RANSOM_CRYSIS.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %User Startup%\How to decrypt your files.jpg – image used as wallpaper
• %User Startup%\How to decrypt your files.txt – ransom note
• %Desktop%\How to decrypt your files.txt – ransom note
• %User Profile%\How to decrypt your files.jpg – ransom note

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.. %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

• %Application Data%\{malware filename}.exe
• %System%\{malware filename}.exe
• %User Startup%\{malware filename}.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
{random 8 characters} = "%System%\{malware filename}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random 8 characters} = "%System%\{malware filename}.exe"

Other System Modifications

This Trojan modifies the following file(s):

• It encrypts files in all fixed, remote and removable drives.
• It appends the extension .id-{victim ID}.{mailrepa.lotos@aol.com}.CrySiS to the encrypted files.

  (Note: Other variants append .id-{victim ID}.{email address}.xtbl or .id-{victim ID}.{email address}.cbf)

It changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = "%User Profile%\How to decrypt your files.jpg"

(Note: The default value data of the said registry entry is {user-defined}.)

It sets the system's desktop wallpaper to the following image:

Other Details

This Trojan encrypts files with the following extensions:

• .odc
• .odm
• .odp
• .ods
• .odt
• .docm
• .docx
• .doc
• .odb
• .mp4
• sql
• .7z
• .m4a
• .rar
• .wma
• .gdb
• .tax
• .pkpass
• .bc6
• .bc7
• .avi
• .wmv
• .csv
• .d3dbsp
• .zip
• .sie
• .sum
• .ibank
• .t13
• .t12
• .qdf
• .bkp
• .qic
• .bkf
• .sidn
• .sidd
• .mddata
• .itl
• .itdb
• .icxs
• .hvpl
• .hplg
• .hkdb
• .mdbackup
• .syncdb
• .gho
• .cas
• .svg
• .map
• .wmo
• .itm
• .sb
• .fos
• .mov
• .vdf
• .ztmp
• .sis
• .sid
• .ncf
• .menu
• .layout
• .dmp
• .blob
• .esm
• .vcf
• .vtf
• .dazip
• .fpk
• .mlx
• .kf
• .iwd
• .vpk
• .tor
• .psk
• .rim
• .w3x
• .fsh
• .ntl
• .arch00
• .lvl
• .snx
• .cfr
• .ff
• .vpp_pc
• .lrf
• .m2
• .mcmeta
• .vfs0
• .mpqge
• .kdb
• .db0
• .dba
• .rofl
• .hkx
• .bar
• .upk
• .das
• .iwi
• .litemod
• .asset
• .forge
• .ltx
• .bsa
• .apk
• .re4
• .sav
• .lbf
• .slm
• .bik
• .epk
• .rgss3a
• .pak
• .big
• wallet
• .wotreplay
• .xxx
• .desc
• .py
• .m3u
• .flv
• .js
• .css
• .rb
• .png
• .jpeg
• .txt
• .p7c
• .p7b
• .p12
• .pfx
• .pem
• .crt
• .cer
• .der
• .x3f
• .srw
• .pef
• .ptx
• .r3d
• .rw2
• .rwl
• .raw
• .raf
• .orf
• .nrw
• .mrwref
• .mef
• .erf
• .kdc
• .dcr
• .cr2
• .crw
• .bay
• .sr2
• .srf
• .arw
• .3fr
• .dng
• .jpe
• .jpg
• .cdr
• .indd
• .ai
• .eps
• .pdf
• .pdd
• .psd
• .dbf
• .mdf
• .wb2
• .rtf
• .wpd
• .dxg
• .xf
• .dwg
• .pst
• .accdb
• .mdb
• .pptm
• .pptx
• .ppt
• .xlk
• .xlsb
• .xlsm
• .xlsx
• .xls
• .wps

It does the following:

• It connects to the following sites:
  • http://{BLOCKED}ika234.cc/crs/pass/index.php
  • http://{BLOCKED}ika234.cc/crs/stat/index.php
• It sends the following formatted information to the aforementioned sites:
  • submit=submit&id={ID} &guid={guid} &pc={computername} &mail={ransom contact email}
• It deletes shadow copies by executing the following command:
  • vssadmin delete shadows /all /quiet
• It avoids encrypting files/directories with the following strings:
  • %windir%
  • boot.ini
  • bootfont.bin
  • ntldr
  • ntdetect.com
  • io.sys
  • explorer.exe
  • svchost.exe

NOTES:

The dropped ransom note How to decrypt your files.txt contains the following message: