
Ransom:Win32/Cendode.A


First posted on 13 January 2015.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Cendode.A.

Explanation:

Threat behavior

Installation

This malware installs a copy of itself to %APPDATA%\sundevpackupdate\, for example %APPDATA%\sundevpackupdate\miql1.exe.

It also creates the following files in that folder:

  • %APPDATA%\sundevpackupdate\buyunlockcode.txt
  • a .txt file with a variable name, for example %APPDATA%\sundevpackupdate\Dkv264475.txt
  • a .txt.zip file with the same name, for example %APPDATA%\sundevpackupdate\Dkv264475.txt.zip
  • %APPDATA%\sundevpackupdate\pbinfoset.sww
  • %APPDATA%\sundevpackupdate\wallpp.bmp


It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: SunDevUpdate
With data: ""

It also sets the following registry entry:

In subkey: HKCU\Software\SunDevUpdate
Sets value: oldex
With data: "<malware file name>"

Payload

Encrypts your files

This threat encrypts your files and renames them with the extension .enc0ded!.

This malware does not require network communication to encrypt files: the encryption runs entirely on the infected PC, so blocking or cutting its network access does not stop files from being encrypted once it is running.

It can encrypt the following file types:

.7z .accdb .ai .arw .bpg .cdr .cdx .cer .cr2 .crt .crw .css .dbf .dbt .dbx .der .dng .doc .docm .docx
.dwg .dxf .dxg .eps .indd .jpeg .jpg .js .kdc .key .mdb .mde .mdf .mef .mrw .nef .nrw .odb .odc .odm
.odp .ods .odt .orf .p12 .p7b .p7c .pab .pdd .pdf .pem .pfx .pgp .php .pps .ppt .pptm .pptx .psd .pst
.ptb .qba .qbb .qbm .qbw .r3d .raf .rar .rtf .rw2 .rwl .sql .srf .srw .tar .text .txt .vbp .vsd .wb2
.wpd .wps .xl .xlc .xlk .xls .xlsb .xlsm .xlsx .xsf .zip

Note that the list includes private key and certificate stores (.key, .pem, .pfx, .p12, .pgp) and mail and database files (.pst, .mdb, .mdf, .sql); losing access to those affects more than the documents on the PC.

Once your files are encrypted this threat displays a .txt file (buyunlockcode.txt, dropped during installation) asking you to send the malicious hacker an email to get further payment instructions.

Once the infection is complete it changes your desktop wallpaper to read: "All important files were encoded with RSA-1024 encryption algorithm. The only way to restore them - purchase the unique unlock code. See BUYUNLOCKCODE.txt on your hard drive for more information". The RSA-1024 claim is the malware's own message; nothing else on this page describes the actual encryption scheme.

Analysis by Carmen Liang



Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files in %APPDATA%\sundevpackupdate\:
    • pbinfoset.sww
    • buyunlockcode.txt
    • wallpp.bmp
    • a .txt file with a variable name and a matching .txt.zip, for example Dkv264475.txt and Dkv264475.txt.zip
  • You see these entries or keys in your registry:
    • In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      Sets value: SunDevUpdate
      With data: ""
    • In subkey: HKCU\Software\SunDevUpdate
      Sets value: oldex
      With data: "<malware file name>"
  • You see the ransom message quoted above on your desktop wallpaper.



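The indicators above (the drop folder and its file names, the SunDevUpdate Run value, the oldex marker value and the .enc0ded! extension) can be turned into a small host-triage check. The following Python is an added example, not code from Microsoft or from this page. It works on plain data, a list of file paths and a list of registry (key, value name, data) tuples, so it runs offline against constructed sample data; on a live host you would feed it the output of os.walk() over %APPDATA% and winreg queries instead. The sample paths, the user name and the data of the Run value are assumptions (the page shows that value's data as blank), and the code assumes .enc0ded! is appended after the original file name.

```python
"""IOC checker for the Ransom:Win32/Cendode.A indicators on this page.

Added example, not Microsoft's code. It works on plain data (file paths and
registry (key, value, data) tuples) so it runs offline; on a live host feed it
os.walk() output and winreg queries.
"""
import ntpath
import re
from dataclasses import dataclass

# Indicators taken from the page.
DROP_DIR_NAME = "sundevpackupdate"
DROPPED_FILES = {"buyunlockcode.txt", "pbinfoset.sww", "wallpp.bmp"}
ENCRYPTED_EXT = ".enc0ded!"
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SunDevUpdate"
MARKER_KEY = r"HKCU\Software\SunDevUpdate"
MARKER_VALUE = "oldex"
TARGETED_EXTS = set("""
.7z .accdb .ai .arw .bpg .cdr .cdx .cer .cr2 .crt .crw .css .dbf .dbt .dbx .der .dng .doc .docm .docx
.dwg .dxf .dxg .eps .indd .jpeg .jpg .js .kdc .key .mdb .mde .mdf .mef .mrw .nef .nrw .odb .odc .odm
.odp .ods .odt .orf .p12 .p7b .p7c .pab .pdd .pdf .pem .pfx .pgp .php .pps .ppt .pptm .pptx .psd .pst
.ptb .qba .qbb .qbm .qbw .r3d .raf .rar .rtf .rw2 .rwl .sql .srf .srw .tar .text .txt .vbp .vsd .wb2
.wpd .wps .xl .xlc .xlk .xls .xlsb .xlsm .xlsx .xsf .zip
""".split())


@dataclass
class Finding:
    kind: str    # dropped_file | encrypted_file | persistence | marker
    detail: str


def _parts(path):
    """Split a Windows or POSIX path into lower-cased components."""
    return [p for p in re.split(r"[\\/]+", path.lower()) if p]


def check_file_path(path):
    """Classify one path against the file indicators; None if nothing matches."""
    parts = _parts(path)
    if not parts:
        return None
    name = parts[-1]
    # Dropped files live in %APPDATA%\sundevpackupdate\. The page gives variable
    # names for the .exe copy and the .txt/.txt.zip pair, so inside that folder
    # any .exe, .txt or .txt.zip is flagged alongside the fixed names.
    if DROP_DIR_NAME in parts[:-1] and (
        name in DROPPED_FILES or name.endswith((".exe", ".txt", ".txt.zip"))
    ):
        return Finding("dropped_file", path)
    # Encrypted victim files. Assumption: the extension is appended to the
    # original name (report.docx -> report.docx.enc0ded!), so stripping it
    # recovers the original extension for comparison with the targeted list.
    if name.endswith(ENCRYPTED_EXT):
        orig_ext = ntpath.splitext(path[: -len(ENCRYPTED_EXT)])[1].lower()
        listed = "listed" if orig_ext in TARGETED_EXTS else "not listed"
        return Finding("encrypted_file",
                       f"{path} (original extension {orig_ext or '(none)'}, {listed} on the page)")
    return None


def check_registry(entries):
    """entries: iterable of (key, value_name, data). Matches on key and value
    name only, because the page shows the Run value's data as blank."""
    findings = []
    for key, value, data in entries:
        k, v = key.lower(), value.lower()
        if k == RUN_KEY.lower() and v == RUN_VALUE.lower():
            findings.append(Finding("persistence", f"{key}\\{value} = {data!r}"))
        elif k == MARKER_KEY.lower() and v == MARKER_VALUE.lower():
            findings.append(Finding("marker", f"{key}\\{value} = {data!r}"))
    return findings


def scan(paths, registry_entries):
    """Run every file path and registry entry through the checks above."""
    findings = [f for f in map(check_file_path, paths) if f is not None]
    findings.extend(check_registry(registry_entries))
    return findings


def summarize(findings):
    """Return (counts per kind, verdict). The verdict is True only when the
    Run-key persistence is present together with dropped or encrypted files,
    which separates an infection from a stray file that happens to match."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    verdict = "persistence" in counts and bool({"dropped_file", "encrypted_file"} & set(counts))
    return counts, verdict


# Constructed sample data, not taken from a real host. The user name and the
# Run value's data are assumptions; the page does not show them.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\sundevpackupdate\miql1.exe",
    r"C:\Users\alice\AppData\Roaming\sundevpackupdate\buyunlockcode.txt",
    r"C:\Users\alice\AppData\Roaming\sundevpackupdate\Dkv264475.txt",
    r"C:\Users\alice\AppData\Roaming\sundevpackupdate\Dkv264475.txt.zip",
    r"C:\Users\alice\AppData\Roaming\sundevpackupdate\pbinfoset.sww",
    r"C:\Users\alice\AppData\Roaming\sundevpackupdate\wallpp.bmp",
    r"C:\Users\alice\Documents\budget.xlsx.enc0ded!",
    r"C:\Users\alice\Pictures\IMG_0001.jpg.enc0ded!",
    r"C:\Users\alice\Documents\notes.txt",           # clean
    r"C:\Program Files\Vendor\readme.txt",           # clean
]
SAMPLE_REGISTRY = [
    (RUN_KEY, "SunDevUpdate", r"C:\Users\alice\AppData\Roaming\sundevpackupdate\miql1.exe"),
    (MARKER_KEY, "oldex", "miql1.exe"),
    (RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),  # benign
]

if __name__ == "__main__":
    found = scan(SAMPLE_PATHS, SAMPLE_REGISTRY)
    for f in found:
        print(f"{f.kind:15} {f.detail}")
    print(summarize(found))
```

The verdict deliberately requires the Run-key persistence plus at least one file indicator, so a copied buyunlockcode.txt on an analyst's machine does not trip it on its own. Matching the registry on key and value name rather than data keeps the check valid even though the page does not show what the Run value points to.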
Last update 13 January 2015
