Malware that infects executable files on victim computer and ask to pay ransom in BTC.
Each infected executable is overwritted by copy of malware with saved icon of original executable. Massive executables infecting gives this malware ability to survive removal and re-infect PC.
Runs via
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Alters Windows Explorer settings:
1) file extensions -> reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2) hidden files -> reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Turn off UAC -> reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Monitors user activity -> blocks execution of several programs by looking for specific windows titles/classnames, including malware process names.
The following names are identified:
1) Windows Task Manager
2) Run
3) Open
4) malware process names (thus preventing to view process properties for example)
5) RegEdit_RegEdit
Capable of infecting removal drives.
Example of infected file -> https://www.virustotal.com/en/file/113c ... /analysis/ (used gmer found on infected computer)
One of the VT reports for sample in archive
https://www.virustotal.com/en/file/4183 ... /analysis/
Dont be confused by high VT detection ratio - the only 4 products here correctly detect this malware.
Each infected executable is overwritted by copy of malware with saved icon of original executable. Massive executables infecting gives this malware ability to survive removal and re-infect PC.
Runs via
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Alters Windows Explorer settings:
1) file extensions -> reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2) hidden files -> reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Turn off UAC -> reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Monitors user activity -> blocks execution of several programs by looking for specific windows titles/classnames, including malware process names.
The following names are identified:
1) Windows Task Manager
2) Run
3) Open
4) malware process names (thus preventing to view process properties for example)
5) RegEdit_RegEdit
Capable of infecting removal drives.
Example of infected file -> https://www.virustotal.com/en/file/113c ... /analysis/ (used gmer found on infected computer)
One of the VT reports for sample in archive
https://www.virustotal.com/en/file/4183 ... /analysis/
Dont be confused by high VT detection ratio - the only 4 products here correctly detect this malware.
Attachments
pass: infected
(941.28 KiB) Downloaded 180 times
(941.28 KiB) Downloaded 180 times
Ring0 - the source of inspiration
