TROJ_INDUSTROYER.A
Ransom:Win32/CrashOverride.A (Microsoft), a variant of Win32/Industroyer.A (ESET-NOD32)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other Details
This Trojan does the following:
- It enumerates all keys on the following registry and sets the value with an empty string. This prevents the services from running properly:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- It enumerates all drives connected on the affected system and overwrites files with the following extensions:
- .paf
- .XRF
- .trc
- .SCL
- .bak
- .cid
- .scd
- .pcmp
- .pcmi
- .pcmt
- .ini
- .xml
- .CIN
- .prj
- .cxm
- .elb
- .epl
- .mdf
- .ldf
- .bkp
- .log
- .zip
- .rar
- .tar
- .exe
- .dll
- It skips overwriting files on folders that contains "Windows" in name.
- It terminates processes except the following:
audiodg.exe
conhost.exe
csrss.exe
dwm.exe
explorer.exe
lsass.exe
lsm.exe
services.exe
shutdown.exe
smss.exe
spoolss.exe
spoolsv.exe
svchost.exe
taskhost.exe
wininit.exe
winlogon.exe
wuauclt.exe
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product to delete files detected as TROJ_INDUSTROYER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
NOTES:
Restore modified files and registries using backup or reinstallation.
Did this description help? Tell us how we did.