RANSOM_ELFACRYPT.A
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Spammed via email, Downloaded from the Internet, Dropped by other malware
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It adds certain registry entries to disable the Task Manager. This action prevents users from terminating the malware process, which can usually be done via the Task Manager.
It deletes itself after execution.
TECHNICAL DETAILS
72,201 bytes
Yes
Drops files, Encrypts files
Arrival Details
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
- {folders containing encrypted files}\Read Me (How Decrypt) !!!!.txt
It drops the following copies of itself into the affected system:
- %Application Data%\Windows\svchost.exe
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It leaves text files that serve as ransom notes containing the following:
- Greetings, We'd like to apologize for the inconveniences, however, your computer has been locked. In order to unlock it, you have to complete the following steps: 1. Buy iTunes Gift Cards for a total amount of $400.00 2. Send the gift codes to the indicated e-mail address 3. Receive a code and a file that will unlock your computer. Please note:, - The nominal amount of the particular gift card doesn't matter, yet the total amount have to be as listed above. - You can buy the iTunes Gift Cards online or in any shop. The codes must be correct, otherwise, you won't receive anything. - After receiving the code and the security file, your computer will be unlocked and will never be locked again. Sorry for the inconveniences caused.
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft = %Application Data%\Windows\svchost.exe
Other System Modifications
This Trojan adds the following registry entries to disable the Task Manager:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "1"
Other Details
This Trojan encrypts files with the following extensions:
- .3ds
- .3fr
- .3pr
- .ab4
- .ac2
- .accdb
- .accde
- .accdr
- .accdt
- .acr
- .adb
- .agd1
- .ai
- .ait
- .al
- .apj
- .arw
- .asm
- .asp
- .aspx
- .awg
- .backup
- .backupdb
- .bak
- .bat
- .bdb
- .bgt
- .bik
- .bkp
- .blend
- .bmp
- .bpw
- .c
- .c
- .cdf
- .cdr
- .cdr3
- .cdr4
- .cdr5
- .cdr6
- .cdrw
- .cdx
- .ce1
- .ce2
- .cer
- .cfp
- .cgm
- .cib
- .class
- .cls
- .cmd
- .cmt
- .cpi
- .cpp
- .cr2
- .craw
- .crt
- .crw
- .cs
- .csh
- .csl
- .css
- .csv
- .dac
- .db
- .db3
- .dbf
- .db-journal
- .dc2
- .dcr
- .dcs
- .ddd
- .ddoc
- .ddrw
- .der
- .design
- .dgc
- .djvu
- .dng
- .doc
- .docm
- .docx
- .dot
- .dotm
- .dotx
- .drf
- .drw
- .dwg
- .dxb
- .erbsql
- .erf
- .exf
- .fdb
- .ffd
- .fff
- .fh
- .fhd
- .fpx
- .fxg
- .gif
- .gray
- .grey
- .gry
- .h
- .h
- .hbk
- .hpp
- .html
- .ibank
- .ibd
- .ibz
- .idx
- .iiq
- .incpas
- .jar
- .java
- .jpeg
- .jpg
- .js
- .kc2
- .kdbx
- .kdc
- .kpdx
- .lua
- .mdb
- .mdc
- .mef
- .mfw
- .mmw
- .moneywell
- .mos
- .mpg
- .mrw
- .myd
- .ndd
- .nef
- .nop
- .nrw
- .ns2
- .ns3
- .ns4
- .nsd
- .nsf
- .nsg
- .nsh
- .nwb
- .nx1
- .nx2
- .nyf
- .odb
- .odf
- .odg
- .odm
- .odp
- .ods
- .odt
- .orf
- .otg
- .oth
- .otp
- .ots
- .ott
- .p12
- .p7b
- .p7c
- .pat
- .pcd
- .pef
- .pem
- .pfx
- .php
- .pl
- .png
- .pot
- .potm
- .potx
- .ppam
- .pps
- .ppsm
- .ppsx
- .ppt
- .pptm
- .pptx
- .ps
- .psafe3
- .psd
- .ptx
- .py
- .ra2
- .raf
- .raw
- .rdb
- .rtf
- .rw2
- .rwl
- .rwz
- .s3db
- .sas7bdat
- .sav
- .sd0
- .sd1
- .sda
- .sdf
- .sldm
- .sldx
- .sln
- .sql
- .sqlite
- .sqlite3
- .sqlitedb
- .sr2
- .srf
- .srw
- .st4
- .st5
- .st6
- .st7
- .st8
- .stc
- .std
- .sti
- .stw
- .stx
- .svg
- .sxc
- .sxd
- .sxg
- .sxi
- .sxm
- .sxw
- .txt
- .vb .vbs
- .wb2
- .x3f
- .xla
- .xlam
- .xll
- .xlm
- .xls
- .xlsb
- .xlsm
- .xlsx
- .xlt
- .xltm
- .xltx
- .xlw
- .xml
- .ycbcra
It renames encrypted files using the following names:
- {original file name and extension}.encrypt
It does the following:
- It encrypts files in the ff folders:
- Desktop
- Programs
- Personal
- MyDocuments
- Favorites
- Startup
- Recent
- SendTo
- StartMenu
- MyMusic
- DesktopDirectory
- MyComputer
- Templates
- ApplicationData
- LocalApplicationData
- InternetCache
- Cookies
- History
- CommonApplicationData
- System
- ProgramFiles
- MyPictures
- CommonProgramFiles
It deletes itself after execution.
SOLUTION
9.800
12.546.08
24 May 2016
12.547.00
25 May 2016
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Search and delete this file
*Note: The file name input box title varies depending on the Windows version (e.g. Search for files or folders named or All or part of the file name.).
• For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:
- Open a Windows Explorer window.
- For Windows Vista, 7, and Server 2008 users, click Start>Computer.
- For Windows 8, 8.1, and Server 2012 users, right-click on the lower left corner of the screen, then click File Explorer.
- In the Search Computer/This PC input box, type:
DATA_GENERIC - Once located, select the file then press SHIFT+DELETE to delete it.
*Note: Read the following Microsoft page if these steps do not work on Windows 7.
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Microsoft = "%Application Data%\Windows\svchost.exe"
- Microsoft = "%Application Data%\Windows\svchost.exe"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableTaskMgr = "1"
- DisableTaskMgr = "1"
Step 5
Scan your computer with your Trend Micro product to delete files detected as RANSOM_ELFACRYPT.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 6
Restore encrypted files from backup.
Did this description help? Tell us how we did.