RANSOM_CRYPTESLA.M

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It modifies the Internet Explorer Zone Settings.

It connects to certain websites to send and receive information. It deletes itself after execution. It gathers information and reports it to its servers.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

• %User Profile%\Documents\{random filename}.exe (with non-Administrator Privileges)
• %Windows%\{random filename}.exe (with Administrator Privileges)

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• 8765-123rvr4

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%System%\cmd.exe /c start "" "%User Profile%\Documents\{random filename}.exe "" (Note: with non-Administrator Privileges)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%System%\cmd.exe /c start "" "%Windows%\{random filename}.exe"" (Note: with Administrator Privileges)

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\zzzsys

HKEY_CURRENT_USER\Software\{Installation ID}

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnabledLinkConnections = "1"

HKEY_CURRENT_USER\Software\{Installation ID}
data = {encryption information}

HKEY_CURRENT_USER\Software\zzzsys
ID = {Installation ID}

Propagation

This Trojan does not have any propagation routine.

Backdoor Routine

This Trojan does not have any backdoor routine.

Web Browser Home Page and Search Page Modification

This Trojan modifies the Internet Explorer Zone Settings.

Dropping Routine

This Trojan drops the following files:

• %User Profile%\Documents\recover_file_{random letters}.txt
• %Desktop\RECOVERY.HTM
• %Desktop\RECOVERY.TXT
• %Desktop\RECOVERY.png

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Other Details

This Trojan connects to the following website to send and receive information:

• http://{BLOCKED}atramvaji.cz/modules/mod_search/wstr.php
• http://{BLOCKED}icaltrading.com/images/gallery/wstr.php
• http://{BLOCKED}alan.com/copywriting.my/image/wstr.php
• http://{BLOCKED}croll.com/cgi-bin/Templates/bstr.php
• http://music.{BLOCKED}er.com/music/Glee/bstr.php
• http://{BLOCKED}cyandadoption.com/bstr.php

It encrypts files with the following extensions:

• .docm
• .docx
• .dwg
• .dxg
• .epk
• .eps
• .erf
• .esm
• .ff
• .flv
• .forge
• .fos
• .fpk
• .fsh
• .gdb
• .gho
• .hkdb
• .hkx
• .hplg
• .hvpl
• .ibank
• .icxs
• .indd
• .itd
• .itdb
• .itl
• .itm
• .iwd
• .iwi
• .jpeg
• .jpg
• .js
• .kdb
• .kdc
• .kf
• .layout
• .lbf
• .litemod
• .lrf
• .ltx
• .lvl
• .m2
• .m3u
• .m4a
• .mcmeta
• .mdb
• .mdbackup
• .mdd
• .mddata
• .mdf
• .mef
• .menu
• .mlx
• .mov
• .mp4
• .mpqge
• .mrwref
• .ncf
• .nrw
• .ntl
• .odb
• .odc
• .odm
• .odp
• .ods
• .odt
• .orf
• .p12
• .p7b
• .p7c
• .pak
• .pdd
• .pdf
• .pef
• .pem
• .pfx
• .pkb
• .pkpass
• .png
• .ppt
• .pptm
• .pptx
• .psd
• .psk
• .pst
• .ptx
• .py
• .qdf
• .qic
• .r3d
• .raf
• .rar
• .raw
• .rb
• .re4
• .rgss3a
• .rim
• .rofl
• .rtf
• .rw2
• .rwl
• .sav
• .sb
• .sid
• .sidd
• .sidn
• .sie
• .sis
• .slm
• .snx
• .sql
• .sr2
• .srf
• .srw
• .sum
• .svg
• .syncdb
• .t12
• .t13
• .tax
• .tor
• .txt
• .upk
• .vcf
• .vdf
• .vfs
• .vfs0
• .vpk
• .vpp_pc
• .vtf
• .w3x
• .wallet
• .wb2
• .wma
• .wmo
• .wmv
• .wotreplay
• .wpd
• .wps
• .x3f
• .xf
• .xlk
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xxx
• .zip
• .ztm
• .ztmp
• .3fr
• .7z
• .accdb
• .ai
• .amp
• .apk
• .arch00
• .arw
• .asset
• .avi
• .bar
• .bay
• .bc6
• .bc7
• .big
• .bik
• .bkf
• .bkp
• .blob
• .bsa
• .cas
• .cdr
• .cer
• .cfr
• .cr2
• .crt
• .crw
• .css
• .csv
• .d3dbsp
• .das
• .dazip
• .db0
• .dba
• .dbf
• .dcr
• .der
• .desc
• .dmp
• .dng
• .doc

It opens the following files:

• %Desktop\RECOVERY.HTM
• %Desktop\RECOVERY.TXT
• %Desktop\RECOVERY.png

It deletes itself after execution.

It gathers the following information and reports it to its servers:

• Infection status
• Bitcoin address
• Total size of encrypted files
• Malware version
• OS information
• Installation ID

NOTES:

This malware deletes shadow copies by executing the following command:

%System%\wbem\WMIC.exe
shadowcopy delete /nointeractive

It terminates processes containing the following strings:

• askmg
• rocex
• egedi
• sconfi
• cmd

It appends the extension .mp3 to the file name of the encrypted files.

It avoids encrypting files from the following folders:

• Windows
• Program Files
• %All Users Profile%\Application Data - when running on Windows XP and older versions
• ProgramData - when running on Windows Vista and recent versions

It avoids encrypting files with the following strings:

• recove
• .mp3

It encrypts files in all fixed, removable, and network drives and shares.

It drops _RECoVERY_+{random letters}.png, _RECoVERY_+{random letters}.txt, and _RECoVERY_+{random letters}.html to the folders where the files are encrypted:

It does not have rootkit capabilities.

It does not exploit any vulnerability.