Ransom:Win32/Cendode.A
First posted on 13 January 2015.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Cendode.A.
Explanation:
Threat behavior
Installation
This malware installs a copy of itself to %APPDATA%\sundevpackupdate\, for example %APPDATA%\sundevpackupdate\miql1.exe.
It also creates the following files in that folder:
- %APPDATA%\sundevpackupdate\buyunlockcode.txt
- a .txt file with a varying name, for example %APPDATA%\sundevpackupdate\Dkv264475.txt
- a .txt.zip file with the same base name, for example %APPDATA%\sundevpackupdate\Dkv264475.txt.zip
- %APPDATA%\sundevpackupdate\pbinfoset.sww
- %APPDATA%\sundevpackupdate\wallpp.bmp
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: SunDevUpdate
With data: ""
It also records its own file name in the registry:
In subkey: HKCU\Software\SunDevUpdate
Sets value: oldex
With data: "<malware file name>"
Payload
Encrypts your files
This threat can encrypt your files and rename them with the extension .enc0ded!, for example:
This malware does not require network communication to encrypt files.
It can encrypt the following file types:
.7z
.accdb
.ai
.arw
.bpg
.cdr
.cdx
.cer
.cr2
.crt
.crw
.css
.dbf
.dbt
.dbx
.der
.dng
.doc
.docm
.docx
.dwg
.dxf
.dxg
.eps
.indd
.jpeg
.jpg
.js
.kdc
.key
.mdb
.mde
.mdf
.mef
.mrw
.nef
.nrw
.odb
.odc
.odm
.odp
.ods
.odt
.orf
.p12
.p7b
.p7c
.pab
.pdd
.pem
.pfx
.pgp
.php
.pps
.ppt
.pptm
.pptx
.psd
.pst
.ptb
.qba
.qbb
.qbm
.qbw
.r3d
.raf
.rar
.rtf
.rw2
.rwl
.sql
.srf
.srw
.tar
.text
.txt
.vbp
.vsd
.wb2
.wpd
.wps
.xl
.xlc
.xlk
.xls
.xlsb
.xlsm
.xlsx
.xsf
.zip
Once your files are encrypted, this threat displays a text file (buyunlockcode.txt) asking you to send the malicious hacker an email to get further payment instructions.
Once the infection is complete, it changes your desktop wallpaper to read "All important files were encoded with RSA-1024 encryption algorithm. The only way to restore them - purchase the unique unlock code. See BUYUNLOCKCODE.txt on your hard drive for more information". The RSA-1024 claim is the ransom note's own wording; this write-up does not independently confirm which cipher is used.
Analysis by Carmen Liang
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files in %APPDATA%\sundevpackupdate\:
  - pbinfoset.sww
  - buyunlockcode.txt
  - wallpp.bmp
  - a .txt file and a .txt.zip file with a varying name, for example Dkv264475.txt and Dkv264475.txt.zip
- You see these entries or keys in your registry:
  - In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: SunDevUpdate
    With data: ""
  - In subkey: HKCU\Software\SunDevUpdate
    Sets value: oldex
    With data: "<malware file name>"
- Your desktop wallpaper shows the ransom message quoted above ("All important files were encoded with RSA-1024 encryption algorithm ... See BUYUNLOCKCODE.txt on your hard drive for more information").
- Your documents have been renamed with the extension .enc0ded!
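The indicators above can be checked from PowerShell with the script below. It is an added example written for this page, not part of Microsoft's write-up or of the analysis it summarises. It assumes it is run under the affected user account (both registry keys live in HKCU, so another user's profile would not be checked), that the file and value names are exactly as listed above, and that $ScanRoot (a hypothetical parameter defaulting to the user profile) is where renamed files should be looked for. It is read-only: it reports and hashes, it does not delete or disinfect.

```powershell
# Added triage script for the Ransom:Win32/Cendode.A indicators listed on this page.
# Not from the Microsoft write-up. Assumptions: run as the affected user (HKCU keys),
# indicator names exactly as documented, $ScanRoot is a hypothetical parameter.
param(
    [string]$ScanRoot = $env:USERPROFILE
)

$dropDir  = Join-Path $env:APPDATA 'sundevpackupdate'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files in %APPDATA%\sundevpackupdate\
if (Test-Path -LiteralPath $dropDir) {
    $findings.Add("Drop directory present: $dropDir")
    foreach ($name in 'buyunlockcode.txt', 'pbinfoset.sww', 'wallpp.bmp') {
        $p = Join-Path $dropDir $name
        if (Test-Path -LiteralPath $p) { $findings.Add("Dropped file: $p") }
    }
    # The note copy (.txt), its .zip and the executable copy all have varying names,
    # so match on suffix rather than on a fixed file name.
    Get-ChildItem -LiteralPath $dropDir -File |
        Where-Object { $_.Name -like '*.txt.zip' -or $_.Extension -eq '.exe' } |
        ForEach-Object { $findings.Add("Dropped file: $($_.FullName)") }
}

# 2. Autorun value in HKCU\...\Run. Its data is the path the malware is started from,
#    so if it points at an existing file, hash that file for later lookup.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$autorunPresent = [bool]($run -and $run.PSObject.Properties['SunDevUpdate'])
if ($autorunPresent) {
    $data = [string]$run.SunDevUpdate
    $findings.Add("Run value SunDevUpdate = $data")
    $exe = $data.Trim('"')
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $findings.Add("Autorun target exists, SHA256 $hash")
    }
}

# 3. The malware's own key, which stores its file name in the 'oldex' value.
$cfgKey = 'HKCU:\Software\SunDevUpdate'
if (Test-Path -Path $cfgKey) {
    $oldex = (Get-ItemProperty -Path $cfgKey -ErrorAction SilentlyContinue).oldex
    $findings.Add("Key $cfgKey present; oldex = $oldex")
}

# 4. Files renamed with the .enc0ded! extension. '!' is not a wildcard in -like,
#    so the pattern matches the literal suffix.
$encrypted = @(Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Force `
                -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -like '*.enc0ded!' })

$findings | ForEach-Object { Write-Output $_ }
Write-Output ("Files with .enc0ded! extension under {0}: {1}" -f $ScanRoot, $encrypted.Count)
$encrypted | Select-Object -First 10 | ForEach-Object { Write-Output "  $($_.FullName)" }

# Non-zero exit code when any indicator is present, so the script can be used
# from an enterprise script runner to flag machines for isolation.
$dropPresent = Test-Path -LiteralPath $dropDir
if ($dropPresent -or $autorunPresent -or $encrypted.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it from an interactive PowerShell session as the affected user, not from an elevated session under a different account, or the HKCU checks will look at the wrong hive. Because the Run value is the only reliable pointer to the executable copy (its name varies), preserve that file for analysis before any cleanup removes it.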
Last update 13 January 2015