Description:
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware.
It searches for and encrypts files with certain extension names found on any readable and writable drive.
As a result, the said files become unreadable. It then drops and opens a .VBS file which informs the user that the files have been encrypted, and that special software must be purchased to decrypt the files. It displays the following message box:

The email address that the affected user is told to contact to acquire the decryptor is a random email address.
After encryption, it renames the encrypted file by appending the ._CRYPT extension. For example, if the original filename is DOCUMENT.TXT, it becomes DOCUMENT.TXT._CRYPT.
This Trojan also drops the file !_READ_ME_!.txt in every folder that contains encrypted files. The said file contains the following strings:
Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: {random email address}
=== BEGIN ===
=== END ===
================
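A triage sketch for the two on-disk artifacts described above (the ._CRYPT suffix and the !_READ_ME_!.txt note), added here as an example and not part of the original description. The function names, the case-insensitive matching and the sample folder tree are assumptions; the tree is constructed in a temporary directory.

```python
import os
import tempfile
from collections import namedtuple

# Both indicators come from the description above.
CRYPT_SUFFIX = "._CRYPT"        # appended to every encrypted file
NOTE_NAME = "!_READ_ME_!.txt"   # dropped in folders with encrypted files

FolderReport = namedtuple("FolderReport", "path note_present originals")

def original_name(name):
    """Return the pre-encryption filename, or None if the suffix is absent.
    Matching is case-insensitive (assumption: Windows volumes ignore case)."""
    if len(name) > len(CRYPT_SUFFIX) and name.upper().endswith(CRYPT_SUFFIX):
        return name[:-len(CRYPT_SUFFIX)]
    return None

def scan(root):
    """List each folder under root that holds renamed files or the note."""
    reports = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        originals = sorted(o for o in map(original_name, files) if o)
        note = any(f.lower() == NOTE_NAME.lower() for f in files)
        if originals or note:
            reports.append(FolderReport(dirpath, note, originals))
    return reports

def build_sample(root):
    """Create a constructed test tree (empty files, names only)."""
    layout = {
        "docs": ["DOCUMENT.TXT._CRYPT", "report.doc._crypt", NOTE_NAME],
        "clean": ["notes.txt"],
        "partial": ["photo.jpg._CRYPT"],  # renamed file, note missing
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            open(os.path.join(root, folder, n), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for r in scan(tmp):
            flag = "note" if r.note_present else "NO note"
            print(f"{r.path}: {len(r.originals)} file(s) to restore, {flag}")
            for name in r.originals:
                print("   ", name)
```

The `originals` list gives, per folder, the filenames to look for in backups.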
Description created: Jun. 8, 2008 5:13:45 PM GMT -0800