RANSOM_WALTRIX.I

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information. It terminates itself if it detects it is being run in a virtual environment.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following file(s)/component(s):

• %All Users Profiles%\{unique ID}.key
• %All Users Profiles%\Z - deleted afterwards. contains installation date of this malware
• %User Startup%\{unique ID}.lnk - LNK_WALTRIX.I
• {random}\!Recovery_{unique ID}.bmp - TROJ_WALTRIX.I
• {folders containing encrypted files}\!Recovery_{unique ID}.html -HTML_RANSOMNOTE.IA
• {folders containing encrypted files}\{unique ID}.html - HTML_RANSOMNOTE.IA
• {folders containing encrypted files}\!Recovery_{unique ID}.txt - ransom note
  
     where {unique ID} contains 12 hexadecimal characters

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

It adds the following processes:

• copy of the legitimate rundll32.exe named as:
  • %User Temp%\svchost.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This Trojan modifies the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = "{random}\{unique ID}.bmp"

Information Theft

This Trojan gathers the following data:

• FTP Applications:
  
  • FlashFXP 3
  • FlashFXP 4
  • FileZilla
  • FTPRush
  • VanDyke
  • FTP Explorer
  • SmartFTP
  • TurboFTP
  • FTPRush
  • Ipswitch WS_FTP
  • Far FTP
  • Far2 FTP
  • CuteFTP 7 Professional
  • CuteFTP 8 Professional
  • CuteFTP 8 Home
  • CuteFTP 6 Professional
  • CuteFTP 6 Home
  • CuteFTP 7 Home
  • Windows Commander
  • Total Commander
  • Bullet Proof FTP
  • Bullet Proof FTP
  • Sota FFFTP
  • FTPWare COREFTP
  • FTPClient
  • SoftX.org FTPClient
• Instant Messenger Applications:
  
  • Digsby
  • MySpace
  • Pidgin
  • Trillian
  • Google Talk
  • Paltalk
• Mail Applications:
  
  • Windows Live Mail
  • Scribe
  • Outlook
  • Outlook Express
  • Internet Account Manager
• Cookies:
  
  • Chrome User Data
• Bitcoin wallet files containing the following in their file name:
  
  • WALLET
  • _WALLET
  • .WALLET

Other Details

This Trojan connects to the following website to send and receive information:

• {BLOCKED}.{BLOCKED}.83.197

It encrypts files with the following extensions:

• .XLSX
• .IDRC
• .DTS
• .COM
• .ODEX
• .GSC
• .SINF
• .EPS
• .VVV
• .INF
• .COM
• .WMV
• .PHP
• .AVF
• .SOB
• .SANIM
• .CCX
• .CCC
• .RESOURCES
• .RESX
• .VB
• .XXX
• .ECC
• .RAW
• .TIF
• .PDB
• .RSP
• .DPR
• .PY
• .H
• .JAVA
• .CPP
• .WPG
• .MDI
• .CREATIVETEMPL
• .IPA
• .LNK
• .CCZ
• .CNR
• .CLASS
• .SYM
• .MHT
• .CDR
• .CRYPT
• .AAA
• .AS2
• .EMF
• .DOCX
• .MD5
• .MP4
• .BPL
• .TEMPLATE
• .PDF
• .DOC
• .XLS
• .DIALOG
• .BNK
• .BMP
• .MSG
• .PPT
• .SWL
• .ILP
• .WDSEML
• .PPTX
• .CSS
• .PSD
• .AI
• .APK
• .AIF
• .REG
• .XPNG
• .GFX
• .HTML
• .PNG
• .SOL
• .VMT
• .VTF
• .VTX
• .JPG
• .MDL
• .VVD
• .PHY
• .VVD
• .SVG
• .SO
• .XPT
• .PYC
• .MICRO
• .XML
• .RUL
• .GZ
• .LOG
• .MANIFEST
• .DLL
• .ICO
• .HTM
• .LOCALSTORAGE
• .LOCALSTORAGE-JOURNAL
• .TGA
• .XNB
• .GIF
• .SWA
• .PM
• .INI
• .TXT
• .JS
• .SWF
• .WMF
• .MP3
• .PACKAGE
• .PMT
• .PTE
• .PME
• .WAV
• .DDS
• .OGG
• .SCF
• .LUA
• .IMG
• .PSPSCRIPT
• .EXE
• .URL
• .OBJ
• .MESH
• .PHYS
• .MTRL
• .OCX
• .CAB
• .SSO
• .P12
• .JSP
• .JSPX
• .TXT
• .VVV
• .JSON
• .SQF
• .PRO
• .SMO
• .TXT
• .CCC
• .SKP
• .DWG
• .DAV
• .ICO
• .DAT
• .CER
• .PVK
• .IMTL
• .TMB
• .META
• .SMALI
• .JPEG
• .CC
• .JD
• .PROPERTIES
• .FRM
• .PYD
• .CZS
• .JAR
• .CHK
• .ENCRYPTED
• .TOC
• .PNG
• .1999
• .AUTOEXEC
• .BATTHUMBS
• .DB
• .3DM
• .3DS
• .7Z
• .ACCDB
• .AES
• .AI
• .APK
• .APP
• .ARC
• .ASC
• .ASM
• .ASP
• .ASPX
• .BRD
• .BZ2
• .C
• .CER
• .CFG
• .CFM
• .CGI
• .CGM
• .CLASS
• .CMD
• .CPP
• .CRT
• .CS
• .CSR
• .CSS
• .CSV
• .CUE
• .DB
• .DBF
• .DCH
• .DCU
• .DIF
• .DIP
• .DJV
• .DJVU
• .DOC
• .DOCB
• .DOCM
• .DOCX
• .DOT
• .DOTM
• .DOTX
• .DTD
• .DWG
• .DXF
• .EML
• .EPS
• .FDB
• .FLA
• .FRM
• .GADGET
• .GBK
• .GBR
• .GED
• .GPG
• .GPX
• .GZ
• .H
• .HTM
• .HTML
• .HWP
• .IBD
• .IBOOKS
• .INDD
• .JAR
• .JAVA
• .JKS
• .JS
• .JSP
• .KEY
• .KML
• .KMZ
• .LAY
• .LAY6
• .LDF
• .LUA
• .M
• .MAX
• .MDB
• .MDF
• .MFD
• .MML
• .H
• .MS11
• .MSI
• .MYD
• .MYI
• .NEF
• .NOTE
• .OBJ
• .ODB
• .ODG
• .ODP
• .ODS
• .ODT
• .OTG
• .OTP
• .OTS
• .OTT
• .P12
• .PAGES
• .PAQ
• .PAS
• .PCT
• .PDB
• .PDF
• .PEM
• .PHP
• .PIF
• .PL
• .PLUGIN
• .POT
• .POTM
• .POTX
• .PPAM
• .PPS
• .PPSM
• .PPSX
• .PPT
• .PPTM
• .PPTX
• .PRF
• .PRIV
• .PRIVATE
• .PS
• .PSD
• .PY
• .QCOW2
• .RAR
• .RAW
• .RSS
• .RTF
• .SCH
• .SDF
• .SH
• .SITX
• .SLDX
• .SLK
• .SLN
• .SQL
• .SQLITE3
• .SQLITEDB
• .STC
• .STD
• .STI
• .STW
• .SVG
• .SWF
• .SXC
• .SXD
• .SXI
• .SXM
• .SXW
• .TAR
• .TBK
• .TEX
• .TGZ
• .TLB
• .TXT
• .UOP
• .UOT
• .VB
• .VBS
• .VCF
• .VCXPROJ
• .VDI
• .VMDK
• .VMX
• .WKS
• .WPD
• .WPS
• .WSF
• .XCODEPROJ
• .XHTML
• .XLC
• .XLM
• .XLR
• .XLS
• .XLSB
• .XLSM
• .XLSX
• .XLT
• .XLTM
• .XLTX
• .XLW
• .XML
• .ZIP
• .ZIPX
• .3G2
• .3GP
• .AIF
• .ASF
• .ASX
• .AVI
• .BMP
• .DDS
• .FLV
• .GIF
• .IFF
• .JPG
• .M3U
• .M4A
• .M4V
• .MID
• .MKV
• .MOV
• .MP3
• .MP4
• .MPA
• .MPG
• .PNG
• .PSPIMAGE
• .RA
• .RM
• .SRT
• .TGA
• .THM
• .TIF
• .TIFF
• .TMP
• .VOB
• .WAV
• .WMA
• .WMV
• .YUV

It renames encrypted files using the following names:

• {original file name}.crypt

It terminates itself if it detects it is being run in a virtual environment.

NOTES:

This malware prevents to encrypt files containing any of the strings in its full path name:

• \WINDOWS\
• \WINNT
• \RECYCLER\
• \SYSTEM^1\
• \BOOT\
• \RECOVERY\
• \$RECYCLE.BIN\
• \PERFLOGS\
• \EFI\Me
• \CONFIG.MSI\
• \PROGRA^1\
• \PROGRA^2\
• \GOOGLE\
• \TEMP\
• \CANON\
• ROAMING\APPLE
• ANTIVIRUS\
• PLUGSCAN2\
• MICROSOFT
• WINDOWS
• GOOGLE\CHROME
• PLUGINS
• \PROGRA~1\
• \PROGRA~2\
• \ALLUSE~1\
• \PROGRA~1\
• \PROGRA~2\
• \APPDATA\
• \PROGRA~3\
• \PUBLIC\
• \F4BC~1\
• \APPLIC~1\\COOKIES\
• \LOCALS~1\
• \TEMPLA~1\

It checks if it is being run in a virtual environment by checking mouse activity and querying the registry entry:

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString