RANSOM_CRYPREN.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %User Profile%\5.png
• %User Profile%\gfggg.lnk (points to 5.png)
• {malware path}\help-decrypt-file.enc

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops and executes the following files:

• %User Profile%\42.exe (detected as RANSOM_CRYPREN.A)

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• My_Program_Already_Present

NOTES:

This Trojan finds files to encrypt in the following drives:

• C:\
• D:\
• E:\
• F:\
• G:\
• H:\
• T:\

The files it encrypts have their file names appended with .decoder@india.com. It drops the file \help-decrypt-file.enc whenever it finds files to encrypt.

This Trojan encrypts files using the following extensions:

• .3ds
• .3fr
• .3pr
• .ab4
• .ac2
• .accdb
• .accde
• .accdr
• .accdt
• .adb
• .ait
• .apj
• .arw
• .asp
• .awg
• .backup
• .backupdb
• .bak
• .bdb
• .bgt
• .bik
• .bkp
• .blend
• .bpw
• .cdf
• .cdr
• .cdr3
• .cdr4
• .cdr5
• .cdr6
• .cdrw
• .cdx
• .ce1
• .ce2
• .cer
• .cfp
• .cgm
• .cib
• .cls
• .cmt
• .cpi
• .crt
• .csh
• .css
• .csv
• .dac
• .db-journal
• .db3
• .dbf
• .dc2
• .dcr
• .dcs
• .ddd
• .ddoc
• .ddrw
• .der
• .design
• .dgc
• .djvu
• .dng
• .doc
• .docm
• .docx
• .dot
• .dotm
• .dotx
• .drf
• .drw
• .dwg
• .dxb
• .erbsql
• .erf
• .exf
• .fdb
• .ffd
• .fff
• .fhd
• .fpx
• .fxg
• .gray
• .grey
• .gry
• .hbk
• .hpp
• .ibank
• .ibz
• .idb
• .idx
• .iiq
• .incpas
• .JPEG
• .JPG
• .kc2
• .kdbx
• .kdc
• .kpdx
• .lua
• .mdb
• .mdc
• .mef
• .mfw
• .mmw
• .moneywell
• .mos
• .mp3
• .mpg
• .mrw
• .myd
• .ndd
• .nef
• .nop
• .nrw
• .ns2
• .ns3
• .ns4
• .nsd
• .nsf
• .nsg
• .nsh
• .nx1
• .nx2
• .nyf
• .odb
• .odf
• .odg
• .odm
• .odp
• .ods
• .odt
• .orf
• .otg
• .oth
• .otp
• .ots
• .ott
• .p12
• .p7b
• .p7c
• .pat
• .pcd
• .pdf
• .pef
• .pem
• .pfx
• .php
• .pot
• .potm
• .potx
• .ppam
• .pps
• .ppsm
• .ppsx
• .ppt
• .pptm
• .pptx
• .psafe3
• .psd
• .ptx
• .ra2
• .raf
• .rar
• .raw
• .rdb
• .rtf
• .rw2
• .rwl
• .rwz
• .s3db
• .sas7bdat
• .sav
• .sda
• .sdf
• .sdo
• .sldm
• .sldx
• .sqlite
• .sqlite3
• .sqlitedb
• .sr2
• .srf
• .srw
• .st4
• .st5
• .st6
• .st7
• .st8
• .stc
• .std
• .sti
• .stw
• .stx
• .sxc
• .sxd
• .sxg
• .sxi
• .sxm
• .sxw
• .txt
• .wb2
• .x3f
• .xla
• .xlam
• .xll
• .xlm
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xlt
• .xltm
• .xltx
• .xlw
• .xml
• .ycbcra
• .zip