RANSOM_CRYPTEAR.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It gathers certain information on the affected computer.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %Desktop%\READ_IT.txt - ransom note

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Information Theft

This Trojan gathers the following information on the affected computer:

• Machine Name
• User Name

NOTES:

This ransomware connects to the following website to send information:

• http://www.{BLOCKED}n.com/hidden-tear/write.php?info={MachineName}-{UserName}%20{Generated Password for decryption}

It encrypts files with the following extensions in the %User Profile% sub folders and appends .locked as the new file extension of the encrypted files:

• .txt
• .doc
• .docx
• .xls
• .xlsx
• .ppt
• .pptx
• .odt
• .jpg
• .png
• .csv
• .sql
• .mdb
• .sln
• .php
• .asp
• .aspx
• .html
• .xml
• .psd

Below is the message contained in READ_IT.txt: