
Trojan.Ransomcrypt.Y


First posted on 06 January 2016.
Source: Symantec

Aliases :

There are no other names known for Trojan.Ransomcrypt.Y.

Explanation :

Once executed, the Trojan creates the following files:
%UserProfile%\Application Data\Chrome Browser\chrome
%UserProfile%\Application Data\Chrome Browser\chrome.exe
%UserProfile%\Application Data\Chrome Browser\ffmpegsumo.dll
%UserProfile%\Application Data\Chrome Browser\g
%UserProfile%\Application Data\Chrome Browser\icudtl.dat
%UserProfile%\Application Data\Chrome Browser\locales
%UserProfile%\Application Data\Chrome Browser\msgbox.vbs
%UserProfile%\Application Data\Chrome Browser\n.l
%UserProfile%\Application Data\Chrome Browser\n.q
%UserProfile%\Application Data\Chrome Browser\nw.pak
%UserProfile%\Application Data\Chrome Browser\rundll32.exe
%UserProfile%\Application Data\Chrome Browser\s.exe
%UserProfile%\Application Data\Chrome Browser\u.vbs
%UserProfile%\Local Settings\Temp\nw[FOUR RANDOM DIGITS]_[FIVE RANDOM DIGITS]\binary.bin
%UserProfile%\Local Settings\Temp\nw[FOUR RANDOM DIGITS]_[FIVE RANDOM DIGITS]\icon.png
%UserProfile%\Local Settings\Temp\nw[FOUR RANDOM DIGITS]_[FIVE RANDOM DIGITS]\index.html
%UserProfile%\Local Settings\Temp\nw[FOUR RANDOM DIGITS]_[FIVE RANDOM DIGITS]\node_modules
%UserProfile%\Local Settings\Temp\nw[FOUR RANDOM DIGITS]_[FIVE RANDOM DIGITS]\package.json
The Trojan may create the following shortcut so that it runs every time Windows starts:
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ChromeService.lnk
The Trojan then encrypts files with the following extensions:
.3dm .3g2 .3gp .aaf .accdb .aep .aepx .aet .ai .aif .as .as3 .asf .asp .asx .avi .bmp .c .class .cpp .cs .csv .dat .db .dbf .doc .docb .docm .docx .dot .dotm .dotx .dwg .dxf .efx .eps .fla .flv .gif .h .idml .iff .indb .indd .indl .indt .inx .jar .java .jpeg .jpg .m3u .m3u8 .m4u .max .mdb .mid .mov .mp3 .mp4 .mpa .mpeg .mpg .msg .pdb .pdf .php .plb .pmd .png .pot .potm .potx .ppam .ppj .pps .ppsm .ppsx .ppt .pptm .pptx .prel .prproj .ps .psd .ra .raw .rb .rtf .sdf .ses .sldm .sldx .sql .svg .swf .tif .txt .vcf .vob .wav .wma .wmv .wpd .wps .xla .xlam .xll .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xqx .xqx
It also encrypts files that contain any of the following strings either as their extensions or at the start or end of their extensions:
savspvgrlemlxsv5gameslot
The Trojan does not encrypt files in the following locations:
%Windir%
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs
%Temp%
[PATH TO FOLDER]\winnt
[PATH TO FOLDER]\boot
[PATH TO FOLDER]\tmp
[PATH TO FOLDER]\$recycle.bin
The Trojan then displays a ransom note demanding payment for the files to be decrypted.
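The dropped-file paths, the random-named temp folder and the Startup shortcut above are the host indicators a defender can check for. The script below is an added example, not part of the Symantec write-up: it matches those three indicators against file-creation events in a constructed "CREATE <path>" line format (the event format and the sample paths are assumptions, not from the write-up).

```python
import re

# Indicators derived from the write-up. Comparison is case-insensitive and
# works on both the %UserProfile% placeholder form and expanded paths.
DROP_DIR_FRAGMENT = "\\application data\\chrome browser\\"
STARTUP_LNK_SUFFIX = "\\start menu\\programs\\startup\\chromeservice.lnk"
# nw[FOUR RANDOM DIGITS]_[FIVE RANDOM DIGITS] under Local Settings\Temp
TEMP_DIR_RE = re.compile(r"\\local settings\\temp\\nw\d{4}_\d{5}\\", re.I)


def classify_path(path):
    """Return the indicator name a created-file path matches, or None."""
    p = path.strip().lower()
    if p.endswith(STARTUP_LNK_SUFFIX):
        return "startup-shortcut"
    if DROP_DIR_FRAGMENT in p:
        return "chrome-browser-dropper"
    if TEMP_DIR_RE.search(p):
        return "nw-temp-unpack"
    return None


def scan_events(lines):
    """Scan 'CREATE <path>' event lines; return (path, indicator) for each hit."""
    hits = []
    for line in lines:
        if not line.startswith("CREATE "):
            continue  # only file-creation events are relevant to these indicators
        path = line[len("CREATE "):]
        tag = classify_path(path)
        if tag:
            hits.append((path, tag))
    return hits


# Constructed sample events (hypothetical host, not from the write-up).
SAMPLE_EVENTS = [
    "CREATE C:\\Documents and Settings\\alice\\Application Data\\Chrome Browser\\chrome.exe",
    "CREATE C:\\Documents and Settings\\alice\\Local Settings\\Temp\\nw1234_56789\\package.json",
    "CREATE C:\\Documents and Settings\\alice\\Application Data\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ChromeService.lnk",
    "CREATE C:\\Documents and Settings\\alice\\Local Settings\\Temp\\nw12_3\\binary.bin",
    "CREATE C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "DELETE C:\\Documents and Settings\\alice\\Application Data\\Chrome Browser\\u.vbs",
]

if __name__ == "__main__":
    for path, tag in scan_events(SAMPLE_EVENTS):
        print(f"{tag}: {path}")
```

The genuine Chrome install path and the malformed temp folder name in the sample are deliberately left unmatched, so the output lists only the three write-up indicators.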

Last update 06 January 2016
