Trojan.Phonywall
First posted on 27 November 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Phonywall.
Explanation:
When the Trojan is executed, it creates the following files:
%UserProfile%\Application Data\Microsoft\Windows\[RANDOM CHARACTERS].exe
%AllUsersProfile%\Application Data\Microsoft\Windows\[RANDOM CHARACTERS].exe
The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\Type = 0x10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\Start = 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\ErrorControl = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\ImagePath = "%ALL_USERS%\Application Data\Microsoft\Windows\[RANDOM CHARACTERS].exe" -run [PARAMETER]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\DisplayName = "CheckDisk Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\Description = "Creates and displays a status report for a disk based on the file system. Chkdsk also lists and corrects errors on the disk."
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_[RANDOM CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = "%USERAPPDATA%\Microsoft\Windows\[RANDOM CHARACTERS].exe" -run [PARAMETER]
Note: [PARAMETER] is a parameter passed when the original file is executed.
The Trojan overwrites all files with its own data, except for files whose names match the following patterns:
*.scr
*.exe
*.msi
*.msu
*.dll
*.ocx
*.ax
*.com
*.sys
*.lnk
*.inf
bootmgr
ntldr
boot.ini
ntuser.*
Note: The Trojan preserves the original file size of the affected files.
The Trojan does not overwrite files in the following folders:
Boot
Windows
Program Files*
System Volume Information
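The exclusion rules above, turned into a predicate an analyst can run over a file listing to estimate which files the overwrite routine would have touched. This is an added example, not code from the page or from Symantec. Matching masks case-insensitively against the file name only, matching the folder names against the first path component below the drive root, and the sample paths themselves are all assumptions made here.

```python
import fnmatch
import ntpath

# Name masks the Trojan skips, as listed in the Symantec description.
EXCLUDED_NAME_MASKS = (
    "*.scr", "*.exe", "*.msi", "*.msu", "*.dll", "*.ocx", "*.ax", "*.com",
    "*.sys", "*.lnk", "*.inf", "bootmgr", "ntldr", "boot.ini", "ntuser.*",
)

# Folders the Trojan skips, as listed on the page. Assumption: they are
# compared against the top-level folder directly under the drive root.
EXCLUDED_TOP_FOLDERS = (
    "Boot", "Windows", "Program Files*", "System Volume Information",
)


def _top_folder(path):
    """First path component below the drive, or '' for a file in the root."""
    _drive, rest = ntpath.splitdrive(path)
    parts = [p for p in rest.replace("/", "\\").split("\\") if p]
    return parts[0] if len(parts) > 1 else ""


def _matches_any(value, masks):
    # fnmatchcase on lowercased strings gives the same answer on every
    # platform (plain fnmatch is case-sensitive on POSIX, not on Windows).
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, m.lower()) for m in masks)


def would_be_overwritten(path):
    """True if neither the folder rule nor a name mask spares this path."""
    if _matches_any(_top_folder(path), EXCLUDED_TOP_FOLDERS):
        return False
    if _matches_any(ntpath.basename(path), EXCLUDED_NAME_MASKS):
        return False
    return True


def partition(paths):
    """Split a file listing into (overwritten, spared) according to the rules."""
    hit = [p for p in paths if would_be_overwritten(p)]
    spared = [p for p in paths if not would_be_overwritten(p)]
    return hit, spared


# Constructed sample listing (not from the page).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx",            # overwritten
    r"C:\Users\alice\Pictures\holiday.jpg",             # overwritten
    r"C:\Users\alice\Desktop\shortcut.lnk",             # spared: *.lnk
    r"C:\Users\alice\NTUSER.DAT",                       # spared: ntuser.*
    r"C:\Windows\win.ini",                              # spared: Windows folder
    r"C:\Program Files (x86)\App\settings.xml",         # spared: Program Files*
    r"C:\System Volume Information\tracking.log",       # spared: folder
    r"C:\bootmgr",                                      # spared: name
    r"C:\inetpub\wwwroot\web.config",                   # overwritten
    r"D:\shares\finance\Q3.xlsx",                       # overwritten
]

if __name__ == "__main__":
    hit, spared = partition(SAMPLE_PATHS)
    print("would be overwritten:", *hit, sep="\n  ")
    print("spared:", *spared, sep="\n  ")
```

Note that because the Trojan keeps the original file size, a size comparison against a backup index will not reveal damage; only content (hashes or a header check) will.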
The Trojan terminates the following processes:
*sql*
*msdtssrvr*
*fdlauncher*
*ReportingServicesService*
*mad*
*exchange*
*w3wp*
*iis*
*exfba*
*store*
*inet*
The Trojan creates the following file on the desktop of All Users, Default User, and the current user:
DECRYPT_INSTRUCTION.html
The Trojan always uses the following personal code in DECRYPT_INSTRUCTION.html:
vRRRbw
The Trojan masquerades as Trojan.Cryptowall, but Cryptowall uses a unique personal code for each compromised computer, so a note carrying the fixed code above points to Phonywall rather than Cryptowall. Because the Trojan overwrites file contents instead of encrypting them, no key can recover the affected files; they can only be restored from backups.
Last update 27 November 2015
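A small triage helper, added here and not part of the Symantec write-up, that applies the two indicators the page gives for telling this Trojan apart: the service and Run entries described under the registry section (DisplayName "CheckDisk Service", a launcher under a ...\Microsoft\Windows\ folder followed by -run) and the fixed personal code in DECRYPT_INSTRUCTION.html. The registry records and note bodies are constructed samples; the random service and value names, the -run parameter value, the loose matching of the launcher directory (so both "Application Data" and "AppData\Roaming" expansions are caught) and the layout of the note (the code following the words "personal code") are assumptions, since the page does not show the note's markup.

```python
import re

# Indicators taken from the Symantec description.
SERVICE_DISPLAY_NAME = "CheckDisk Service"
PHONYWALL_PERSONAL_CODE = "vRRRbw"

# Shape of both the service ImagePath and the HKCU Run value on the page:
# an .exe below a ...\Microsoft\Windows\ folder, optionally quoted, followed
# by "-run". Assumption: the directory above that is not checked, so XP-style
# and newer expansions of the environment variables are both matched.
RUN_CMDLINE_RE = re.compile(
    r'^"?[^"]*\\Microsoft\\Windows\\[^\\"]+\.exe"?\s*-run\b', re.IGNORECASE
)


def is_phonywall_cmdline(cmdline):
    """True for an ImagePath or Run value shaped like the Trojan's launcher."""
    return RUN_CMDLINE_RE.match(cmdline or "") is not None


def is_phonywall_service(values):
    """values: the value names under one HKLM\\...\\Services\\<name> key."""
    if values.get("DisplayName") != SERVICE_DISPLAY_NAME:
        return False
    return is_phonywall_cmdline(values.get("ImagePath", ""))


def note_personal_code(html):
    """Pull the personal code out of a DECRYPT_INSTRUCTION.html body.
    Assumption: the code is the first alphanumeric run of 4+ characters after
    the words 'personal code'."""
    m = re.search(r"personal\s+code[^A-Za-z0-9]*([A-Za-z0-9]{4,})", html,
                  re.IGNORECASE)
    return m.group(1) if m else None


def classify_note(html):
    code = note_personal_code(html)
    if code is None:
        return "no-code"
    return "phonywall" if code == PHONYWALL_PERSONAL_CODE else "per-host"


def triage(services, run_values, note_html):
    """Combine the indicators into one verdict for an investigated host."""
    svc_hits = sorted(n for n, v in services.items() if is_phonywall_service(v))
    run_hits = sorted(n for n, v in run_values.items() if is_phonywall_cmdline(v))
    note = classify_note(note_html)
    phonywall = bool(svc_hits or run_hits) or note == "phonywall"
    return {
        "services": svc_hits,
        "run_values": run_hits,
        "note": note,
        # Phonywall overwrites data rather than encrypting it, so no key can
        # bring the files back; only backups can.
        "restore_from_backup_only": phonywall,
    }


# --- constructed sample data (not from the page) ---------------------------
SAMPLE_SERVICES = {
    "xkqpzt": {  # placeholder for the [RANDOM CHARACTERS] service name
        "Type": 0x10, "Start": 2, "ErrorControl": 1,
        "ImagePath": r'"C:\ProgramData\Application Data\Microsoft\Windows\xkqpzt.exe" -run 7',
        "DisplayName": "CheckDisk Service",
        "Description": "Creates and displays a status report for a disk based on "
                       "the file system. Chkdsk also lists and corrects errors on the disk.",
    },
    "Dnscache": {
        "Type": 0x20, "Start": 2, "ErrorControl": 1,
        "ImagePath": r"C:\Windows\system32\svchost.exe -k NetworkService",
        "DisplayName": "DNS Client",
    },
}
SAMPLE_RUN_VALUES = {
    "qzwxkv": r'"C:\Users\alice\AppData\Roaming\Microsoft\Windows\qzwxkv.exe"-run 7',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
PHONYWALL_NOTE = "<html><body><p>Your personal code: vRRRbw</p></body></html>"
OTHER_NOTE = "<html><body><p>Your personal code: 3F9A2C1B7D</p></body></html>"

if __name__ == "__main__":
    print(triage(SAMPLE_SERVICES, SAMPLE_RUN_VALUES, PHONYWALL_NOTE))
```

On a live host the `services` and `run_values` dictionaries would be filled from the HKLM\SYSTEM\CurrentControlSet\Services subkeys and the HKCU Run key (or from an exported hive); the functions only look at the value strings, so the collection method does not matter.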