WORM_RANSOM.FD
Technical Details

File type: EXE

Memory resident: Yes

Size of malware: 131,072 Bytes

Initial samples received on: Jun 23, 2009


Details:

Arrival Details and Installation

This worm may be downloaded from remote site(s) by other malware.

It may be dropped by other malware.

It may be downloaded unknowingly by a user when visiting malicious Web site(s).

It drops the following copy(ies) of itself:

  • %System%\kkk.exe
  • %System%\recovery.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following file(s)/component(s), which may possibly be malicious:

  • %System%\RansomWar.txt - non-malicious file

Autostart Techniques and Other System Modifications

This worm creates the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Recovery Console = "%System%\recovery.exe"

It creates the following registry key(s)/entry(ies):

HKEY_CURRENT_USER\Identities\{0C0763B6-7496-4D73-AF61-F747E5CEBA0A}\Software\Microsoft\Outlook Express\5.0\Mail
Warn on Mapi Send = "0"

Propagation via Email

This worm uses the Messaging Application Programming Interface (MAPI) to send email messages with a copy of itself as an attachment. The email messages it sends out bear the following details:

SUBJECT:
You are a very lucky man, read this mail!

BODY:
Hi, you won a big amount of money!!! If you want to know more look at the attachment!

ATTACHMENT:
BigCashForYou.exe

It gathers target email addresses from cached email messages, address books, and mail boxes.
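The three mail-side indicators above (subject, body text, attachment name) can be checked against a raw message before it reaches a mailbox. The following PowerShell function is an added example, not Trend Micro's code: it takes the raw RFC 822 text of a message (a .eml file or a gateway quarantine dump), splits headers from body at the first blank line, and reports which indicators matched. The sample message at the bottom is constructed for the demonstration.

```powershell
# Added example: match a raw message against the WORM_RANSOM.FD email indicators.
function Test-RansomFdMail {
    param([Parameter(Mandatory)][string]$RawMessage)

    # Header block ends at the first blank line; non-capturing group so -split
    # does not emit the delimiter, max 2 substrings keeps the body whole.
    $parts   = $RawMessage -split '(?:\r?\n){2}', 2
    $headers = $parts[0]
    $body    = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    [pscustomobject]@{
        # Subject line exactly as listed on the page (case-insensitive, multiline)
        SubjectMatch    = [bool]($headers -match '(?im)^Subject:\s*You are a very lucky man, read this mail!\s*$')
        # Lure sentence from the body
        BodyMatch       = [bool]($body -match '(?i)you won a big amount of money')
        # Attachment name appears as a name=/filename= MIME parameter
        AttachmentMatch = [bool]($RawMessage -match '(?i)(?:filename|name)="?BigCashForYou\.exe"?')
    }
}

# Constructed sample message (not a real capture) to exercise the function.
$sample = @"
From: sender@example.invalid
To: recipient@example.invalid
Subject: You are a very lucky man, read this mail!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, you won a big amount of money!!! If you want to know more look at the attachment!
--b1
Content-Type: application/octet-stream; name="BigCashForYou.exe"
Content-Disposition: attachment; filename="BigCashForYou.exe"

(binary omitted)
--b1--
"@

Test-RansomFdMail -RawMessage $sample
```

Any one of the three properties being true is enough to quarantine for review; all three together on a message carrying an .exe attachment is a strong match for this worm's propagation email.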

Other Details

This worm creates the following mutex(es) to ensure that only one instance of itself is running in memory:

  • RansomWar_EOF

Upon execution, it searches for and encrypts files found on fixed drives. It avoids encrypting files with the following extensions:

  • .dll
  • .drv
  • .exe
  • .ini
  • .rwg
  • .vxd

As a result, the said files become unreadable. It then opens the file %System%\RansomWar.txt. The said file contains the following strings:

Dear user,
some of your files have been encrypted using a quite strong system.
Now you are scared but I will not ask you for money.
If you want to get back your files you can do following:
1) Contact a good antivirus-company that will decrypt them for you
2) You can send an email to back9001@yahoo.com requesting a decryptor program
3) You can launch your PC trought the window or use a better OS (like linux) :)

RansomWar by [WarGame,#eof]

After encryption, it renames each encrypted file by appending the .RWG extension. For example, if the original filename is DOCUMENT.TXT, it becomes DOCUMENT.TXT.RWG.
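The host-side indicators from the Installation, Autostart, and Other Details sections (dropped files under %System%, the Run value, the suppressed MAPI send warning, the mutex, and the .RWG-renamed files) can be checked on a suspect machine in one pass. The script below is an added example written for this page, not Trend Micro's or the worm author's code. It is report-only and assumes an elevated PowerShell 3+ session with .NET 4.5 or later (for Mutex.TryOpenExisting). The Outlook Express identity GUID quoted on the page is profile-specific, so the script checks every identity under HKCU\Identities rather than that one value.

```powershell
# Added example: report-only triage for WORM_RANSOM.FD indicators on this host.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies and the ransom note under %System% (resolved for this host)
$sys = [Environment]::GetFolderPath('System')
foreach ($name in 'kkk.exe', 'recovery.exe', 'RansomWar.txt') {
    $p = Join-Path $sys $name
    if (Test-Path -LiteralPath $p) { $findings.Add("dropped file present: $p") }
}

# 2. Autostart: Run value 'Windows Recovery Console' -> %System%\recovery.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Windows Recovery Console']) {
    $findings.Add("autostart value: Windows Recovery Console = $($run.'Windows Recovery Console')")
}

# 3. MAPI send warning suppressed ("Warn on Mapi Send" = 0) in any OE identity
Get-ChildItem 'HKCU:\Identities' -ErrorAction SilentlyContinue | ForEach-Object {
    $mail = "HKCU:\Identities\$($_.PSChildName)\Software\Microsoft\Outlook Express\5.0\Mail"
    $v = Get-ItemProperty -Path $mail -Name 'Warn on Mapi Send' -ErrorAction SilentlyContinue
    # Cast to string so REG_SZ "0" and a DWORD 0 compare the same way
    if ($v -and "$($v.'Warn on Mapi Send')" -eq '0') {
        $findings.Add("MAPI send warning disabled in identity $($_.PSChildName)")
    }
}

# 4. Mutex RansomWar_EOF exists only while an instance of the worm is running
$m = $null
if ([System.Threading.Mutex]::TryOpenExisting('RansomWar_EOF', [ref]$m)) {
    $findings.Add('mutex RansomWar_EOF is open: worm is likely running')
    $m.Dispose()
}

# 5. Scope of damage: count *.RWG files on each fixed drive (DriveType 3)
$fixed = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3'
foreach ($d in $fixed) {
    $rwg = Get-ChildItem -Path "$($d.DeviceID)\" -Filter '*.RWG' -Recurse -File -Force -ErrorAction SilentlyContinue
    if ($rwg) {
        $findings.Add("$($d.DeviceID): $($rwg.Count) encrypted file(s), e.g. $($rwg[0].FullName)")
    }
}

if ($findings.Count -eq 0) { 'no WORM_RANSOM.FD indicators found' } else { $findings }
```

The .RWG sweep is the slow step on a large volume but also the useful one for incident scoping, since the count per drive tells you how far encryption got before the process was stopped. Findings 1 through 3 persist after a reboot; finding 4 only appears while the worm is running, so its absence does not clear the host.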

Affected Platforms

This worm runs on Windows 98, ME, NT, 2000, XP, Server 2003.

Analysis By: Kathleen Mae Notario

