Trojan.Ransomcrypt.AD


First posted on 20 February 2016.
Source: Symantec

Aliases:

There are no other names known for Trojan.Ransomcrypt.AD.

Explanation:

When the Trojan is executed, it creates the following files:
%Temp%\Loader.exe
%Temp%\mvpject.exe
%Temp%\rackfiles.txt
%Temp%\rackinfo.txt
The Trojan creates the following registry entries:
HKEY_CURRENT_USER\mvpdata\"total" = [NUMBER OF COMPROMISED FILES]
HKEY_CURRENT_USER\mvpdata\"launches" = [RANDOM NUMBER]
HKEY_CURRENT_USER\mvpdata\"done" = [RANDOM NUMBER]
HKEY_CURRENT_USER\mvpdata\"day" = [DATE OF CURRENT MONTH]
HKCU\Control Panel\Desktop\"Wallpaper" = "%Windir%\Web\Wallpaper\rack.jpg"
The Trojan encrypts files with the following extensions:
.3fr, .7z, .accdb, .ai, .apk, .arch00, .arw, .asset, .avi, .bar, .bay, .bc6, .bc7, .big, .bik, .bkf, .bkp, .blob, .bmp, .bsa, .cas, .cdr, .cer, .cfr, .cpp, .cr2, .crt, .crw, .css, .csv, .d3dbsp, .das, .dat, .dazip, .db0, .dba, .dbf, .dcr, .der, .desc, .dmp, .dng, .doc, .docm, .docx, .dwg, .dxg, .epk, .eps, .erf, .esm, .ff, .flv, .forge, .fos, .fpk, .fsh, .gdb, .gho, .h, .hkdb, .hkx, .hplg, .hpp, .hvpl, .ibank, .icxs, .indd, .itdb, .itl, .itm, .iwd, .iwi, .jpe, .jpeg, .jpg, .js, .kdb, .kdc, .kf, .layout, .lbf, .litemod, .lrf, .ltx, .lvl, .m2, .m3u, .m4a, .map, .mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu, .mlx, .mov, .mp3, .mp4, .mpqge, .mrwref, .ncf, .nrw, .ntl, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pak, .pas, .pdd, .pdf, .pef, .pem, .pfx, .pkpass, .png, .ppt, .pptm, .pptx, .psd, .psk, .pst, .ptx, .py, .qdf, .qic, .r3d, .raf, .rar, .raw, .rb, .re4, .rgss3a, .rim, .rofl, .rtf, .rw2, .rwl, .sav, .sb, .sid, .sidd, .sidn, .sie, .sis, .slm, .snx, .sql, .sr2, .srf, .srw, .sum, .svg, .syncdb, .t12, .t13, .tax, .tor, .txt, .upk, .vcf, .vdf, .vfs0, .vpk, .vpp_pc, .vtf, .w3x, .wallet, .wb2, .wma, .wmo, .wmv, .wotreplay, .wpd, .wps, .x3f, .xf, .xlk, .xls, .xlsb, .xlsm, .xlsx, .xxx, .zip, .ztmp
The Trojan may append the following extension to any files it encrypts:
.rack
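A host-triage check for the artifacts listed above, added here as an example and not part of the Symantec writeup: it classifies observed file paths and registry values against the dropped files, the mvpdata markers, the wallpaper change and the appended .rack extension, and compares the "total" marker with the number of .rack files seen. The extension set is a subset of the list above, and the sample observations at the end are constructed, not real forensic data.

```python
import ntpath

# Host indicators copied from the writeup above; all matching is case-insensitive.
DROPPED_FILES = {"loader.exe", "mvpject.exe", "rackfiles.txt", "rackinfo.txt"}
APPENDED_EXT, MARKER_KEY = ".rack", r"hkey_current_user\mvpdata"  # values: total, launches, done, day
WALLPAPER_KEY, WALLPAPER_DATA = r"hkcu\control panel\desktop", r"%windir%\web\wallpaper\rack.jpg"
# Subset of the targeted extensions listed above; paste in the full list for real triage.
TARGETED_EXTS = set((".7z .accdb .avi .bmp .cpp .csv .doc .docx .jpeg .jpg .js .mdb .mov .mp3 "
                     ".mp4 .odt .pdf .pem .pfx .png .ppt .pptx .psd .pst .py .rar .rtf .sql "
                     ".txt .wallet .xls .xlsx .zip").split())

def classify_path(path):
    """Label one file path: dropped component, encrypted victim file, or None."""
    name = ntpath.basename(path).lower()
    if name in DROPPED_FILES and "\\temp\\" in path.lower():
        return "dropped-component"
    if name.endswith(APPENDED_EXT):
        # .rack is appended, so photo.jpg.rack still carries its original .jpg extension.
        original_ext = ntpath.splitext(name[:-len(APPENDED_EXT)])[1]
        return "encrypted-targeted" if original_ext in TARGETED_EXTS else "rack-extension"

def classify_registry(key, value_name, data):
    """Label one registry value: infection marker, ransom wallpaper, or None."""
    key, value_name = key.lower(), value_name.lower()
    if key == MARKER_KEY and value_name in {"total", "launches", "done", "day"}:
        return "mvpdata-marker"
    if key == WALLPAPER_KEY and value_name == "wallpaper" and str(data).lower() == WALLPAPER_DATA:
        return "ransom-wallpaper"

def triage(paths, registry_entries):
    """Group findings by label and check the 'total' marker against the .rack file count."""
    findings, total = {}, None
    for p in paths:
        if label := classify_path(p):
            findings.setdefault(label, []).append(p)
    for key, name, data in registry_entries:
        if label := classify_registry(key, name, data):
            findings.setdefault(label, []).append(key + "\\" + name)
            if name.lower() == "total":
                total = int(data)
    rack_count = sum(len(v) for k, v in findings.items() if k.startswith(("encrypted", "rack")))
    findings["total_matches_rack_count"] = total is not None and total == rack_count
    return findings

# Constructed sample observations (not real forensic data) for a stand-alone run.
SAMPLE_PATHS = [r"C:\Users\u\AppData\Local\Temp\mvpject.exe", r"C:\Users\u\Documents\q3.xlsx.rack",
                r"C:\Users\u\Pictures\dog.jpg.rack", r"C:\Users\u\Documents\notes.txt"]
SAMPLE_REGISTRY = [(r"HKEY_CURRENT_USER\mvpdata", "total", "2"),
                   (r"HKCU\Control Panel\Desktop", "Wallpaper", r"%Windir%\Web\Wallpaper\rack.jpg")]
```

Run `triage(SAMPLE_PATHS, SAMPLE_REGISTRY)` to see the grouped findings; a mismatch between the "total" marker and the .rack count suggests the encryption run was interrupted or files were already moved.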
The Threat may display the following ransom message:

Last update 20 February 2016
