
Trojan.Ransomcrypt.Z


First posted on 13 January 2016.
Source: Symantec

Aliases :

There are no other names known for Trojan.Ransomcrypt.Z.

Explanation :

When executed, the Trojan displays a fake error dialog box.



Next, the Trojan creates the following files:
%UserProfile%\Desktop\ATTENTION.RTF
%UserProfile%\Desktop\Decryptor.lnk
%UserProfile%\Application Data\lansrv.exe
%UserProfile%\Application Data\lansrv.ini
The Trojan then creates the following registry entry, so that it is executed every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"LanmanServer" = "%UserProfile%\Application Data\lansrv.exe"

The Trojan then encrypts files with the following extensions:
3dm 3g2 3gp aaf accdb aep aepx aet ai aif arw as as3 asf asp asx avi bay bmp cdr cer class cpp cr2 crt crw cs csv db dbf dcr der dng doc docb docm docx dot dotm dotx dwg dxf dxg efx eps erf fla flv idml iff indb indd indl indt inx jar java jpeg jpg kdc m3u m3u8 m4u max mdb mdf mef mid mov mp3 mp4 mpa mpeg mpg mrw msg nef nrw odb odc odm odp ods odt orf p12 p7b p7c pdb pdf pef pem pfx php plb pmd pot potm potx ppam ppj pps ppsm ppsx ppt pptm pptx prel prproj ps psd pst ptx r3d ra raf rar raw rb rtf rw2 rwl sdf sldm sldx sql sr2 srf srw svg swf tif vcf vob wav wb2 wma wmv wpd wps x3f xla xlam xlk xll xlm xls xlsb xlsm xlsx xlt xltm xltx xlw xml xqx zip
It also encrypts files whose extension is, begins with, or ends with any of the following strings:
game grlemlx sav slotspv sv5
The Trojan registers the infection by sending ICMP packets to the following IP address:
52.91.55.122
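The indicators above can be turned directly into triage logic. The following is an added example, not Symantec's code or anything shipped with the Trojan: it encodes the extension rules (including the prefix/suffix rule for the save-game strings), scans a `reg export`-style dump of the HKCU Run key for the persistence entry, and picks ICMP traffic to the registration address out of flow records. The registry dump, flow lines and file names are constructed sample input; the extension and partial-extension lists are copied as printed in the write-up.

```python
"""Host and network triage helpers built from the published indicators for
Trojan.Ransomcrypt.Z. Added example, not the vendor's code; all sample
inputs below are constructed."""
import ntpath
import re

# Extensions the Trojan encrypts, as listed in the write-up.
ENCRYPTED_EXTENSIONS = frozenset("""
3dm 3g2 3gp aaf accdb aep aepx aet ai aif arw as as3 asf asp asx avi bay bmp cdr cer class
cpp cr2 crt crw cs csv db dbf dcr der dng doc docb docm docx dot dotm dotx dwg dxf dxg efx
eps erf fla flv idml iff indb indd indl indt inx jar java jpeg jpg kdc m3u m3u8 m4u max mdb
mdf mef mid mov mp3 mp4 mpa mpeg mpg mrw msg nef nrw odb odc odm odp ods odt orf p12 p7b
p7c pdb pdf pef pem pfx php plb pmd pot potm potx ppam ppj pps ppsm ppsx ppt pptm pptx prel
prproj ps psd pst ptx r3d ra raf rar raw rb rtf rw2 rwl sdf sldm sldx sql sr2 srf srw svg
swf tif vcf vob wav wb2 wma wmv wpd wps x3f xla xlam xlk xll xlm xls xlsb xlsm xlsx xlt
xltm xltx xlw xml xqx zip
""".split())

# Strings matched as the whole extension, or as its prefix or suffix
# (save-game formats); copied as printed in the write-up.
PARTIAL_EXTENSIONS = ("game", "grlemlx", "sav", "slotspv", "sv5")

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "LanmanServer"   # named after the legitimate Server service
DROPPED_BINARY = "lansrv.exe"
C2_ADDRESS = "52.91.55.122"


def is_targeted(path):
    """Return True if the Trojan would encrypt a file with this name."""
    name = ntpath.basename(path)           # accepts both \ and / separators
    _, dot, ext = name.rpartition(".")
    if not dot or not ext:                 # no extension at all
        return False
    ext = ext.lower()
    if ext in ENCRYPTED_EXTENSIONS:
        return True
    # Partial rule: exact, prefix or suffix match on the extension.
    return any(ext == s or ext.startswith(s) or ext.endswith(s)
               for s in PARTIAL_EXTENSIONS)


_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def suspicious_run_entries(reg_export):
    """Scan a `reg export` style dump and return (value name, command) pairs
    under the HKCU Run key that match the Trojan's persistence entry."""
    hits = []
    in_run_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):           # key header: [HKEY_...\Run]
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = _REG_VALUE.match(line)
        if not m:
            continue
        # reg export doubles backslashes inside REG_SZ values; undo that.
        name, command = m.group(1), m.group(2).replace("\\\\", "\\")
        if name.lower() == RUN_VALUE_NAME.lower() or DROPPED_BINARY in command.lower():
            hits.append((name, command))
    return hits


def icmp_beacons(flow_lines):
    """Return flow records that are ICMP to the registration address.
    Constructed record format: '<timestamp> <proto> <src> -> <dst> <extra>'."""
    hits = []
    for line in flow_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[1].upper() == "ICMP" and parts[4] == C2_ADDRESS:
            hits.append(line)
    return hits


# Constructed sample input (not captured from a real infection).
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"LanmanServer"="C:\\Users\\bob\\Application Data\\lansrv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\Windows\\System32\\oobe\\setup.exe"
'''

SAMPLE_FLOWS = [
    "2016-01-13T10:02:11 ICMP 10.0.0.5 -> 52.91.55.122 type=8",
    "2016-01-13T10:02:12 TCP 10.0.0.5 -> 52.91.55.122 dport=443",
    "2016-01-13T10:02:13 ICMP 10.0.0.5 -> 8.8.8.8 type=8",
]

if __name__ == "__main__":
    for f in (r"C:\Users\bob\Documents\budget.xlsx", "level3.sav", "notes.txt"):
        print(f, "->", "encrypted" if is_targeted(f) else "left alone")
    print(suspicious_run_entries(SAMPLE_REG_EXPORT))
    print(icmp_beacons(SAMPLE_FLOWS))
```

Two caveats when using this on a live host. On Windows Vista and later, `%UserProfile%\Application Data` is a junction to `%AppData%` (`...\AppData\Roaming`), so a hunt for `lansrv.exe` and `lansrv.ini` should look under `%AppData%`, which is where the write-up's path resolves. The ICMP indicator is a single IP address from 2016; treat a match as a lead to be confirmed against the file and registry artifacts rather than as proof on its own.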

The Trojan then displays a ransom note demanding payment for the files to be decrypted.

Last update 13 January 2016
