
Trojan.Rensom.B


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Rensom.B is also known as Trojan-Ransom.Win32.VB.a, W32.Randsom.A, Win32.Bogoj.B.

Explanation:

The malware is probably received via an email, carrying the file name "Skype.exe".

When run, it drops three files:

%windows%lsass.exe (detected: Trojan.Rensom.B)
%windows%services.exe (detected: Trojan.VB.NXI)
%windows%uninstlv16.exe (detected: Trojan.Rensom.B)

While the malicious file is running, a forged error message impersonating a system message is displayed. While this alleged system message is on screen, the binary files dropped by the main executable perform the following actions:

The file "%windows%lsass.exe" encrypts almost all of your files (it skips the critical Windows files), probably using Rijndael. After it has finished encrypting part of your files, a window with the following text is displayed:

"Hello,
As you probably already noticed, your files on this PC/laptop are encrypted.
That means you can't use them before you decrypt them.
Decrypting these files without password and proper software is impossible.
I'm the only person in the world who has password and software you need to decrypt your files.
If you want to get ALL your files back to normal, that is,
decrypt them, you'll have to buy decryptor. To buy decrypting tool contact me at: [removed]@yahoo.com or [removed]@gmail.com.
I'll reply within hour or two, and you can have your files back within few minutes after that.
Price for decryptor and password is low, so anyone affected by my encryptor could afford buying it.
I'll also help you delete my encryptor, that you installed on this machine without realizing that.

Also note that most of your private information is collected and sent to me.
In case you don't contact me, I'll sell your private information data (like email account logins, credit card numbers, paypal account logins, etc).
In case you do contact me and we reach agreement, I'll also remove spying tool from your machine, and your private information will be destroyed from my system.

IMPORTANT:
If you want to get your data back, do not remove or install anything on this machine from now on, until you decrypt
all your files.
As I told you already, I'll reply in shortest possible time, most probably minutes, or in worst case few hours after you send me your message. I'm sorry for trouble I caused you, but this is mostly your fault :)
I hope we will solve your computer problem, and I'm looking for friendly relationship with you.

Please be smart :=)

Good day. "

The files "%windows%services.exe" and "%windows%uninstlv16.exe" spread the original infection to all available removable disks. They copy the malware under the name "Skype.exe" and create an "autorun.inf" so that the file is executed when the removable disk is plugged into another computer.
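As an added defender-side check (example code, not part of the BitDefender description), the script below covers both the dropped files and the removable-disk spreading described above: it parses an autorun.inf for entries that would launch a file named "Skype.exe", and flags copies of the three dropped file names sitting directly in the Windows directory, where the genuine lsass.exe and services.exe never live (they reside in %windows%\System32). The autorun.inf key names are the standard ones and are an assumption, since the page does not quote the file; the sample inputs are constructed.

```python
import configparser
from pathlib import PureWindowsPath

# Indicators named in the description: the spreader copy and the three dropped files.
SPREADER_NAME = "skype.exe"
DROPPED_NAMES = {"lsass.exe", "services.exe", "uninstlv16.exe"}
# Standard autorun.inf keys that name a program to run (assumed; the page does not quote the file).
LAUNCH_KEYS = ("open", "shellexecute")


def autorun_targets(inf_text):
    """Return the lower-cased base names of the programs an autorun.inf would launch."""
    parser = configparser.RawConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(inf_text)
    except configparser.Error:
        return []  # malformed file: no parseable launch entry
    if not parser.has_section("autorun"):
        return []
    targets = []
    for key, value in parser.items("autorun"):  # configparser lower-cases the keys
        is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if is_launch and value.strip():
            program = value.strip().split()[0].strip('"')  # drop arguments and quotes
            targets.append(PureWindowsPath(program).name.lower())
    return targets


def autorun_launches_spreader(inf_text):
    """True when the autorun.inf would start a file named Skype.exe."""
    return SPREADER_NAME in autorun_targets(inf_text)


def suspicious_drops(paths):
    """Flag the dropped names when they sit directly in the Windows directory."""
    # Genuine lsass.exe and services.exe live in %windows%\System32, one level deeper.
    hits = []
    for raw in paths:
        parts = PureWindowsPath(raw).parts  # e.g. ('C:\\', 'Windows', 'lsass.exe')
        if len(parts) == 3 and parts[1].lower() == "windows" and parts[2].lower() in DROPPED_NAMES:
            hits.append(raw)
    return hits


# Constructed sample inputs, not captured from a real infection.
SAMPLE_INF = "[autorun]\nopen=Skype.exe\nshell\\open\\command=Skype.exe /s\nicon=Skype.exe\n"
BENIGN_INF = "[autorun]\nicon=setup.ico\nlabel=Holiday photos\n"
SAMPLE_PATHS = [r"C:\Windows\lsass.exe", r"C:\Windows\System32\lsass.exe",
                r"C:\Windows\uninstlv16.exe", r"C:\Windows\notepad.exe"]
```

Running `suspicious_drops` over a real file listing only narrows down candidates; the names alone are not proof, so confirm with the detection names given above.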

At the moment, BitDefender cannot provide users with a decryption tool, as the key used by the malware author(s) varies from one infection to another.

Last update 21 November 2011
