Trojan.Ransomcrypt.S
First posted on 23 April 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Ransomcrypt.S.
Explanation:
Trojan.Ransomcrypt.S is a Trojan horse that encrypts certain files on the compromised computer and asks the user to pay to have them decrypted.
Once executed, the Trojan copies itself to the following location:
%Temp%\reg.dll
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"WINUP" = "regsvr32 "%Temp%\reg.dll"
The Trojan may then connect to the following remote location:
65.49.8.104
Next, the Trojan downloads the following files:
%Temp%\t0.da0
%Temp%\t0.daa
%Temp%\t0.da1
The Trojan then encrypts files on the compromised computer with the following extensions:
.txt .html .htm .css .wmv .wallt .odt .ods .odp .odm .odc .odb .doc .docx .docm .wps .xls .xlsx .xlsm .xlsb .xlk .ppt .pptx .pptm .mdb .accdb .pst .dwg .dxf .dxg .wpd .rtf .wb2 .mdf .dbf .psd .pdd .pdf .eps .ai .indd .cdr .jpg .jpe .jpg .dng .3fr .arw .srf .sr2 .bay .crw .cr2 .dcr .kdc .erf .mef .mrw .nef .nrw .orf .raf .raw .rwl .rw2 .r3d .ptx .pef .srw .x3f .der .cer .crt .pem .pfx .p12 .p7b .p7c
The Trojan then drops and opens the following file:
%SystemDrive%\Documents and Settings\All Users\Desktop\HELP_DECRYPT.HTML
The Trojan displays a message on the compromised computer asking the user for payment in order to decrypt the files.
Last update 23 April 2015
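The artifacts above (the WINUP Run value, the files dropped in %Temp%, the ransom note and the remote address) can be checked on a suspect host with the following triage script. It is an added example, not code from the Symantec write-up; it assumes Windows 8 / PowerShell 4 or later (for Get-FileHash and Get-NetTCPConnection), and the %PUBLIC%\Desktop note path is an assumed equivalent of the XP-era "All Users" path given on the page.

```powershell
# Host triage for the Trojan.Ransomcrypt.S indicators in the write-up.
# Added example, not part of the original advisory. Run elevated.
$findings = @()

# 1. Persistence: HKCU\...\Run\WINUP launching regsvr32 on %Temp%\reg.dll.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$winup = (Get-ItemProperty -Path $runKey -Name 'WINUP' -ErrorAction SilentlyContinue).WINUP
if ($winup -and $winup -match 'regsvr32' -and $winup -match 'reg\.dll') {
    $findings += [pscustomobject]@{ Indicator = 'Run value WINUP'; Detail = $winup }
}

# 2. Dropped files in %Temp%: the copied loader plus the three downloaded files.
foreach ($name in 'reg.dll', 't0.da0', 't0.daa', 't0.da1') {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) {
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Indicator = "File $name"; Detail = "$path SHA256=$sha256" }
    }
}

# 3. Ransom note. The write-up gives the XP-era "All Users" desktop path;
#    the %PUBLIC%\Desktop path is an assumption for Vista and later.
$notePaths = @(
    "$env:SystemDrive\Documents and Settings\All Users\Desktop\HELP_DECRYPT.HTML",
    (Join-Path $env:PUBLIC 'Desktop\HELP_DECRYPT.HTML')
)
foreach ($path in $notePaths) {
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Indicator = 'Ransom note'; Detail = $path }
    }
}

# 4. Network: current TCP connections to the remote address named in the write-up.
$c2 = Get-NetTCPConnection -RemoteAddress '65.49.8.104' -ErrorAction SilentlyContinue
foreach ($conn in $c2) {
    $proc = (Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $detail = "pid $($conn.OwningProcess) ($proc) -> $($conn.RemoteAddress):$($conn.RemotePort) [$($conn.State)]"
    $findings += [pscustomobject]@{ Indicator = 'Remote connection'; Detail = $detail }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Ransomcrypt.S indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the Run value and %Temp% are per user, run the script as (or load the registry hive and profile of) each account that has logged on to the host, not only the account doing the triage.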