
Ransom:Win32/Teerac


First posted on 19 April 2019.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Teerac.

Explanation:

Installation

Ransom:Win32/Teerac can be downloaded by other malware, such as TrojanDownloader:O97M/Donoff. It can also arrive on your PC as a spam email attachment with a file name such as:

fatura.exe
Parcel_Information.exe
track_.exe

When run, it can inject itself into legitimate system processes and drop a copy of itself under a random file name in %windir% or another folder, for example:

ovijhbij.exe
%windir%\yjyricb.exe

It can also install other files onto your PC that the malware uses as reference points at startup. We have seen it use the following naming format:

0000000...02000000, for example c:\programdata\umevenupasyxuxof\0000000...02000000

It changes the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random name>", for example "yjyricb"
With data: "%windir%\<random name>.exe", for example "%windir%\yjyricb.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random name>", for example "uziviqow"
With data: "<random name>.exe", for example "ovijhbij.exe"

The malware can also modify other registry entries as part of its installation, for example:

In subkey: HKCU\Software\Bit Torrent Application\Configuration
Sets value: "01000000"
With data: "%windir%\<random name>.exe", for example "%windir%\epabaleq.exe"

In subkey: HKCU\Software\<random name>, for example HKCU\Software\ahawomuxevoporop
Sets value: "01000000"
With data: <varies>, for example "m.."

Payload

Encrypts your files

Ransom:Win32/Teerac can encrypt files on your PC with extensions including the following:

avi bmp ico inf gif mp3 png txt wav xml

It adds ".encrypted" to the extension names of the encrypted files, for example sample.avi.encrypted.

The malware skips files with the following extensions (and certain file paths):

bat chm cmd dll exe ini log lnk msi scr sys tmp

Shows you a ransom screen

Once your files are encrypted, Ransom:Win32/Teerac shows you a ransom screen demanding payment to give you back access to your files.

Early versions used the following message: [ransom screen image not reproduced]

More recent variants use this updated message: [ransom screen image not reproduced]

The malware can also delete Volume Shadow Copies (Windows' local snapshots used by System Restore and Previous Versions) from your PC to prevent you from restoring your files from local backup.
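The PowerShell script below is an added triage example, not part of Microsoft's write-up or of the malware analysis it summarizes. It turns the installation and payload indicators described above (the Run-key persistence entries, the Bit Torrent Application\Configuration key, the HKCU\Software\<random name> marker keys, the numeric reference files under %ProgramData%, the ".encrypted" extension, and the shadow-copy deletion) into checks you can run on a suspect Windows host. The "random lowercase name" regexes and the 7-to-8-digit marker-file pattern are heuristics inferred from the samples shown on this page, not published signatures, so every hit needs manual review; the function name Invoke-TeeracTriage is an arbitrary choice.

```powershell
# Added triage example (not from Microsoft's write-up): checks a Windows host
# for the Ransom:Win32/Teerac indicators described on this page. Run from an
# elevated PowerShell session. The "random lowercase name" regexes and the
# numeric marker-file pattern are heuristics inferred from the samples shown
# (yjyricb, ovijhbij, epabaleq, umevenupasyxuxof, 0000000...02000000), not
# published signatures, so review every hit manually.

function Invoke-TeeracTriage {
    $findings = New-Object System.Collections.Generic.List[string]
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $randomName = '^[a-z]{6,20}$'          # assumption: lowercase letters only

    # 1. Run-key persistence: random value name whose data launches a random-named .exe.
    #    -cmatch keeps the comparison case-sensitive (-match would accept "OneDrive").
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }
            $data = [string]$p.Value
            if ($p.Name -cmatch $randomName -and
                $data -cmatch '(?:^|[\\/"\s])[a-z]{6,20}\.exe(?:"|\s|$)') {
                $findings.Add("Run key: $key\$($p.Name) = $data")
            }
        }
    }

    # 2. Configuration key named in the write-up, carrying the "01000000" value.
    $btKey = 'HKCU:\Software\Bit Torrent Application\Configuration'
    if (Test-Path $btKey) {
        $v = (Get-ItemProperty -Path $btKey).'01000000'
        if ($null -ne $v) { $findings.Add("Config key: $btKey\01000000 = $v") }
    }

    # 3. HKCU\Software\<random name> subkeys that carry a "01000000" value.
    Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -cmatch $randomName } |
        ForEach-Object {
            $v = (Get-ItemProperty -Path $_.PSPath).'01000000'
            if ($null -ne $v) {
                $findings.Add("Marker key: HKCU\Software\$($_.PSChildName)\01000000 = $v")
            }
        }

    # 4. %ProgramData%\<random name>\ folders holding the numeric reference files.
    #    Assumption: file names are 7- or 8-digit strings, as in "0000000...02000000".
    Get-ChildItem -Path $env:ProgramData -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -cmatch $randomName } |
        ForEach-Object {
            $markers = @(Get-ChildItem -Path $_.FullName -File -ErrorAction SilentlyContinue |
                         Where-Object { $_.Name -cmatch '^[0-9]{7,8}$' })
            if ($markers.Count -gt 0) {
                $findings.Add("Marker files: $($_.FullName) holds $($markers.Count) numeric files, e.g. $($markers[0].Name)")
            }
        }

    # 5. Encrypted files: the payload appends ".encrypted" to the original file name.
    $enc = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.encrypted' -ErrorAction SilentlyContinue)
    if ($enc.Count -gt 0) {
        $findings.Add(".encrypted files under $($env:USERPROFILE): $($enc.Count), e.g. $($enc[0].FullName)")
    }

    # 6. Shadow copies: zero snapshots on a host that normally keeps them is consistent
    #    with the shadow-copy deletion described above (and means local restore is gone).
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $findings.Add("Volume shadow copies present: $($shadows.Count)")

    return $findings
}

Invoke-TeeracTriage | ForEach-Object { Write-Output $_ }
```

Check 1 will also flag any legitimate lowercase-named Run entry, and check 6 reports a count rather than a verdict, because an absence of shadow copies can simply mean the feature was never enabled; compare against a known-good baseline before drawing conclusions.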

Connects to a remote server

We have seen some variants of this family connecting to the following domains and addresses:

cangrybirds493.ru
lagosadventures.com
ryptdomain.dp.ua
systemdriverupdate.ru
239.255.255.250

Note that 239.255.255.250 is the SSDP/UPnP multicast address used for local network discovery by Windows itself and many legitimate programs, so traffic to it is not, on its own, an indicator of Teerac infection. Treat the domains as the usable network indicators.

Analysis by Marianne Mallen
 

Last update 19 April 2019
