Home / malware Trojan.Ransomcrypt.W
First posted on 22 December 2015.
Source: SymantecAliases :
There are no other names known for Trojan.Ransomcrypt.W.
Explanation :
Once executed, the Trojan creates the following files:
%Windir%\directx.exe%Windir%\YOUR_FILES.url
The Trojan creates the following registry entries so that it runs every time Windows startes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"svchost" = "%Windir%\directx.exe"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"svchost" = "%Windir%\directx.exe"
The Trojan also creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\[RANDOM LETTERS]\"[RANDOM LETTERS]" = "[ENCODED DOMAIN INFORMATION]"
Note: [ENCODED DOMAIN INFORMATION] is an encoded list of command and control (C&C) server domains the threat may contact.
Next, the Trojan checks internet connectivity on the compromised computer by attempting to connect to the following legitimate domain:
checkip.dyndns.org
If internet connectivity is available, the Trojan will connect to one or more of the following remote C&C servers:crazytrevor.comcrazytrevor.in23.249.162.151
The Trojan then send the following information to the C&C server:
Operating system versionList of drives
Next, the Trojan deletes any Windows shadow copies on the compromised computer and encrypts files with the following extensions:
.doc.docx.jpg.png.ppt.pptx.txt.gif.html.zip.xls.xlsx.pdf.rar.avi.rtf.tif.wav
Note: The extensions listed here are a small sample. The list of extensions is downloaded from the C&C server and is extensive.
The Trojan adds the following file extension to all files it encrypts:
.rdm
The Trojan then creates the following shortcut on the compromised computer's desktop:
%Windir%\YOUR_FILES.url
The shortcut opens a web page with a ransom note demanding payment in order to decrypt the files on the compromised computer.Last update 22 December 2015