
Trojan:Win32/Ransom.HV


First posted on 26 July 2012.
Source: Microsoft

Aliases :

Trojan:Win32/Ransom.HV is also known as Trojan-Ransom.Win32.Foreign.orb (Kaspersky), Trojan.Fakealert.30674 (Dr.Web), Ransom!fp (McAfee).

Explanation :



Trojan:Win32/Ransom.HV is a ransomware trojan that encrypts your documents. It displays a screen falsely claiming that your computer has been found to be involved in illegal activity. It further claims that, as a result, your desktop has been locked and your files have been encrypted. It states that, to recover access to your desktop and to decrypt your documents, you need to send a certain amount of money to a remote account.



Installation

Trojan:Win32/Ransom.HV may be present as a file named "svchost.exe" in a randomly-named folder under "C:\ProgramData\". Note that a legitimate Windows file named "svchost.exe" exists by default in the Windows system folder (for example "C:\Windows\System32\"); a copy of "svchost.exe" running from "C:\ProgramData\" is not that file.

It creates an entry with a random value name and random data under the subkey "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" to ensure that it runs every time Windows starts.



Payload

Locks your desktop and encrypts your files

Trojan:Win32/Ransom.HV searches your computer for documents. It encrypts the ones it finds and renames them using the following format:

<old document name>(!! to decrypt email id <computer ID> to <email address> !!).exe

The encrypted files are detected as Trojan:Win32/Ransom.JC.
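The two indicators above (a "svchost.exe" started from a Run value but living outside the Windows system folder, and documents renamed with the "(!! to decrypt email id ... !!).exe" tail) are easy to hunt for in data an incident responder already collects. The following is an added example, not code from Microsoft or from this page: it parses the rename format and checks Run-key command lines against the expected svchost.exe locations. The Run-key export and directory listing it runs over are constructed sample data; the computer ID and email address in them are made up, and the set of legitimate svchost.exe directories is a simplifying assumption (servicing copies under WinSxS are ignored, so a hit elsewhere is a lead to verify, not a verdict).

```python
import ntpath
import re

# Rename pattern from the advisory:
#   <old document name>(!! to decrypt email id <computer ID> to <email address> !!).exe
# The group for the original name is greedy, so a document name that itself
# contains parentheses still parses as long as the tail matches literally.
RANSOM_NAME_RE = re.compile(
    r"^(?P<original>.+)\(!! to decrypt email id (?P<computer_id>\S+) "
    r"to (?P<email>[^\s!]+) !!\)\.exe$",
    re.IGNORECASE,
)

# Directories where svchost.exe is expected on a 64-bit or 32-bit install.
# Assumption for this example: servicing copies under WinSxS are not listed,
# so anything outside these is a lead to verify, not a verdict.
LEGIT_SVCHOST_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}


def parse_ransom_name(filename):
    """Return (original name, computer ID, email) if the filename matches the
    Ransom.HV rename format, else None."""
    m = RANSOM_NAME_RE.match(filename)
    if not m:
        return None
    return m.group("original"), m.group("computer_id"), m.group("email")


def _normalize(path, system_root=r"C:\Windows"):
    # Expand the environment references Run values commonly use, then
    # normalize separators and case so directory comparison is reliable.
    path = path.replace("%SystemRoot%", system_root).replace("%windir%", system_root)
    return ntpath.normpath(path).lower()


def is_suspicious_svchost(path):
    """True when the file is named svchost.exe but lives outside the Windows
    system folders (e.g. C:\\ProgramData\\<random>\\svchost.exe)."""
    norm = _normalize(path)
    if ntpath.basename(norm) != "svchost.exe":
        return False
    return ntpath.dirname(norm) not in LEGIT_SVCHOST_DIRS


def executable_from_command(command):
    """Pull the program path out of a Run-key command line: the first
    double-quoted token, or everything up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def flag_run_entries(entries):
    """Given (value name, command) pairs exported from
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run, return the ones
    whose program is a svchost.exe outside the system folders."""
    flagged = []
    for name, command in entries:
        exe = executable_from_command(command)
        if is_suspicious_svchost(exe):
            flagged.append((name, exe))
    return flagged


def find_encrypted_documents(filenames):
    """Return (renamed file, original name, computer ID, email) for every
    path whose file name matches the rename format."""
    hits = []
    for fn in filenames:
        parsed = parse_ransom_name(ntpath.basename(fn))
        if parsed:
            hits.append((fn, *parsed))
    return hits


# Constructed sample data (not from a real infection): a Run-key export and a
# directory listing as a responder might collect them. The random folder
# name, value name, computer ID and email address are all made up.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("zq8k1m", r'"C:\ProgramData\k2x9ap\svchost.exe"'),
    ("Svc", r"%SystemRoot%\System32\svchost.exe -k netsvcs"),
]

SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\report.docx(!! to decrypt email id 4F2A91C0 to decrypt@example.com !!).exe",
    r"C:\Users\alice\Documents\setup.exe",
]

if __name__ == "__main__":
    for name, exe in flag_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run value {name!r} -> {exe}")
    for fn, original, cid, email in find_encrypted_documents(SAMPLE_LISTING):
        print(f"encrypted: {original}  (computer ID {cid}, contact {email})")
```

The parser also recovers the original document name from each renamed file, which is what you need to build the list of affected documents for restoration from backup, and the computer ID and contact address, which are the indicators worth searching for across other hosts.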

Trojan:Win32/Ransom.HV then locks your desktop and displays the following message, falsely claiming that your computer has been found to be involved in illegal activity:



It further states that for you to regain access to your desktop and to decrypt your documents, you need to send money to a certain email address.



Analysis by Mihai Calota

Last update 26 July 2012
