Ransom:Win32/Pulobe.A
First posted on 28 February 2017.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Pulobe.A.
Explanation:
Installation
This ransomware only runs properly if you have administrator rights.
When executed, this ransomware drops the following copy of itself:
%APPDATA%\roaming\trust.exe
It creates the following registry entry so that the ransom note is displayed every time the PC starts:
In subkey: HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "How To Recover Encrypted Files"
With data: "mshta.exe "c:\users\administrator\how to recover encrypted files.hta"
Payload
Encrypts files
This threat encrypts files with the following file name extensions:
.3dm
.3ds
.3fr
.3g2
.3gp
.7z
.a06
.accdb
.ach
.ai
.aiff
.arw
.asf
.asp
.asx
.avi
.back
.backup
.bak
.bay
.bin
.blend
.cdr
.cer
.cerc
.cpp
.cr2
.crt
.crw
.cs
.dat
.db
.dbf
.dcr
.dds
.der
.des
.dit
.dng
.doc
.docm
.docx
.dtd
.dwg
.dxf
.dxg
.edb
.eml
.eps
.erf
.flac
.gif
.groups
.h
.hdd
.indd
.java
.jpe
.jpeg
.jpg
.kdc
.kwm
.log
.m
.m2ts
.m4p
.mdb
.mdf
.mef
.mkv
.mov
.mp3
.mp4
.mpeg
.mpg
.mrw
.nd
.ndf
.nef
.nrw
.nvram
.odb
.odm
.odp
.ods
.odt
.ogg
.orf
.otf
.p12
.p7b
.p7c
.pct
.pdb
.pdd
.pef
.pem
.pfx
.pif
.pl
.png
.pps
.ppt
.pptm
.pptx
.prf
.ps
.psd
.pst
.ptx
.pwm
.py
.qba
.qbb
.qbm
.qbr
.qbw
.qbx
.qby
.qcow
.qcow2
.qed
.r3d
.raf
.rar
.raw
.rm
.rtf
.rvt
.rw2
.rwl
.safe
.sav
.sql
.sr2
.srf
.srt
.srw
.stm
.svg
.swf
.tex
.tga
.thm
.tlg
.txt
.vbox
.vdi
.vhd
.vhdx
.vmdk
.vmsd
.vmx
.vmxf
.vob
.wav
.wb2
.wma
.wmv
.wpd
.wps
.x3f
.xlk
.xlr
.xls
.xlsb
.xlsm
.xlsx
.xlsx3gp
.yuv
.zip
It uses the following file name extension for encrypted files:
.globe
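The installation and payload details above give a defender three host indicators to look for: the Run value named "How To Recover Encrypted Files" whose data launches an .hta through mshta.exe, the dropped copy trust.exe under the roaming application data folder, and files renamed with the .globe extension. The following triage script is an added example, not part of the Microsoft description and not code from the malware; it runs over a constructed .reg-style export of the Run key and a constructed file listing (both embedded below and labelled as such), parses the export, and reports which indicators are present and which original extensions sit beneath the .globe suffix.

```python
"""Triage helper for the Ransom:Win32/Pulobe.A host indicators.

Added example: checks a .reg-style export of the user's Run key and a
file listing for the indicators in the description above. The inputs
are constructed samples, not captures from an infected machine.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators taken from the description above.
RUN_VALUE_NAME = "How To Recover Encrypted Files"
DROPPED_COPY_NAME = "trust.exe"
ENCRYPTED_EXT = ".globe"

# Constructed sample: what `reg export` of the Run key might look like.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"How To Recover Encrypted Files"="mshta.exe \"c:\\users\\administrator\\how to recover encrypted files.hta\""
'''

# Constructed sample file listing, as a directory walk might report it.
SAMPLE_FILE_LISTING = [
    r"C:\Users\Administrator\AppData\Roaming\trust.exe",
    r"C:\Users\Administrator\Documents\budget.xlsx.globe",
    r"C:\Users\Administrator\Documents\notes.txt.globe",
    r"C:\Users\Administrator\Pictures\holiday.jpg",
    r"c:\users\administrator\how to recover encrypted files.hta",
]

# One string value per line: "name"="data", with \" and \\ escapes inside.
REG_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape_reg(s):
    """Undo the backslash escaping used for strings in .reg exports."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_run_values(text):
    """Return {value_name: data} for every string value in the export."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            values[_unescape_reg(m.group("name"))] = _unescape_reg(m.group("data"))
    return values


def find_run_key_indicators(values):
    """Flag the known value name, plus any Run value that launches an .hta via mshta.exe."""
    hits = []
    for name, data in values.items():
        lowered = data.lower()
        if name == RUN_VALUE_NAME:
            hits.append(("pulobe_run_value_name", name, data))
        elif "mshta.exe" in lowered and ".hta" in lowered:
            hits.append(("mshta_hta_autorun", name, data))
    return hits


def find_file_indicators(paths):
    """Report the dropped copy, the ransom-note .hta, .globe files and their original extensions."""
    result = {"dropped_copy": [], "ransom_note": [], "globe_files": [], "original_exts": Counter()}
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if name == DROPPED_COPY_NAME and "appdata" in p.lower():
            result["dropped_copy"].append(p)
        if name.endswith(".hta") and "recover encrypted files" in name:
            result["ransom_note"].append(p)
        if name.endswith(ENCRYPTED_EXT):
            result["globe_files"].append(p)
            # Strip ".globe" and record the extension the file had before encryption.
            inner = PureWindowsPath(wp.name[:-len(ENCRYPTED_EXT)]).suffix.lower()
            result["original_exts"][inner] += 1
    return result


def triage(reg_export, file_listing):
    """Combine registry and file checks into one report with an overall verdict."""
    report = {"reg_hits": find_run_key_indicators(parse_reg_run_values(reg_export))}
    report.update(find_file_indicators(file_listing))
    report["indicators_present"] = bool(
        report["reg_hits"] or report["dropped_copy"] or report["globe_files"]
    )
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_REG_EXPORT, SAMPLE_FILE_LISTING)
    for kind, name, data in rep["reg_hits"]:
        print(f"[{kind}] {name!r} -> {data}")
    for key in ("dropped_copy", "ransom_note", "globe_files"):
        for p in rep[key]:
            print(f"[{key}] {p}")
    print("original extensions under .globe:", dict(rep["original_exts"]))
    print("indicators present:", rep["indicators_present"])
```

On a real host, `reg export "HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` produces the export (open it with `encoding="utf-16"`, which is what `reg export` writes), and a `Path.rglob("*")` over the user profile gives the file listing. The `mshta_hta_autorun` check is deliberately broader than the exact value name so that a renamed Run value still surfaces for review; the `original_exts` counter is useful for confirming that the affected files match the extension list above.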
When your PC restarts, it displays the following ransom note:
Deletes itself
This threat uses JScript to delete itself.
Analysis by Francis Tan Seng
Last update 28 February 2017