
Win32/Dircrypt


First posted on 28 April 2014.
Source: Microsoft

Aliases :

There are no other names known for Win32/Dircrypt.

Explanation :

Threat behavior

Installation

Win32/Dircrypt can spread via spam emails, or by being downloaded by other malware. It can drop a few copies of itself into these folders using random file names:

  • %ProgramFiles%\
  • %APPDATA%\
  • %TEMP%


For example:

  • %ProgramFiles%\gnucleus\brcduejm.exe
  • %APPDATA%\adobe\ankiybii.exe
  • \msnrurfv.exe
  • %TEMP%\iazkodqn.exe


It can also drop other files in your PC as part of its installation process:

  • %APPDATA%\dirty\alertwall.jpg - which might look like this:
  • %APPDATA%\dirty\dirtydecrypt.exe - which might be detected as Trojan:Win32/Dircrypt.A or Trojan:Win32/Dircrypt.B
  • %APPDATA%\dirty\dirtydecrypt.exe
  • %LOCALAPPDATA%\dirty\dirtydecrypt.exe


This threat also makes the following registry changes so that it runs automatically every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: "%APPDATA%\\.exe"

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "\userinit.exe,,%ProgramFiles%\\.exe"

It also makes these registry changes as part of its installation process:

In subkey: HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB
Sets value: "F"
With data: ""

In subkey: HKLM\SAM\SAM\DOMAINS\Builtin\Aliases\00000220
Sets value: "C"
With data: ""

In subkey: HKLM\SAM\SAM\Domains\Builtin
Sets value: "F"
With data: ""

In subkeys: HKCU\Software\{} and HKLM\Software\{}
Sets value: "PeriodDisabed"
With data: "1"

This threat injects itself into these legitimate processes:

  • explorer.exe
  • svchost.exe
  • winlogon.exe


Payload

Lowers security settings

It makes your PC less secure by changing these settings:

Bypasses the proxy server, if you have one configured:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Sets value: "ProxyBypass"
With data: "1"

Disables notifications about Windows Firewall:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "DisableNotifications"
With data: "1"

Disables the Security Center service:
In subkey: HKLM\SYSTEM\ControlSet001\Services\wscsvc
Sets value: "Start"
With data: "4"

Disables the Windows Update service:
In subkey: HKLM\SYSTEM\ControlSet001\Services\wuauserv
Sets value: "Start"
With data: "4"

Disables the Security Center warning that you don't have an antivirus program installed:
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"

Disables Task Manager:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "DisableTaskMgr"
With data: "1"

Disables Least user access (or LUA):
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableLUA"
With data: "0"

Encrypts files in your PC

This threat encrypts files in your PC. It then displays its dropped image to tell you how to recover your files by paying a ransom:

Analysis by Marianne Mallen

Symptoms

The following could indicate that you have this threat on your PC:

  • You cannot access your files; instead you see an image like this:
  • You see these entries or keys in your registry:

    In subkey: HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB
    Value: "F"
    With data: ""

    In subkey: HKLM\SAM\SAM\DOMAINS\Builtin\Aliases\00000220
    Value: "C"
    With data: ""

    In subkey: HKLM\SAM\SAM\Domains\Builtin
    Value: "F"
    With data: ""

  • You can't run Task Manager
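As an added, read-only check that is not part of the original write-up, the following PowerShell audits the registry values and dropped file paths this entry lists under "Lowers security settings", "Installation" and "Symptoms". It assumes an elevated prompt, uses CurrentControlSet where the write-up names ControlSet001, and skips the SAM keys, which are not readable through normal registry tooling.

```powershell
# Added example (not from the original write-up): audit a host for the registry
# values and dropped files that the entry attributes to Win32/Dircrypt.
# Read-only. Run from an elevated prompt. SAM keys are omitted (not readable).

# Each entry: the key, the value name, and the data the write-up says the threat sets.
$settings = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = 1 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA';      Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                         Name = 'AntiVirusOverride'; Bad = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'DisableNotifications'; Bad = 1 },
    # Write-up names ControlSet001; CurrentControlSet is assumed to point at the live set.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';   Name = 'Start'; Bad = 4 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'; Name = 'Start'; Bad = 4 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'; Name = 'ProxyBypass'; Bad = 1 }
)

# Dropped files named in the write-up (paths expanded from the current user's profile).
$droppedFiles = @(
    "$env:APPDATA\dirty\dirtydecrypt.exe",
    "$env:LOCALAPPDATA\dirty\dirtydecrypt.exe",
    "$env:APPDATA\dirty\alertwall.jpg"
)

function Test-DircryptArtifacts {
    $findings = @()

    foreach ($s in $settings) {
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($s.Name) -eq $s.Bad) {
            $findings += "Registry: $($s.Path)\$($s.Name) = $($s.Bad)"
        }
    }

    # A clean Userinit holds one program ("...\userinit.exe,"); the threat appends a
    # second path after the comma, so more than one non-empty entry is suspicious.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($userinit -and @($userinit -split ',' | Where-Object { $_.Trim() }).Count -gt 1) {
        $findings += "Winlogon Userinit has extra entries: $userinit"
    }

    foreach ($p in $droppedFiles) {
        if (Test-Path -LiteralPath $p) { $findings += "File: $p" }
    }
    return $findings
}

$result = Test-DircryptArtifacts
if ($result.Count -eq 0) { 'No Win32/Dircrypt artifacts found.' } else { $result }
```

A hit on any single setting is not proof of this threat on its own, since other malware and some administrators change the same values; treat the combination, especially together with the dirtydecrypt.exe files, as the indicator.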

Last update 28 April 2014
