
Trojan:Win32/Sofilblock.A


First posted on 06 October 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Sofilblock.A is also known as Trojan-PSW.Win32.Tepfer.baav (Kaspersky), Trojan.Gimemo!2pLolMFxvIo (VirusBuster), Trojan.PWS.Ftpharv.26 (Dr.Web), Trojan-Ransom.Win32.Gimemo (Ikarus).

Explanation:

Trojan:Win32/Sofilblock.A is ransomware that encrypts your files and demands payment to decrypt them. It may also lock your desktop and display an image purporting to come from the authorities in an attempt to coerce you into paying.



Installation

When run, Trojan:Win32/Sofilblock.A copies itself as the following file:

%AppData%\sopaps.exe

It also creates the following registry entry so that it runs every time Windows starts:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ChpPrintUpdate"
With data: "%AppData%\sopaps.exe"

It may also create the following files, which may contain the encrypted key that can decrypt your files:

  • %AppData%\filesop.txt.block
  • %AppData%\ok.txt.block


Payload

Connects to certain servers

Trojan:Win32/Sofilblock.A may connect to certain servers to generate the encryption key:

  • 78.47.4.76
  • 176.9.237.54


Encrypts files

Using the encryption key, Trojan:Win32/Sofilblock.A encrypts all files on your computer with any of the following extensions:

  • abw
  • arj
  • asm
  • bpg
  • cdr
  • cdt
  • cdx
  • cer
  • chm
  • css
  • dbf
  • dbt
  • dbx
  • dfm
  • djv
  • djvu
  • doc
  • docm
  • docx
  • dpk
  • dpr
  • frm
  • gz
  • gzip
  • htm
  • html
  • jpg
  • js
  • key
  • lzh
  • lzo
  • mdb
  • mde
  • odc
  • pab
  • pas
  • pdf
  • pgp
  • php
  • pps
  • ppt
  • pst
  • rtf
  • sql
  • text
  • txt
  • vbp
  • vsd
  • wri
  • xfm
  • xl
  • xlc
  • xlk
  • xls
  • xlsm
  • xlsx
  • xlw
  • xsf
  • xsn


The encrypted files are renamed as "<old file name>.<old extension>.block", for example, "C:\Samplefile.txt" to "C:\Samplefile.txt.block".

In every folder with at least one encrypted file, it drops the file "warning.txt", which contains the following text:
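As an added illustration for responders (not part of the Microsoft write-up), a small Python triage script that applies the rename pattern and the per-folder "warning.txt" marker described above to a directory tree. It runs over a constructed sample tree rather than a real infection, and the extension list is the one given above.

```python
import os
import shutil
import tempfile
from collections import Counter

# Extensions the advisory lists as targeted by Trojan:Win32/Sofilblock.A.
TARGET_EXTS = set("""abw arj asm bpg cdr cdt cdx cer chm css dbf dbt dbx dfm djv djvu doc docm docx
dpk dpr frm gz gzip htm html jpg js key lzh lzo mdb mde odc pab pas pdf pgp php pps ppt pst rtf
sql text txt vbp vsd wri xfm xl xlc xlk xls xlsm xlsx xlw xsf xsn""".split())
MARKER_FILE = "warning.txt"   # note dropped in every folder with at least one encrypted file
ENC_SUFFIX = ".block"         # appended to "<old file name>.<old extension>"

def original_ext(filename):
    """Original extension of '<name>.<ext>.block', or None if the name does not match."""
    if not filename.lower().endswith(ENC_SUFFIX):
        return None
    root, dot, ext = filename[:-len(ENC_SUFFIX)].rpartition(".")
    if not root or not dot or ext.lower() not in TARGET_EXTS:
        return None
    return ext.lower()

def scan_tree(top):
    """Walk a tree; return (encrypted-file count per original extension, folders holding a note)."""
    ext_counts, note_dirs = Counter(), []
    for dirpath, _, files in os.walk(top):
        if MARKER_FILE in files:
            note_dirs.append(dirpath)
        for ext in filter(None, map(original_ext, files)):
            ext_counts[ext] += 1
    return ext_counts, note_dirs

def build_sample_tree():
    """Constructed sample layout, not real infection data; 'clean' holds no note and no targeted file."""
    top = tempfile.mkdtemp(prefix="sofilblock_demo_")
    layout = {
        "docs": ["report.docx.block", "budget.xls.block", "warning.txt"],
        "photos": ["holiday.jpg.block", "warning.txt"],
        "clean": ["notes.txt", "archive.zip.block"],   # .zip is not on the list, so not counted
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(top, sub))
        for name in names:
            open(os.path.join(top, sub, name), "w").close()
    return top

def demo():
    top = build_sample_tree()
    counts, dirs = scan_tree(top)
    shutil.rmtree(top)
    return dict(counts), sorted(os.path.basename(d) for d in dirs)
```

Point `scan_tree` at a user profile or file share to get a per-extension count of renamed files and the list of folders that received the note.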



Locks your computer

When executed, Trojan:Win32/Sofilblock.A poses as a legitimate institution and coerces the user into paying a fee. It prevents you from accessing your desktop and replaces your screen with an image similar to the following:



Terminates processes

To prevent you from terminating its process, Trojan:Win32/Sofilblock.A terminates "taskmgr.exe" and "regedit.exe" if either is run.



Analysis by Edgardo Diaz

Last update 06 October 2012
