TSPY_KOLLAH.F
Overview



Type: Spyware

In the wild: No

Destructive: No

Language: English

Systems affected: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Low

Reported detections:

Low

System impact:

High

Information exposure:

High


Description:

To get a one-glance comprehensive view of the behavior of this spyware, refer to the Behavior Diagram shown below.

TSPY_KOLLAH.F Behavior Diagram

Spyware Overview

This spyware may arrive as a file dropped or downloaded by other malware. It may also be downloaded from the Internet.

It encrypts files with certain extensions on all available drives of the affected system. Each encrypted file contains a certain string that marks it as already encrypted.

It then creates a text file, which it drops in every affected folder. The contents of the said text file are as follows:

Hello, your files are encrypted with RSA-4096 algorithm
(http://en.wikipedia.org/wiki/RSA).

You will need at least few years to decrypt these files without our
software. All your private information for last 3 months were
collected and sent to us.

To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at: %s and provide us
your personal code %d. After successful purchase we will send
your decrypting tool, and your private information will be deleted
from our system.

If you will not contact us until 07/15/2007 your private information
will be shared and you will lost all your data.

Glamorous team

Note that %s refers to any one of four predefined email addresses, while %d refers to the encryption code.
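As an added triage example (not Trend Micro's code), the following Python walks a directory tree for small text files matching the note template quoted above and pulls out the values the spyware filled into %s and %d. The page does not name the dropped file, so the file name, the contact address and the personal code used here are constructed.

```python
import os
import re
import tempfile
# Fixed phrases from the note template quoted in the description above.
NOTE_MARKERS = ("your files are encrypted with RSA-4096 algorithm", "Glamorous team")
# Where the template fills in %s (contact address) and %d (personal code).
CONTACT_RE = re.compile(r"contact us at:\s*(\S+)\s+and provide us")
CODE_RE = re.compile(r"your personal code\s+(\d+)")

def parse_note(text):
    """Return {'contact', 'code'} if text matches the template, else None."""
    if not all(marker in text for marker in NOTE_MARKERS):
        return None
    contact = CONTACT_RE.search(text)
    code = CODE_RE.search(text)
    return {"contact": contact.group(1) if contact else None,
            "code": int(code.group(1)) if code else None}

def find_notes(root, max_size=4096):
    """Map each folder under root that holds a matching note to its parsed fields."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue  # notes are short; skip large (possibly encrypted) files
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    parsed = parse_note(fh.read())
            except OSError:
                continue
            if parsed:
                hits[dirpath] = parsed
    return hits

# Constructed sample note: the quoted template with made-up %s and %d values.
SAMPLE_NOTE = ("Hello, your files are encrypted with RSA-4096 algorithm\n"
               "To buy our software please contact us at: attacker@example.invalid and provide us\n"
               "your personal code 12345. After successful purchase we will send\n"
               "your decrypting tool.\n\nGlamorous team\n")

def demo():
    # Drop the sample note in two folders plus one benign file; return the folders hit.
    with tempfile.TemporaryDirectory() as root:
        for sub in ("docs", os.path.join("docs", "2007")):
            os.makedirs(os.path.join(root, sub), exist_ok=True)
            with open(os.path.join(root, sub, "note.txt"), "w") as fh:  # constructed name
                fh.write(SAMPLE_NOTE)
        with open(os.path.join(root, "benign.txt"), "w") as fh:
            fh.write("nothing to see here\n")
        return {os.path.relpath(d, root): v for d, v in find_notes(root).items()}
```

Running `demo()` reports the two folders holding the note, each with the extracted contact address and personal code, and ignores the benign file.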

This spyware also downloads a component file that may lower Internet Security Zone settings. This routine allows access to malicious Web sites, which may contain more malicious files. Thus, the affected system is open to more threats.

Furthermore, it gathers information, such as user names and passwords from the affected system. It also terminates itself once it finds certain security-related processes running in memory. This spyware implements an encryption routine with similarities to RC4 encryption.

For additional information about this threat, see:
Solution
Technical Details

Description created: Jul 16, 2007



