
Trojan.Ransomcrypt.M


First posted on 12 July 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Ransomcrypt.M.

Explanation:

The Trojan arrives as an email attachment.

When the Trojan is executed, it creates the following files:

%SystemDrive%\tmp\iuoepdjjfi
%SystemDrive%\tmp\capcha
%SystemDrive%\tmp\Rar.exe
%SystemDrive%\tmp\bmrsa.exe
%SystemDrive%\tmp\shpka.msk
%SystemDrive%\tmp\z.exe
%SystemDrive%\tmp\moar.exe
%SystemDrive%\tmp\x.bat
%SystemDrive%\tmp\par.cmd
%SystemDrive%\tmp\rsa.bat
%SystemDrive%\tmp\pgmttc.exe
%SystemDrive%\tmp\hello.bat
%SystemDrive%\tmp\hello.exe
%SystemDrive%\tmp\rurim.exe
%SystemDrive%\tmp\public.txt
%SystemDrive%\tmp\drivers.cmd
%SystemDrive%\tmp\rsa.000
The Trojan packs all files with the following extensions into a password-protected RAR archive:

.jpg .JPG .jpeg .JPEG .doc .DOC .docx .DOCX .txt .TXT .pdf .PDF .tif .TIF .dbf .DBF .eps .EPS .psd .PSD .cdr .CDR .mbd .MBD .dxb .xml .XML .xls .XLS .xlsx .XLSX .dwg .DWG .mdf .MDF .mdb .MDB .zip .ZIP .rar .RAR .cdx .CDX .wps .WPS .rtf .RTF .1CD .1cd .4db .4dd .adp .ADP .XLD .wdb .str .STR .pdm .PDM .ppt .crw .dxg .ptx .odp .PEK .sps .SPS .pst .raf .pdd .mdf .srw .raw
Note: The password is encrypted with RSA.
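A defender-side hunting check over file-creation telemetry, added here as an example and not part of the Symantec writeup: it strips the drive letter from observed paths so they can be compared, case-insensitively, with the %SystemDrive%-relative drop-file list above. The event format and the sample lines are constructed for this example, not real telemetry.

```python
import re

# Drop files named in the writeup, relative to %SystemDrive%.
DROP_FILES = {
    r"\tmp\iuoepdjjfi", r"\tmp\capcha", r"\tmp\Rar.exe", r"\tmp\bmrsa.exe",
    r"\tmp\shpka.msk", r"\tmp\z.exe", r"\tmp\moar.exe", r"\tmp\x.bat",
    r"\tmp\par.cmd", r"\tmp\rsa.bat", r"\tmp\pgmttc.exe", r"\tmp\hello.bat",
    r"\tmp\hello.exe", r"\tmp\rurim.exe", r"\tmp\public.txt",
    r"\tmp\drivers.cmd", r"\tmp\rsa.000",
}
# NTFS paths are case-insensitive, so compare lower-cased forms.
_DROP_FILES_LC = {p.lower() for p in DROP_FILES}
_DRIVE_RE = re.compile(r"^[A-Za-z]:")

# Constructed events in an assumed '<time> <process> <op> <path>' format.
SAMPLE_EVENTS = [
    r"2014-07-12T09:14:01 outlook.exe CREATE C:\Users\ann\AppData\Local\Temp\attach.zip",
    r"2014-07-12T09:14:07 attach.exe CREATE C:\tmp\Rar.exe",
    r"2014-07-12T09:14:07 attach.exe CREATE C:\tmp\public.txt",
    r"2014-07-12T09:14:09 attach.exe WRITE C:\tmp\public.txt",
    r"2014-07-12T09:14:12 cmd.exe CREATE D:\TMP\rsa.000",
    r"2014-07-12T09:15:00 notepad.exe CREATE C:\Users\ann\notes.txt",
]


def normalize(path: str) -> str:
    r"""Strip the drive letter and lower-case the path, so C:\tmp\Rar.exe and
    D:\TMP\rar.exe both become \tmp\rar.exe for comparison with the indicators."""
    return _DRIVE_RE.sub("", path.strip().strip('"')).lower()


def match_drop_files(events):
    """Return (line_no, path) for each CREATE event naming a known drop file.
    Other operations are ignored: the writeup only states these files are created."""
    hits = []
    for n, line in enumerate(events, 1):
        parts = line.split(maxsplit=3)  # the path keeps any embedded spaces
        if len(parts) == 4 and parts[2] == "CREATE":
            if normalize(parts[3]) in _DROP_FILES_LC:
                hits.append((n, parts[3]))
    return hits


if __name__ == "__main__":
    for n, path in match_drop_files(SAMPLE_EVENTS):
        print(f"line {n}: Trojan.Ransomcrypt.M drop file created: {path}")
```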

The Trojan creates the following text file in every folder in which it encrypted a file:


Note: The file is in Russian and contains the encrypted password. It also asks that 10,000 rubles in bitcoins be sent to a specific bitcoin wallet address.

Last update 12 July 2014
