Analysis by: Michelle Morales

ALIASES:

Ransom:Win32/Gulcrypt.B (Microsoft);

PLATFORM:

Windows

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:
INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Trojan may be downloaded by other malware/grayware from remote sites.

  TECHNICAL DETAILS

File Size: 22,528 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 12 Feb 2015

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

It may be downloaded from the following remote sites:

  • http://{BLOCKED}ail.com/base.rar

Installation

This Trojan then creates the following non-malicious file(s):

  • C:\tempfile\number.win --> this file contains the password used to archive the files; it is deleted immediately after the archiving is finished

It leaves the following text files:

  • {Logical Drive}:\+{user name}_files
  • C:\tempfile\number.asc --> this file is the PGP-encrypted version of C:\tempfile\number.win

It leaves text files that serve as ransom notes containing the following:

  • -----BEGIN PGP MESSAGE-----
    Version: 2.6.3i
    {encrypted data from C:\tempfile\number.win using PGP}
    -----END PGP MESSAGE-----
    The files are packed in archives with a password.
    Unpacked - 300 eur
    To unpack the files send two files to email: {BLOCKED}aero@gmail.com
    1) file you are reading now
    2) one packed file (no more than 1 megabyte)
    In response comes the original file and the instruction for money transfer
    (The original file is proof that it is possible to return all files to their original)
    After the transfer bitcoin, you will receive your password to archives.
    Also coming program to automatically unpack files
    Reply to your letter will come within 24 hours.
    If no response comes for more than 24 hours write to reserved e-mail: {BLOCKED}aero@mail2tor.com

NOTES:

This malware scans for the logical drives of the system and archives files with the following extensions:

  • .cdr
  • .dbf
  • .doc
  • .eps
  • .jpg
  • .pdf
  • .pek
  • .psd
  • .tif
  • .txt
  • .jpeg

Files are archived using the following command:

rar a -p{data from C:\tempfile\number.win}
"{original file name}.rar" "{original file name}.extension"
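The archiving command above is the most useful observable this threat leaves: the archive password is passed on the rar command line, so an endpoint product that records process command lines has captured it even though C:\tempfile\number.win is deleted. The following Python script is an added defensive example, not code from the Trend Micro description; it flags command lines that match the described `rar a -p{password} "{name}.rar" "{name}.{ext}"` pattern for the listed extensions, and it searches a directory tree for the leftover artifact files (`+{user name}_files`, `number.win`, `number.asc`). The log lines, the directory tree and all file names in it are constructed for the demonstration.

```python
"""Defensive detection for the traces described above (added example).

1. scan_process_log(): flag rar command lines of the form
      rar a -p<password> "<name>.rar" "<name>.<ext>"
   where <ext> is one of the targeted extensions; the password is reported
   because it is what a victim needs to unpack the archives.
2. find_artifacts(): locate the artifact files left on disk.
All sample data below is constructed; nothing is taken from a real incident.
"""
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Extensions the description lists as targeted.
TARGET_EXTENSIONS = {".cdr", ".dbf", ".doc", ".eps", ".jpg", ".pdf",
                     ".pek", ".psd", ".tif", ".txt", ".jpeg"}

# rar a -p<password> "<archive>" "<source>"  (password glued to -p, as described)
RAR_CMD = re.compile(
    r'\brar\s+a\s+-p(?P<password>\S+)\s+"(?P<archive>[^"]+)"\s+"(?P<source>[^"]+)"',
    re.IGNORECASE,
)

# Artifact names from the description: +<user name>_files, number.win, number.asc
ARTIFACT_NOTE = re.compile(r"^\+.+_files$")
ARTIFACT_FIXED = {"number.win", "number.asc"}

# Constructed process-creation log lines (EDR / Sysmon style, simplified).
SAMPLE_PROCESS_LOG = [
    r'cmdline=notepad.exe report.txt',
    r'cmdline=rar a -pS3cr3t "D:\docs\contract.rar" "D:\docs\contract.pdf"',
    r'cmdline=rar a "D:\backup\backup.rar" "D:\backup\notes.txt"',   # no password: ordinary use
    r'cmdline=rar a -pX "D:\x\a.rar" "D:\x\b.exe"',                  # name mismatch, untargeted ext
]


def flag_rar_command(cmdline: str):
    """Return details if cmdline matches the described archiving pattern, else None."""
    m = RAR_CMD.search(cmdline)
    if not m:
        return None
    archive = PureWindowsPath(m.group("archive"))
    source = PureWindowsPath(m.group("source"))
    # Archive must be "<name>.rar" built from "<name>.<targeted ext>".
    if archive.suffix.lower() != ".rar" or source.suffix.lower() not in TARGET_EXTENSIONS:
        return None
    if archive.with_suffix("") != source.with_suffix(""):
        return None
    return {"password": m.group("password"), "archive": str(archive), "source": str(source)}


def scan_process_log(lines):
    """Apply flag_rar_command to every log line; return the list of hits."""
    return [hit for hit in (flag_rar_command(line) for line in lines) if hit]


def find_artifacts(root):
    """Recursively list files whose names match the described artifacts."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and (ARTIFACT_NOTE.match(p.name) or p.name.lower() in ARTIFACT_FIXED):
            hits.append(str(p))
    return sorted(hits)


def build_demo_tree(root):
    """Create a constructed directory tree imitating the traces on an infected host."""
    root = Path(root)
    (root / "tempfile").mkdir(parents=True)
    (root / "tempfile" / "number.asc").write_text(
        "-----BEGIN PGP MESSAGE-----\nVersion: 2.6.3i\n(constructed)\n-----END PGP MESSAGE-----\n")
    (root / "+alice_files").write_text("The files are packed in archives with a password.\n")
    (root / "docs").mkdir()
    (root / "docs" / "contract.rar").write_bytes(b"Rar!\x1a\x07\x00")   # archive header only
    (root / "docs" / "readme.txt").write_text("benign\n")
    return root


def run_demo():
    """Run both checks on the constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        artifacts = [Path(p).name for p in find_artifacts(build_demo_tree(tmp))]
    return {"artifacts": sorted(artifacts), "rar_hits": scan_process_log(SAMPLE_PROCESS_LOG)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Only the command line that carries `-p`, produces a `.rar` named after a targeted file, and keeps the original base name is reported; plain password-less archiving and archives whose name does not match the source are left alone to keep the false-positive rate low. When such a hit is found, the recovered password value should be preserved with the incident record, since it is the key to the victim's archives.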

  SOLUTION

Minimum Scan Engine: 9.700
FIRST VSAPI PATTERN FILE: 11.474.06
FIRST VSAPI PATTERN DATE: 12 Feb 2015
VSAPI OPR PATTERN File: 11.457.00
VSAPI OPR PATTERN Date: 13 Feb 2015

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file that dropped/downloaded TROJ_GULCRYPT.A. (Note: Please skip this step if the threat(s) listed below have already been removed.)

Step 3

Search and delete these components

There may be some components that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • {Logical Drive}:\+{user name}_files
  • C:\tempfile\number.asc

Step 4

Scan your computer with your Trend Micro product to delete files detected as TROJ_GULCRYPT.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Restore files from backup.
