Analysis by: Anthony Joe Melgarejo

ALIASES:

Trojan:Win32/Monsib.A (Microsoft)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Trojan may arrive bundled with malware packages as a malware component.

It requires its main component to successfully perform its intended routine.

  TECHNICAL DETAILS

File Size: 156,160 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 21 Aug 2013

Arrival Details

This Trojan may arrive bundled with malware packages as a malware component.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Program Files%\МониторингЭО\SbisMon.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Other Details

This Trojan requires its main component to successfully perform its intended routine.

NOTES:

This Trojan accepts the following parameters to perform its intended routines:

  • -a (for encryption)
  • -s (for dropping its copy)

It encrypts most of the files in the affected system.

It checks the following directories first before encrypting other files:

  • %Program Files%\Microsoft SQL Server
  • %Program Files%\Microsoft\Exchange Server
  • %Program Files%\Exchange User Monitor

It skips encrypting a file depending on the conditions. One condition is if the file is found in the following folder names:

  • boot
  • system volume information
  • windows

Another condition is if the directory where the files is located contains the following strings:

  • Program Files (except for the 3 directories mentioned above)
  • recycle

Another condition is if the file has the following extensions:

  • .acm
  • .ax
  • .bat
  • .bin
  • .cmd
  • .com
  • .cpa
  • .cpl
  • .dat
  • .dll
  • .exe
  • .ime
  • .inf
  • .ini
  • .lnk
  • .lrc
  • .mof
  • .msc
  • .msi
  • .nls
  • .ocx
  • .olb
  • .rnd
  • .rs
  • .scr
  • .sdi
  • .sys
  • .tbl
  • .tlb
  • .tsp
  • .vbs

If the file name contains the following strings:

  • boot
  • ntldr

  SOLUTION

Minimum Scan Engine: 9.300

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as TROJ_RANSOM.NIL. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.