Home / malwarePDF  

Worm:MSIL/Crilock.A


First posted on 18 January 2014.
Source: Microsoft

Aliases :

There are no other names known for Worm:MSIL/Crilock.A.

Explanation :

Threat behavior

Installation

This threat drops itself as msunet.exe in .

It creates the following registry entry so that it automatically runs every time Windows starts:

In subkeys: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value = "Userinit"
With data = "\userinit.exe,,\msunet.exe"

In subkeys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value = "MSUpdate"
With data = "\msunet.exe"

In subkeys: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value = "*MSUpdateData"
With data: "\msunet.exe"

Spreads via...

Removable drives

It drops copies of itself in all removable drives with the name setup.exe. It might also overwrite any EXE file found in these removable drives.

Payload

Changes Autorun settings

This threat changes the Autorun/Autoplay feature for removable USB and CD/DVD drives to a default value:

In subkeys: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoDriveTypeAutoRun"
With data: "145"

Encrypts files

This threat goes through your PC and encrypts the following file types using a unique public key with RSA-4096. It then asks you to pay to receive the private key and retrieve your files. It asks you to pay using Bitcoin within a 72-hour period.

  • 3fr
  • accdb
  • ai
  • arw
  • bay
  • cdr
  • cer
  • cr2
  • crt
  • crw
  • dbf
  • dcr
  • der
  • dng
  • doc
  • docm
  • docx
  • dwg
  • dxf
  • dxg
  • eps
  • erf
  • indd
  • jpe
  • jpg
  • kdc
  • mdb
  • mdf
  • mef
  • mp3
  • mp4
  • mrw
  • nef
  • nrw
  • odb
  • odm
  • odp
  • ods
  • odt
  • orf
  • p12
  • p7b
  • p7c
  • pdd
  • pef
  • pem
  • pfx
  • ppt
  • pptm
  • pptx
  • psd
  • pst
  • ptx
  • r3d
  • raf
  • raw
  • rtf
  • rwl
  • srf
  • srw
  • txt
  • wb2
  • wpd
  • wps
  • xlk
  • xls
  • xlsb
  • xlsm
  • xlsx


It avoids encrypting files in these folders:

  • :\windows
  • :\program files
  • :\programdata
  • :\$windows
  • :\$recycle.bin\
  • \appdata\
  • \application data\


Send and receive commands

As of this writing, this threat connects to these servers to receive commands and send information about your PC:

  • strathmorej.byethost3.com
  • strathmorej.coolpage.biz


It can receive these commands:

  • Update itself
  • Disable shutting down your PC
  • Run a denial of service (DoS) attack against a given system
  • Get information about your PC




Analysis by Marianne Mallen

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these file:
    • \msunet.exe
  • You see these entries or keys in your registry:

    In subkeys: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value = "Userinit"
    With data = "\userinit.exe,,\msunet.exe"

    In subkeys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value = "MSUpdate"
    With data = "\msunet.exe"

    In subkeys: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce andHKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Sets value = "*MSUpdateData"
    With data: "\msunet.exe"

  • You can't open files and you're asked to pay a ransom to retrieve them

Last update 18 January 2014

 

TOP

Malware :

Family: