TROJ_ELDORADO.QI
Trojan-Ransom.Win32.Blocker.himi (Kaspersky),
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It terminates itself if it detects it is being run in a virtual environment.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
Installation
This Trojan drops the following copies of itself into the affected system:
- %Application Data%\{random}.exe
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It drops the following files:
- %User Temp%\{random}.bat
- %Application Data%\Microsoft\Address Book\{user}.wab
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKCU\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = %Application Data%\{random}.exe
Other Details
This Trojan terminates itself if it detects it is being run in a virtual environment.
Mobile Malware Routine
This Trojan accesses the following possibly malicious URL(s):
- {BLOCKED}tution.org
- {BLOCKED}hothenowrema.ru
- {BLOCKED}ecitipurpose.ru
- {BLOCKED}esuchandffastation.ru
NOTES:
The malware checks if it is running in a virtual machine by searching for the following strings in certain registry entries:
- vbox
- qemu
- vmware
- virtual hd