TROJ_RANSOM.NIL

This Trojan may arrive bundled with malware packages as a malware component.

It requires its main component to successfully perform its intended routine.

Arrival Details

This Trojan may arrive bundled with malware packages as a malware component.

Installation

This Trojan drops the following copies of itself into the affected system:

• %Program Files%\МониторингЭО\SbisMon.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Other Details

This Trojan requires its main component to successfully perform its intended routine.

NOTES:

This Trojan accepts the following parameters to perform its intended routines:

• -a (for encryption)
• -s (for dropping its copy)

It encrypts most of the files in the affected system.

It checks the following directories first before encrypting other files:

• %Program Files%\Microsoft SQL Server
• %Program Files%\Microsoft\Exchange Server
• %Program Files%\Exchange User Monitor

It skips encrypting a file depending on the conditions. One condition is if the file is found in the following folder names:

• boot
• system volume information
• windows

Another condition is if the directory where the files is located contains the following strings:

• Program Files (except for the 3 directories mentioned above)
• recycle

Another condition is if the file has the following extensions:

• .acm
• .ax
• .bat
• .bin
• .cmd
• .com
• .cpa
• .cpl
• .dat
• .dll
• .exe
• .ime
• .inf
• .ini
• .lnk
• .lrc
• .mof
• .msc
• .msi
• .nls
• .ocx
• .olb
• .rnd
• .rs
• .scr
• .sdi
• .sys
• .tbl
• .tlb
• .tsp
• .vbs

If the file name contains the following strings:

• boot
• ntldr