TROJ_CRYPTROLF.YMX

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %AppDataLocal%\winrar.exe

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %All Users Profile%\Application Data\TEMP - Windows XP
• %All Users Profile%\TEMP - Windows 7 and Vista

(Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
winrar = "%AppDataLocal%\winrar.exe"

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\Licenses

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Licenses
{R7C0DB872A3F777C0} = "{random values}"

HKEY_CURRENT_USER\Software\Licenses
{K7C0DB872A3F777C0} = "{random values}"

HKEY_CURRENT_USER\Software\Licenses
{I7B4ED451FFFFFFFF} = "{random values}"

HKEY_CURRENT_USER\Software\Licenses
{07B4ED451FFFFFFFF} = "{random values}"

HKEY_CURRENT_USER\Software
winrar = "{value which indicates its installation}"

It changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = "%User Profile%\My Documents\ttt.jpg"

(Note: The default value data of the said registry entry is {previous user wallpaper}.)

HKEY_CURRENT_USER\Control Panel\Desktop
TileWallpaper = "0"

(Note: The default value data of the said registry entry is {previous user value}.)

Dropping Routine

This Trojan drops the following files:

• %AppDataLocal%\winrar.rar - contains the list of files to encrypt
• %User Profile%\My Documents\ttt.jpg - wallpaper to be set after encryption
• {malware path}\mmm.bat -it deletes the initial copy of this malware.

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Other Details

This Trojan encrypts files with the following extensions:

• 1cd
• 3gp
• 7z
• dbf
• doc
• docx
• dot
• dpr
• eml
• iso
• jpeg
• jpg
• mp4
• pdf
• pot
• pps
• ppsx
• pptx
• rar
• rtf
• xls
• xlsx
• zip

NOTES:

This Trojan replaces some file binaries and the original is encrypted and appending on the same file. It targets to encrypt files from drives C to Z. After encrypting files, It displays the following on the desktop: