Home / malware Ransom:PowerShell/Polock.A
First posted on 03 June 2015.
Source: MicrosoftAliases :
There are no other names known for Ransom:PowerShell/Polock.A.
Explanation :
Threat behavior
Installation
This threat is a malicious Windows PowerShell script that can be downloaded by TrojanDownloader:PowerShell/Polock.A.
It can create the following files on your PC:
- c:\1\locked.bmp - ransom wallpaper image
- c:\1\reflect.dll - detected as Ransom:Win32/Polock.A!dll
- c:\1\t.dll - detected as Ransom:Win32/Polock.A!dll
- %desktop%\encrypted.htm - list of encrypted files
- %desktop%\qwer.html - ransom html page
- %desktop%\qwer2.html - ransom html page
Payload
Encrypts your files
This threat can search your PC for any files with the following extensions:
- .ai
- .crt
- .csv
- .db
- .doc
- .docm
- .docx
- .dotx
- .gif
- .jpeg
- .jpg
- .lnk
- .mp3
- .msi
- .ods
- .one
- .ost
- .p12
- .pem
- .pps
- .ppsx
- .ppt
- .pptx
- .psd
- .pst
- .pub
- .rar
- .raw
- .rtf
- .tif
- .txt
- .vsdx
- .wma
- .xls
- .xlsm
- .xlsx
- .xml
- .zip
It encrypts any files that it finds and displays the following messages:
Deletes backup files
This threat also tries to stop you from restoring your files from backup. It does this by:
- Deleting shadow files to prevent you from restoring your files from a local backup
- Disabling Startup Repair and Windows Error Recovery on system startup
- Disabling System Restore
Analysis by Jireh Sanico
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
- c:\1\locked.bmp - ransom wallpaper image
- c:\1\reflect.dll - detected as Ransom:Win32/Polock.A!dll
- c:\1\t.dll - detected as Ransom:Win32/Polock.A!dll
- %desktop%\encrypted.htm - list of encrypted files
- %desktop%\qwer.html - ransom html page
- %desktop%\qwer2.html - ransom html page
- You see these messages:
Last update 03 June 2015
