
TrojanDownloader:PowerShell/Roduk.A


First posted on 04 June 2015.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:PowerShell/Roduk.A.

Explanation:

Threat behavior

Installation

This threat is a detection for one of the PowerShell file components of Ransom:Powershell/Roduk. The component downloads and runs Ransom:Powershell/Roduk over HTTP from:

  • http://193.230.220.38/wall/encrypt.ps1


It can create the following files on your PC:

  • c:\1\locked.bmp - ransom wallpaper image
  • c:\1\reflect.dll - detected as Ransom:Win32/Roduk.A!dll
  • c:\1\t.dll - detected as Ransom:Win32/Roduk.A!dll
  • %desktop%\encrypted.htm - list of encrypted files
  • %desktop%\qwer.html - ransom html page
  • %desktop%\qwer2.html - ransom html page


Payload

Encrypts your files

This threat can search your PC for any files with the following extensions:

  • .ai
  • .crt
  • .csv
  • .db
  • .doc
  • .docm
  • .docx
  • .dotx
  • .gif
  • .jpeg
  • .jpg
  • .lnk
  • .mp3
  • .msi
  • .ods
  • .one
  • .ost
  • .p12
  • .pdf
  • .pem
  • .pps
  • .ppsx
  • .ppt
  • .pptx
  • .psd
  • .pst
  • .pub
  • .rar
  • .raw
  • .rtf
  • .tif
  • .txt
  • .vsdx
  • .wma
  • .xls
  • .xlsm
  • .xlsx
  • .xml
  • .zip


It encrypts any files that it finds and displays the following messages:







Deletes backup files

This threat also tries to stop you from restoring your files from backup. It does this by:

  • Deleting shadow files to prevent you from restoring your files from a local backup
  • Disabling Startup Repair and Windows Error Recovery on system startup
  • Disabling System Restore
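The following is an added example, not part of Microsoft's description, showing how a defender might match host telemetry against the indicators this page gives: the download URL and dropped files from the Installation section, and the backup-tampering behaviours listed above. The page names those behaviours but not the commands; the vssadmin, bcdedit and System Restore patterns are the usual Windows commands for each action and are an assumption about this sample, as is the "source|value" telemetry format used for the constructed sample events.

```python
import re

# Indicators copied from the page's Installation and Symptoms sections.
DOWNLOAD_URL = "http://193.230.220.38/wall/encrypt.ps1"
DROPPED_FILES = [
    r"c:\\1\\locked\.bmp", r"c:\\1\\reflect\.dll", r"c:\\1\\t\.dll",
    # %desktop% on the page is treated as any user's Desktop folder.
    r"\\desktop\\encrypted\.htm", r"\\desktop\\qwer\.html", r"\\desktop\\qwer2\.html",
]
# Assumed patterns: the page states the behaviour, not the command line used.
BACKUP_TAMPERING = {
    "shadow_copy_deletion": r"vssadmin(\.exe)?\s+delete\s+shadows",
    "startup_repair_disabled":
        r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    "system_restore_disabled": r"disable-computerrestore|\\systemrestore.*disablesr",
}

def classify(event: str):
    """Map one 'source|value' telemetry line to an indicator name, or None."""
    source, _, value = event.partition("|")
    v = value.lower()
    if source == "proxy" and v == DOWNLOAD_URL:
        return "downloader_url"
    if source == "file" and any(re.search(p, v) for p in DROPPED_FILES):
        return "dropped_file"
    if source == "proc":
        for name, pattern in BACKUP_TAMPERING.items():
            if re.search(pattern, v):
                return name
    return None

def scan(events):
    """Group matching events by indicator; an empty dict means nothing matched."""
    hits = {}
    for e in events:
        tag = classify(e)
        if tag:
            hits.setdefault(tag, []).append(e)
    return hits

# Constructed sample telemetry (not taken from the page) in 'source|value' form.
SAMPLE_EVENTS = [
    "proxy|http://193.230.220.38/wall/encrypt.ps1",
    "file|C:\\1\\reflect.dll",
    "file|C:\\Users\\alice\\Desktop\\encrypted.htm",
    "proc|vssadmin.exe delete shadows /all /quiet",
    "proc|bcdedit.exe /set {default} recoveryenabled No",
    "proc|notepad.exe C:\\Users\\alice\\notes.txt",
    "file|C:\\Users\\alice\\Desktop\\report.docx",
]

if __name__ == "__main__":
    for tag, lines in scan(SAMPLE_EVENTS).items():
        print(tag, lines)
```

Any hit on the download URL or the dropped files is specific to this family; the backup-tampering matches are generic ransomware behaviour and worth alerting on regardless of which family produced them.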




Analysis by Jireh Sanico

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:
    • c:\1\locked.bmp - ransom wallpaper image
    • c:\1\reflect.dll - detected as Ransom:Win32/Roduk.A!dll
    • c:\1\t.dll - detected as Ransom:Win32/Roduk.A!dll
    • %desktop%\encrypted.htm - list of encrypted files
    • %desktop%\qwer.html - ransom html page
    • %desktop%\qwer2.html - ransom html page
  • You see these messages:









Last update 04 June 2015
