RANSOM_CRYPWALL.YUYAHM

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to a website to send and receive information.

It modifies the Internet Explorer Zone Settings.

It deletes the initially executed copy of itself.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %Application Data%\{random characters}\{random characters}.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

• %User Startup%\INSTRUCTIONS_{RANDOM HEX}.html
• %User Startup%\INSTRUCTIONS_{RANDOM HEX}.png
• %User Startup%\INSTRUCTIONS_{RANDOM HEX}.txt
• {Drive Letter}:\INSTRUCTIONS_{RANDOM HEX}.png

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

It drops and executes the following files:

• %Desktop%\INSTRUCTIONS_{RANDOM HEX}.html
• %Desktop%\INSTRUCTIONS_{RANDOM HEX}.png
• %Desktop%\INSTRUCTIONS_{RANDOM HEX}.txt

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following processes:

• svchost.exe

It is injected into the following processes running in memory:

• created svchost.exe

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%Application Data%\{random characters}\{random characters}.exe"

Backdoor Routine

This Trojan connects to the following websites to send and receive information:

• {BLOCKED}relampago.com.br/4jiPBG.php
• {BLOCKED}ekinci.biz/Hg3V8b.php
• {BLOCKED}gou.com/Pfy2Qs.php
• {BLOCKED}info/zYNKoq.php
• {BLOCKED}.sk/g3lfoj.php
• {BLOCKED}.com.br/SGJ_Fr.php
• {BLOCKED}ka.com.ua/tjhW2B.php
• {BLOCKED}p.pl/Si0cCJ.php
• {BLOCKED}ness.be/fYvA5U.php
• {BLOCKED}trade.tk/12fDze.php
• {BLOCKED}bear.net/MRGKAC.php
• {BLOCKED}rtners.it/Dd6VPR.php
• {BLOCKED}kz/yMZFGp.php
• {BLOCKED}o.kz/LUoMqa.php
• {BLOCKED}ness.be/isB2Ac.php
• {BLOCKED}ster.kz/vUn1wz.php
• {BLOCKED}-anything.tk/PsdO76.php
• {BLOCKED}ka.com.ua/MVc9hg.php
• {BLOCKED}ightcr.com/tHja9Z.php
• {BLOCKED}y.kz/7_9SR6.php
• {BLOCKED}rticle.com/fZ1Y8M.php
• {BLOCKED}nat.ro/ZeNpML.php
• {BLOCKED}ldirim.net/zn9mur.php
• {BLOCKED}le.com.br/XAT7zH.php
• {BLOCKED}experto.pe/zOesbw.php
• {BLOCKED}orts4u.com/dfgOwA.php
• {BLOCKED}.pl/fFe_xr.php
• {BLOCKED}assescorts4u.com/Snuxg7.php
• {BLOCKED}entod.ua/I35pl6.php
• {BLOCKED}.kz/TSOXQL.php
• {BLOCKED}o.com.br/4A0Hw5.php
• {BLOCKED}dedon.com/CBRrYv.php
• {BLOCKED}gp.ir/U_ABoi.php
• {BLOCKED}obirlik.com/UxAK5e.php
• {BLOCKED}fishing.com/CXjq48.php
• {BLOCKED}music.nl/yBDEMc.php
• {BLOCKED}osautomotivos.com.br/KMYz1s.php
• {BLOCKED}ucatangob.mx/UIagAy.php
• {BLOCKED}sa.com/Zoe2aN.php
• {BLOCKED}rehberi.com/6JQEva.php
• {BLOCKED}hina.com/NSrcQE.php
• {BLOCKED}ouse.nl/iMVfC4.php
• {BLOCKED}radydrewniane.pl/Fcb7VZ.php
• {BLOCKED}anch.us/PtAg1I.php
• {BLOCKED}gloan.com/1vR9hu.php
• {BLOCKED}e-veza.sk/Owm50c.php
• {BLOCKED}om.tr/prkdzF.php
• {BLOCKED}rga.co/L8HU29.php
• {BLOCKED}lescorts4u.com/XqVFBm.php
• {BLOCKED}odalari.net/GnOLXh.php
• {BLOCKED}everka.sk/6RGZgC.php
• {BLOCKED}ociort.ro/6sZTLc.php

Web Browser Home Page and Search Page Modification

This Trojan modifies the Internet Explorer Zone Settings.

Other Details

This Trojan encrypts files with the following extensions:

• pdf
• pot
• xlt
• pps
• xlw
• dot
• rtf
• ppt
• xls
• doc
• xml
• htm
• html
• hta
• zip
• dvr-ms
• wvx
• wmx
• wmv
• wm
• mpv2
• mpg
• mpeg
• mpe
• mpa
• mp2v
• mp2
• m1v
• IVF
• asx
• asf
• wax
• snd
• rmi
• m3u
• au
• aiff
• aifc
• aif
• midi
• mid
• wma
• wav
• m p3
• wmf
• tiff
• tif
• rle
• png
• jpeg
• jpe
• jpg
• jfif
• ico
• gif
• emf
• dib
• bmp

It deletes the initially executed copy of itself

NOTES:

It searches all drives for files to encrypt except CD_ROM drive.

It avoids encrypting files with the following extensions:

• vb
• scr
• reg
• pif
• msi 
• exe
• com
• cmd
• bat 
• bas 

It renames encrypted files using the following names:

• {5 to 10 alphanumeric characters}.{2 to 5 alphanumeric characters}

It displays the following ransom notes:

http://documents.trendmicro.com/images/TE/inst_html_1.jpg>