RANSOM_LOCKY.DLDSAPL
(Microsoft) Ransom:Win32/Locky.A; (Malwarebytes) Ransom.Locky
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It is capable of encrypting files in the affected system.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
- {folder of encrypted files}\_{number of folders encrypted}_HOWDO_text.html
It drops and executes the following files:
- %Desktop%\_HOWDO_text.bmp
- %Desktop%\_HOWDO_text.html
(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Control Panel\Desktop
TileWallpaper = "0"
HKEY_CURRENT_USER\Control Panel\Desktop
WallpaperStyle = "0"
HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = "%Desktop%\_HOWDO_text.bmp"
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}.{BLOCKED}.26.201/apache_handler.php
- http://{randomly generated domain}.{ru, info, biz, click, su, work, pl, org, pw, org}/apache_handler.php
It renames encrypted files using the following names:
- {unique ID per victim}-{identifier}.odin
It is capable of encrypting files in the affected system.