}aero@gmail.com
  1) file you are reading now
  2) one packed file (no more than 1 megabyte)
  In response comes the original file and the instruction for money transfer
  (The original file is proof that it is possible to return all files to their original)
  After the transfer bitcoin, you will receive your password to archives.
  Also coming program to automatically unpack files
  Reply to your letter will come within 24 hours.
  If no response comes for more than 24 hours write to reserved e-mail: {BLOCKED}aero@mail2tor.com

NOTES:

This malware scans logical drives of the system and archives files with the following extensions:

• .cdr
• .dbf
• .doc
• .eps
• .jpg
• .pdf
• .pek
• .psd
• .tif
• .txt
• jpeg

The files are archived using the following command:

rar a -p{data from C:\tempfile\number.win} "{original file name}.rar" "{original file name}.extension"