
Ransom:Win32/Nymaim.F


First posted on 14 July 2014.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/Nymaim.F.

Explanation :

Threat behavior

Technical information

Ransom:Win32/Nymaim.F belongs to a family of ransomware that includes components that download other malware and lock your PC.

These threats can be installed on your PC when you visit a malicious or hacked website, or when you click on a malicious link in a spam email.

Installation

When run, Ransom:Win32/Nymaim.F is installed to %TEMP%.tmp.

It then creates copies of itself in %APPDATA% and %windir% using random folder and file names, for example:

  • %APPDATA%\bcridky\xslycmi.exe
  • %APPDATA%\ddhvq\hyxgibs.gwx
  • %APPDATA%\hgo\vmaun.exe
  • %APPDATA%\ihxvk\wvnl.jtt
  • %APPDATA%\one\gtqmu.dwx
  • %windir%\oftxftc.rhs


It modifies the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "", for example, "4ld5tr"
With data: "%APPDATA%\.exe", for example, "%APPDATA%\hgo\vmaun.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%APPDATA%\.exe,explorer.exe"

Payload

Injects malicious code into other processes

Ransom:Win32/Nymaim.F injects malicious code into other processes using CreateRemoteThread and WriteProcessMemory. As a result, an infected machine will have known and trusted processes performing HTTP requests, for example:

  • explorer.exe connecting to afkkcfjjg.biz at TCP port 80
  • explorer.exe connecting to gefesosexwithjimmy.org at TCP port 80
  • explorer.exe connecting to oiksixvj.net at TCP port 80
  • explorer.exe connecting to rvebpzja.net at TCP port 80
  • explorer.exe connecting to ykbjkuu.ru at TCP port 80


It is also likely that more processes perform remote connection activities to access multiple websites in the background.

Locks your PC

Ransom:Win32/Nymaim.F can lock your PC screen, preventing you from using or accessing your files. It can display a webpage from the remote host accessed by the HTTP request. The webpage has a message that tells you your PC is locked and that you must enter your sensitive information or pay money to regain access to your PC.

Additional information

TrojanDownloader:Win32/Nymaim.C may download and install this threat.

We have also seen infected machines with traces of other malware, including:

  • Backdoor:Win32/Vawtrak.A
  • Trojan:Win32/Miuref
  • VirTool:Win32/VBInject.gen!LE


A running process detected as Ransom:Win32/Nymaim.F might look like a legitimate application when inspected by file information, for example:

CompanyName: Faronics Corporation
FileDescription: Deep Freeze service
InternalName: DFServ.exe
LegalCopyright: Copyright © 1999-2013 Faronics Corporation
OriginalFilename: DFServEx.exe
ProductName: Deep Freeze

Further reading


Nymaim: Browsing for trouble



Analysis by Methusela Cebrian Ferrer

Symptoms

The following could indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:


    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Sets value: "", for example, "4ld5tr"
    With data: "%APPDATA%\.exe", for example, "%APPDATA%\hgo\vmaun.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "Shell"
    With data: "%APPDATA%\.exe,explorer.exe"
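The two registry locations listed under Installation and again under Symptoms can be checked with the following PowerShell script. It is an added example, not part of the Microsoft write-up: it flags a Winlogon Shell value that is anything other than explorer.exe and RunOnce commands that launch an executable from a subfolder of %APPDATA%. The function name Find-NymaimPersistence and the path regex are this example's own heuristics, not a signature, and the script assumes it is run from an elevated prompt on the suspect host.

```powershell
# Added example (not from the original page): look for the persistence
# entries this write-up describes. Heuristic only; review any hit manually.
function Find-NymaimPersistence {
    $findings = @()

    # 1. Winlogon Shell must be exactly "explorer.exe". Nymaim.F prepends its
    #    own copy: "<AppData path>\<random>.exe,explorer.exe".
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim().ToLower() -ne 'explorer.exe') {
        $findings += [pscustomobject]@{
            Location = "$winlogon\Shell"
            Value    = $shell
            Reason   = 'Winlogon Shell is not exactly explorer.exe'
        }
    }

    # 2. RunOnce values whose command runs an .exe from a subfolder of AppData,
    #    e.g. "%APPDATA%\hgo\vmaun.exe" (value name is random, so scan them all).
    $runOnce   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $psNoise   = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $pattern   = '(?i)(%APPDATA%|\\AppData\\Roaming)\\[^\\]+\\[^\\]+\.exe'
    $props = Get-ItemProperty -Path $runOnce -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }   # provider metadata, not a value
            $cmd = [string]$p.Value
            if ($cmd -match $pattern) {
                $findings += [pscustomobject]@{
                    Location = "$runOnce\$($p.Name)"
                    Value    = $cmd
                    Reason   = 'RunOnce launches an executable from an AppData subfolder'
                }
            }
        }
    }
    return $findings
}

$hits = Find-NymaimPersistence
if ($hits.Count -eq 0) {
    Write-Output 'No Nymaim.F-style persistence entries found.'
} else {
    $hits | Format-Table -AutoSize
}
```

A hit on the Winlogon Shell value should be remediated by restoring it to explorer.exe only after the referenced executable has been removed, otherwise the next logon still launches the locker.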

Last update 14 July 2014
