
Trojan:Win32/Zlader.A


First posted on 18 November 2015.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Zlader.A.

Explanation:

Threat behavior

Installation

This threat can create the following files on your PC:

  • %APPDATA%\CONFIRMATION.KEY
  • %APPDATA%\Vault.hta
  • %APPDATA%\Vault.KEY
  • C:\Vault.hta
  • C:\VAULT.KEY
  • %USERPROFILE%\desktop\Vault.hta
  • %USERPROFILE%\desktop\Vault.KEY
  • %USERPROFILE%\templates\CONFIRMATION.KEY
  • %USERPROFILE%\templates\Vault.hta
  • %USERPROFILE%\templates\Vault.KEY
  • \fontcore\fontcore.lnk
  • \fontcore\fontcore.exe


It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Fontcore"
With data: "\fontcore\fontcore.lnk"

Payload

This malware encrypts files on your PC with a public key. Decrypting them requires the matching private key, which is held on a remote server under the attacker's control, so the encrypted files cannot be recovered from the infected PC alone.

It encrypts files with the following extensions:

  • .1cd
  • .cdf
  • .cdr
  • .dbf
  • .doc
  • .docm
  • .docx
  • .dwg
  • .jpeg
  • .jpg
  • .mbd
  • .pdf
  • .psd
  • .rtf
  • .sqlite
  • .xls
  • .xlsm
  • .xlsx
  • .zip


It renames encrypted files using the following format:

  • .vault


It then displays a lock screen telling you that you can recover the files through a personal link that leads to a Tor web page asking for payment (inaccessible at the time of writing). It displays its ransom image every time you restart your PC:



We have seen it contact the following URL, which is currently unavailable:

  • hxxp://waveiscomingsoon.com/v.php?gate=void
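The indicators in the Installation and Payload sections above can be turned into an offline triage check. The Python script below is an added example and is not part of Microsoft's description: it matches the dropped-file paths against a host file listing (expanding %APPDATA% and %USERPROFILE% with assumed values), flags the Fontcore Run value, and pairs each .vault file with the name it had before renaming, reporting whether that name carries one of the targeted extensions. The file listing, registry values and profile paths are constructed samples, and the .vault suffix is assumed to be appended to the original filename, which the description does not spell out.

```python
# Added example: offline triage for the Zlader.A / Vault indicators above.
# All host data here is constructed; nothing is read from a real system.
import ntpath

# Indicators exactly as the description lists them (env-var form kept).
DROPPED_FILES = [
    r"%APPDATA%\CONFIRMATION.KEY", r"%APPDATA%\Vault.hta", r"%APPDATA%\Vault.KEY",
    r"C:\Vault.hta", r"C:\VAULT.KEY",
    r"%USERPROFILE%\desktop\Vault.hta", r"%USERPROFILE%\desktop\Vault.KEY",
    r"%USERPROFILE%\templates\CONFIRMATION.KEY", r"%USERPROFILE%\templates\Vault.hta",
    r"%USERPROFILE%\templates\Vault.KEY",
    r"\fontcore\fontcore.lnk", r"\fontcore\fontcore.exe",   # drive-relative in the description
]
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Fontcore"
RUN_DATA = r"\fontcore\fontcore.lnk"
TARGET_EXTS = {".1cd", ".cdf", ".cdr", ".dbf", ".doc", ".docm", ".docx", ".dwg", ".jpeg",
               ".jpg", ".mbd", ".pdf", ".psd", ".rtf", ".sqlite", ".xls", ".xlsm", ".xlsx", ".zip"}
RANSOM_EXT = ".vault"

# Assumed profile locations for the sample host (constructed, not from the page).
SAMPLE_ENV = {"%APPDATA%": r"C:\Users\alice\AppData\Roaming", "%USERPROFILE%": r"C:\Users\alice"}

def normalize(path):
    # Windows paths are case-insensitive; compare lower-cased with backslashes only.
    return path.replace("/", "\\").lower()

def expand(path, env):
    for var, value in env.items():
        path = path.replace(var, value)
    return path

def find_dropped_files(file_listing, env=SAMPLE_ENV):
    # Returns the dropped-file indicators present in a host file listing. The two
    # fontcore entries carry no drive letter, so they are matched as a path suffix.
    seen = {normalize(p) for p in file_listing}
    hits = []
    for ioc in DROPPED_FILES:
        expected = normalize(expand(ioc, env))
        if expected in seen or (ioc.startswith("\\") and any(p.endswith(expected) for p in seen)):
            hits.append(ioc)
    return hits

def find_run_key(registry_values):
    # registry_values: (key, value_name, data) tuples, e.g. parsed from a .reg export.
    # Flags the documented "Fontcore" value, and any Run value whose data points into
    # a fontcore directory in case only the value name was changed.
    hits = []
    for key, name, data in registry_values:
        if normalize(key) != normalize(RUN_KEY):
            continue
        if name.lower() == RUN_VALUE.lower() or "\\fontcore\\" in normalize(data):
            hits.append((key, name, data))
    return hits

def find_encrypted_files(file_listing):
    # Pairs each *.vault file with its pre-rename name, assuming the suffix is
    # appended to the original name (the description gives only the suffix).
    # targeted=False means the recovered extension is not on the encrypted list,
    # so the file does not fit the documented pattern and deserves a manual look.
    results = []
    for path in file_listing:
        if not normalize(path).endswith(RANSOM_EXT):
            continue
        original = path[:-len(RANSOM_EXT)]
        targeted = ntpath.splitext(original)[1].lower() in TARGET_EXTS
        results.append((path, original, targeted))
    return results

def triage(file_listing, registry_values, env=SAMPLE_ENV):
    return {"dropped_files": find_dropped_files(file_listing, env),
            "run_key": find_run_key(registry_values),
            "encrypted": find_encrypted_files(file_listing)}

# Constructed sample host data.
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Roaming\Vault.hta",
    r"C:\Users\alice\AppData\Roaming\VAULT.KEY",    # case differs from the indicator
    r"C:\Users\alice\Desktop\Vault.hta",
    r"C:\fontcore\fontcore.lnk",
    r"C:\fontcore\fontcore.exe",
    r"C:\Users\alice\Documents\budget.xlsx.vault",
    r"C:\Users\alice\Pictures\holiday.jpg.vault",
    r"C:\Users\alice\Documents\notes.txt",          # untouched: .txt is not targeted
    r"C:\Users\alice\Documents\readme.txt.vault",   # renamed, but .txt is not on the list
]
SAMPLE_REGISTRY = [
    (RUN_KEY, "Fontcore", RUN_DATA),
    (RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    for section, items in triage(SAMPLE_LISTING, SAMPLE_REGISTRY).items():
        print(section, *items, sep="\n  ")
```

On a live host the same three checks take a recursive directory listing (Get-ChildItem -Recurse in PowerShell) and the values under the Run key (Get-ItemProperty) as input; the env-var map must then be filled from the affected user's real profile rather than the assumed values above. Note that the suffix match for the two fontcore entries will also fire on any deeper directory named fontcore, which is acceptable for triage but should be confirmed by hand.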


Additional information

Read more about keeping safe online:

  • Six tips to help you stay safer online provides basic guidance on protecting devices, information, and your family on the Internet.
  • How to recognize phishing email messages, links, or phone calls provides basic guidance on spotting suspicious emails and avoiding their scams.




Analysis by Donna Sibangan

Symptoms

The following can indicate that you have this threat on your PC:
  • You cannot open the following types of files:
    • .1cd
    • .cdf
    • .cdr
    • .dbf
    • .doc
    • .docm
    • .docx
    • .dwg
    • .jpeg
    • .jpg
    • .mbd
    • .pdf
    • .psd
    • .rtf
    • .sqlite
    • .xls
    • .xlsm
    • .xlsx
    • .zip
  • You have these files:
    • %APPDATA%\CONFIRMATION.KEY
    • %APPDATA%\Vault.hta
    • %APPDATA%\Vault.KEY
    • C:\Vault.hta
    • C:\VAULT.KEY
    • %USERPROFILE%\desktop\Vault.hta
    • %USERPROFILE%\desktop\Vault.KEY
    • %USERPROFILE%\templates\CONFIRMATION.KEY
    • %USERPROFILE%\templates\Vault.hta
    • %USERPROFILE%\templates\Vault.KEY
    • \fontcore\fontcore.lnk
    • \fontcore\fontcore.exe
  • You see these entries or keys in your registry:
    • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "Fontcore"
      With data: "\fontcore\fontcore.lnk"
  • You see one of these lock screens:

Last update 18 November 2015
