
Trojan.Ransomcrypt.I


First posted on 17 May 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Ransomcrypt.I.

Explanation:

When the Trojan is executed, it creates the following files:
%UserProfile%\Application Data\BitCrypt.txt
%UserProfile%\Application Data\[RANDOM FILE NAME].exe
%UserProfile%\Application Data\bitcrypt.ccw
%UserProfile%\Application Data\BitCrypt.bmp
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Bitcomint" = ""%UserProfile%\Application Data\[RANDOM FILE NAME].exe""

It also creates the following registry entry:
HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "%UserProfile%\Application Data\BitCrypt.bmp"

Next, the Trojan deletes the following registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
The Trojan encrypts files with the following extensions on the compromised computer:
.bpg .cdr .cdt .cdx .cer .dbf .dfm .djv .djvu .doc .docm .docx .dpk .dpr .frm .js .key .lzo .mdb .mde .pas .pdf .php .ppt .rtf .text .txt .vbp .xfm .xlc .xlk .xls .xlsm .xlsx .xlw
The Trojan then appends the string .bitcrypt2 to the extension of each encrypted file. For example, file.txt would be changed to file.txt.bitcrypt2.

Next, it drops the following file in any folder containing files encrypted by the Trojan:
BitCrypt.txt

The Trojan disables Windows System Recovery and restricts access to Windows Boot Manager.

It then changes the desktop background image to display a note informing the user that the computer has been infected.

The Trojan then displays a ransom message, in multiple languages, asking for money for the files to be decrypted.
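The indicators above (the "Bitcomint" Run value, the wallpaper pointing at BitCrypt.bmp, the missing SafeBoot subkeys, the .bitcrypt2 suffix and the dropped BitCrypt.txt notes) can be checked offline against collected artifacts. The following Python triage script is an added example and is not part of the Symantec writeup or of any vendor tool. It parses a registry export in the .reg text format and a plain list of file paths; both inputs below are constructed sample data, and the file name qzkdmw.exe stands in for the writeup's [RANDOM FILE NAME].

```python
import os
import re
from typing import Dict, List

# Indicators transcribed from the writeup above.
TARGET_EXTENSIONS = set(
    ".bpg .cdr .cdt .cdx .cer .dbf .dfm .djv .djvu .doc .docm .docx .dpk .dpr "
    ".frm .js .key .lzo .mdb .mde .pas .pdf .php .ppt .rtf .text .txt .vbp .xfm "
    ".xlc .xlk .xls .xlsm .xlsx .xlw".split()
)
ENCRYPTED_SUFFIX = ".bitcrypt2"
NOTE_FILENAME = "bitcrypt.txt"       # file names are compared case-insensitively
WALLPAPER_FILENAME = "bitcrypt.bmp"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Bitcomint"
DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
SAFEBOOT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)

# Constructed sample .reg export (not from a real host). The SafeBoot key is
# present but its Minimal and Network subkeys are gone, as the writeup describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Bitcomint"="\"C:\\Users\\alice\\Application Data\\qzkdmw.exe\""

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Users\\alice\\Application Data\\BitCrypt.bmp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
'''

# Constructed sample directory listing (not from a real host).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.bitcrypt2",
    r"C:\Users\alice\Documents\thesis.docx.bitcrypt2",
    r"C:\Users\alice\Documents\BitCrypt.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Pictures\BitCrypt.txt",
    r"C:\Users\alice\Desktop\notes.text.bitcrypt2",
    r"C:\Users\alice\Desktop\archive.zip.bitcrypt2",  # .zip is not on the published list
]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format needed here: [key] headers followed by
    "name"="data" lines. Quoted string data is unescaped (\\\\ -> \\, \\" -> ");
    other data types (hex:, dword:) are kept as raw text. Returns key -> {name: data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def check_registry(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings for the registry indicators in the writeup."""
    findings = []
    run = keys.get(RUN_KEY, {})
    if RUN_VALUE_NAME in run:
        findings.append(f"Run value {RUN_VALUE_NAME!r} present -> {run[RUN_VALUE_NAME]}")
    wallpaper = keys.get(DESKTOP_KEY, {}).get("Wallpaper", "")
    if wallpaper.lower().endswith(WALLPAPER_FILENAME):
        findings.append(f"Wallpaper points at ransom note image: {wallpaper}")
    # Only meaningful if the export actually covered the SafeBoot tree; an export
    # limited to HKCU would report both subkeys missing for the wrong reason.
    for key in SAFEBOOT_KEYS:
        if key not in keys:
            findings.append(f"SafeBoot subkey missing: {key}")
    return findings


def check_files(paths: List[str]) -> Dict[str, List[str]]:
    """Classify paths: encrypted files whose original extension is on the published
    list, dropped notes, and .bitcrypt2 files whose original extension is not on
    the list (worth a second look, since they deviate from the writeup)."""
    report: Dict[str, List[str]] = {"encrypted": [], "notes": [], "unexpected_suffix": []}
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        lower = name.lower()
        if lower == NOTE_FILENAME:
            report["notes"].append(path)
        elif lower.endswith(ENCRYPTED_SUFFIX):
            original_ext = os.path.splitext(name[: -len(ENCRYPTED_SUFFIX)])[1].lower()
            bucket = "encrypted" if original_ext in TARGET_EXTENSIONS else "unexpected_suffix"
            report[bucket].append(path)
    return report


if __name__ == "__main__":
    for finding in check_registry(parse_reg_export(SAMPLE_REG)):
        print("[registry]", finding)
    for bucket, paths in check_files(SAMPLE_LISTING).items():
        for path in paths:
            print(f"[{bucket}]", path)
```

On a live host the registry input would come from an export of the Run, Desktop and SafeBoot keys and the listing from a recursive directory walk; the script itself never touches the system, so it can be run on evidence copied off the machine.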

Last update 17 May 2014
