
Ransom:Win32/Genasom.BQ


First posted on 24 May 2014.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/Genasom.BQ.

Explanation :

Threat behavior

Trojan:Win32/Ransom.BQ is a trojan that encrypts data files on the local drive. The trojan displays a message requesting a sum of money in exchange for decryption of the files.

Installation

This trojan may be installed when visiting a compromised website via a PDF exploit that allows the download and execution of arbitrary code. When the trojan runs, it creates a text file on the Windows desktop named "how to decrypt files.txt". The trojan then executes its file encryption payload.

Payload

Encrypts files using a random key
The trojan searches for data files having the following file extensions:

  • .jpg, .jpeg - JPEG picture file
  • .psd - Adobe Photoshop document
  • .cdr - CorelDRAW Image file
  • .dwg - AutoCAD Drawing Database file
  • .max - 3D modeling scene file
  • .mov - movie file
  • .m2v - MPEG-2 movie file
  • .3gp - 3G (mobile device) audio/video file
  • .doc, .docx - document file
  • .xls, .xlsx - spreadsheet file
  • .ppt, .pptx - Microsoft PowerPoint slideshow
  • .rar, .zip - archive container file
  • .mdb - Microsoft Access database
  • .mp3 - audio file
  • .cer - Internet Security Certificate file
  • .p12 - Personal Information Exchange/SSL certificate file
  • .pfx - Personal Information Exchange/PKCS certificate file
  • .kwm, .pwm - WebMoney secret key file, personal key file
  • .txt - text file
  • .pdf - Portable document format file (commonly Adobe document file)
  • .avi - audio/video file
  • .flv - flash video file
  • .lnk - link/shortcut file
  • .bmp - Bitmap image file
  • .1cd - CD image file
  • .md - compressed file archive
  • .mdf - ISO CD image file
  • .dbf - dBase database
  • .odt - Open Document text file
  • .vob - DVD video object file
  • .ifo - DVD video disc information file
  • .mpeg, .mpg - MPEG video file
For each file found, the trojan encrypts the file using a random cipher key.

Displays "ransom note"

The trojan displays a message using Notepad that requests money in exchange for decrypting files. The text file's content is as follows:

Attention!!!
All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.
There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.
We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.
For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): datafinder @ fastmail.fm

The trojan also creates a Bitmap image in the Temporary files folder (%TEMP%\.bmp) and displays the image:

Analysis by Tim Liu & Shawn Wang

Symptoms

System changes

The following system changes may indicate the presence of this malware:
  • The modification of common data files having any of the following file extensions:
    .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .odt, .vob, .ifo, .mpeg, .mpg
  • The display of the following message requesting money in exchange for a decryption key:
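The symptoms above translate directly into host-based indicators: the ransom-note filename dropped on the desktop, distinctive strings from the note's text, and the set of data-file extensions the trojan targets. The following script is an added example (not part of the original write-up or Microsoft's tooling) that walks a directory tree, flags ransom-note files by name or by marker strings, and counts files with targeted extensions to help size potential impact; the directory layout in `demo()` is constructed sample data.

```python
import os
import tempfile

# Indicators taken from the write-up: the ransom-note filename dropped on the
# desktop and two distinctive strings from the note's text.
RANSOM_NOTE_NAME = "how to decrypt files.txt"
NOTE_MARKERS = (
    "encrypted by a very strong cypher RSA-1024",
    "datafinder @ fastmail.fm",
)
# Data-file extensions listed in the Payload section.
TARGET_EXTS = {
    ".jpg", ".jpeg", ".psd", ".cdr", ".dwg", ".max", ".mov", ".m2v", ".3gp",
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rar", ".zip", ".mdb",
    ".mp3", ".cer", ".p12", ".pfx", ".kwm", ".pwm", ".txt", ".pdf", ".avi",
    ".flv", ".lnk", ".bmp", ".1cd", ".md", ".mdf", ".dbf", ".odt", ".vob",
    ".ifo", ".mpeg", ".mpg",
}

def scan_for_genasom(root):
    """Walk `root` and return the ransom-note paths found plus the number of
    files whose extension is on the trojan's target list."""
    notes, targeted = [], 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in TARGET_EXTS:
                targeted += 1
            if name.lower() == RANSOM_NOTE_NAME:
                notes.append(path)
                continue
            # A note saved under another name still carries the marker strings;
            # only small .txt files are read to keep the scan cheap.
            if ext == ".txt" and os.path.getsize(path) < 65536:
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read()
                if any(marker in text for marker in NOTE_MARKERS):
                    notes.append(path)
    return {"ransom_notes": notes, "targeted_files": targeted}

def demo():
    """Build a constructed (fake) desktop tree and scan it."""
    root = tempfile.mkdtemp()
    desktop = os.path.join(root, "Desktop")
    os.makedirs(desktop)
    with open(os.path.join(desktop, RANSOM_NOTE_NAME), "w") as fh:
        fh.write("Attention!!!\nconstructed sample note: datafinder @ fastmail.fm\n")
    for fname in ("report.docx", "photo.jpg", "notes.md", "readme.html"):
        open(os.path.join(desktop, fname), "w").close()
    return scan_for_genasom(root)
```

Only the four files with listed extensions (the .txt note, .docx, .jpg and .md) are counted as targeted; the .html file is ignored.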

Last update 24 May 2014
