BAT_CRYPTOR.C

This Trojan may be downloaded by other malware/grayware from remote sites.

It deletes itself after execution.

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

• JS_DOWNCRYPT.B

It may be downloaded from the following remote sites:

• http://www.{BLOCKED}blog.net/photo/blck.keybtc

Installation

This Trojan drops the following component file(s):

• %User Temp%\UNCRYPT.txt
• %Application Data%\Desktop\UNCRYPT.txt
• %User Profile%\Desktop\UNCRYPT.txt
• %System Root%\UNCRYPT.txt
• %User Temp%\client.keybtc
• %User Temp%\genpair.keybtc
• %User Temp%\impubkey.keybtc
• %User Temp%\{random}.cmd - used to delete dropped components

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Profile% is a user's profile folder, where it usually is C:\Documents and Settings\{user name} on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name} on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Other System Modifications

This Trojan deletes the following files:

• %User Temp%\*.gpg
• %User Temp%\*.lock
• %User Temp%\*.keybtc
• %Application Data%\gnupg\*.*
• %User Temp%\random_seed
• %User Temp%\*.html
• %User Temp%\*.bak
• %User Temp%\svchost.exe
• %User Temp%\*.dll
• %User Temp%\genpair.keybtc
• %User Temp%\impubkey.keybtc
• %User Temp%\secring.gpg
• %User Temp%\secring.gpg.gpg
• %User Temp%\databin.1st
• %User Temp%\bindata.cmd
• %User Temp%\UNIQUE1.BASE

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
WinHelp = "%User Temp%\UNCRYPT.txt"

Other Details

This Trojan encrypts files with the following extensions:

• .mdb
• .pdf
• .rtf
• .accdb
• .slddrw
• .zip
• .rar
• .max
• .jpg
• .xls
• .xlsx
• .doc
• .docx
• .cdr
• .dwg
• .1cd
• .cd

It requires the following additional components to properly run:

• %User Temp%\query.kbtc
• %User Temp%\trsh.kbtc

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It renames encrypted files using the following names:

• {file name and extension}.keybtc@gmail_com

It deletes itself after execution.

NOTES:

This malware renames the following files as follows:

• %User Temp%\query.kbtc to %User Temp%\svchost.exe - gpg application (non-malicious)
• %User Temp%\trsh.kbtc to %User Temp%\sdelete.exe - sysinternals sdelete (non-malicious)
• %User Temp%\UNIQUE1.BASE.gpg to %User Temp%\UNIQUE.PRIVATE
• %User Temp%\bitdatal.bin to %User Temp%\bindata.cmd

This Trojan opens the user's default browser and displays the following site:

• http://j.{BLOCKED}p/{BLOCKED}ybtc

However, the site is no longer available.

It opens the file UNCRYPT.txt which contains the ransom note :