
Ransom:Win32/Genasom.EJ


First posted on 24 May 2014.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Genasom.EJ.

Explanation:

Threat behavior

Trojan:Win32/Ransom.EJ is a member of the Trojan:Win32/Ransom family, a family of trojans that seize control of the computer on which they are installed. This trojan prevents the user from accessing websites by covering the web browser window with an image. The image contains instructions telling the user to send an SMS to a premium-rate number in order to remove the image and unlock the web browser.

Installation

Upon execution, Trojan:Win32/Ransom.EJ may drop a copy of itself to the following locations:

  • %AppData%\mozilla\firefox\firefox.exe
  • %AppData%\google\chrome\chrome.exe
  • %AppData%\microsoft\dllhsts.exe
  • %AppData%\identities\\svghost.exe


It also creates the following registry entries so that its copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Firefox helper"
With data: %AppData%\mozilla\firefox\firefox.exe

Sets value: "Chrome"
With data: %AppData%\google\chrome\chrome.exe

Sets value:
With data: %AppData%\identities\\svghost.exe

Sets value:
With data: %AppData%\microsoft\dllhsts.exe

As part of its clean-up routine, it creates the following batch files, which delete its copy after it has run:

  • %Temp%\unlnk.bat
  • %Temp%\r.bat
  • %Temp%\clean.bat


Payload

Contacts remote hosts

Trojan:Win32/Ransom.EJ contacts the following remote hosts, which are not affiliated with Microsoft:

  • security0301-microsoftcom/index.php
  • security-3761-microsoftcom/index.php
  • security-9976-microsoftcom/index.php
  • security-3405-microsoftcom/index.php
  • security-2374-microsoftcom/index.php
  • security-4809-microsoftcom/index.php
  • feyana.jino.ru


The trojan retrieves from these hosts the ransom message that it displays to affected users.

Additional information

Trojan:Win32/Ransom.EJ creates the following mutexes to ensure that only one copy of the malware is running on the infected computer at any one time:

  • CHROME-HLP-<eight random alphanumeric characters>
  • SAF_{<random CLSID>}
  • msInternetExplorer-<six random alphanumeric characters>

Analysis by Zarestel Ferrer

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    %AppData%\google\chrome\chrome.exe
    %AppData%\identities\\svghost.exe
    %AppData%\microsoft\dllhsts.exe
    %AppData%\mozilla\firefox\firefox.exe
    %Temp%\clean.bat
    %Temp%\r.bat
    %Temp%\unlnk.bat

  • The presence of the following registry modifications:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Firefox helper"
    With data: %AppData%\mozilla\firefox\firefox.exe

    Sets value: "Chrome"
    With data: %AppData%\google\chrome\chrome.exe

    Sets value:
    With data: %AppData%\identities\\svghost.exe

    Sets value:
    With data: %AppData%\microsoft\dllhsts.exe
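The following PowerShell function is an added triage example and is not part of the Microsoft encyclopedia entry. It checks the current user profile for the dropped files and Run-key persistence listed above and matches supplied mutex names against the naming patterns described in the Additional information section. The file paths and Run-key data come from the entry; the mutex regular expressions, the assumption that the Run-key data may be stored with %AppData% unexpanded or quoted, and the function and parameter names (Test-GenasomEJIndicators, -MutexNames) are this example's own. PowerShell has no built-in way to enumerate mutexes, so mutex names are passed in by the caller (for example, parsed from Sysinternals handle.exe output); the sample names at the bottom are constructed.

```powershell
<#
Added example, not part of the Microsoft entry: checks the local user profile for the
Ransom:Win32/Genasom.EJ indicators listed in the entry. Mutex regexes are an assumption
derived from the patterns the entry describes.
#>
function Test-GenasomEJIndicators {
    [CmdletBinding()]
    param(
        # Mutex names observed on the host, supplied by the caller (hypothetical parameter).
        [string[]]$MutexNames = @()
    )

    $appData = $env:APPDATA
    $temp    = $env:TEMP

    # Dropped copies named in the entry. The entry shows "identities\\svghost.exe";
    # Windows collapses the doubled separator, so a single backslash is used here.
    $droppedCopies = @(
        (Join-Path $appData 'mozilla\firefox\firefox.exe'),
        (Join-Path $appData 'google\chrome\chrome.exe'),
        (Join-Path $appData 'microsoft\dllhsts.exe'),
        (Join-Path $appData 'identities\svghost.exe')
    )
    # Clean-up batch files the entry says are written to %Temp%.
    $cleanupFiles = @('unlnk.bat', 'r.bat', 'clean.bat') | ForEach-Object { Join-Path $temp $_ }

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Presence of the dropped files.
    foreach ($path in ($droppedCopies + $cleanupFiles)) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings.Add([pscustomobject]@{ Type = 'File'; Indicator = $path; Detail = '' })
        }
    }

    # 2. Run-key persistence pointing at a dropped copy. The value name is not relied on
    #    (the entry leaves two of them blank); the data is expanded and unquoted before
    #    comparison, which is case-insensitive via -contains.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
        $props = (Get-ItemProperty -Path $runKey).PSObject.Properties |
                 Where-Object { $_.Name -notin $providerProps }
        foreach ($p in $props) {
            $data = [Environment]::ExpandEnvironmentVariables(([string]$p.Value).Trim('"', ' '))
            if ($droppedCopies -contains $data) {
                $findings.Add([pscustomobject]@{ Type = 'RunKey'; Indicator = "$runKey\$($p.Name)"; Detail = $data })
            }
        }
    }

    # 3. Mutex names matching the patterns in the entry (assumed character classes:
    #    alphanumeric for the random suffixes, a GUID for the "random CLSID").
    $mutexPatterns = @(
        '^CHROME-HLP-[A-Za-z0-9]{8}$',
        '^SAF_\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$',
        '^msInternetExplorer-[A-Za-z0-9]{6}$'
    )
    foreach ($name in $MutexNames) {
        foreach ($rx in $mutexPatterns) {
            if ($name -match $rx) {
                $findings.Add([pscustomobject]@{ Type = 'Mutex'; Indicator = $name; Detail = $rx })
                break
            }
        }
    }

    return $findings
}

# Usage on the host being triaged. The mutex names below are constructed sample input;
# the first two match the entry's patterns, the third does not.
$sampleMutexes = @(
    'CHROME-HLP-a1B2c3D4',
    'SAF_{12345678-1234-1234-1234-123456789abc}',
    'Unrelated-Application-Mutex'
)
Test-GenasomEJIndicators -MutexNames $sampleMutexes | Format-Table -AutoSize
```

Run it in the context of the user whose profile is suspected, since both %AppData% and HKCU resolve per user; an empty result means none of the listed indicators were found for that user, not that the host is clean.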

Last update 24 May 2014
