Ransomware_f6d6319008

by malwarelabrobot on October 24th, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Win32/DH{IH0iIwMPHicT} (AVG)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: f6d63190089664f276b65a7c3baf8aa0
SHA1: 13a5f9d836dcc6516d66d9cbadc1f1f5739501c2
SHA256: f393638c0186e362ec090e7b1c33057609cfa7dddcbe7401e6a0dffd7069d4cd
SSDeep: 384:Gw1btwn2VO3kA1w93t0Fic44MizEJKW1b:nUU2I3yFitn7Jl
Size: 18432 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: SummerSoft
Created at: 2013-10-06 23:58:33


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Ransom. Disables the compromised computer or restricts access to certain data so that the victim can no longer use it. The victim is expected to send payment to the hijacker to restore access to the blocked data or re-enable the system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

Reader_sl.exe:1064
wuauclt.exe:344
IE11Update.exe:1616
IE11Update.exe:868
jusched.exe:1056
f6d63190089664f276b65a7c3baf8aa0.exe:452

File activity

The process wuauclt.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process IE11Update.exe:1616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\config\system (4897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\N.jpg (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\L.jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7.jpg (714 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5.jpg (727 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (4512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9.jpg (730 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (3696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\M.jpg (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8.jpg (722 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.jpg (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.jpg (730 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.jpg (724 bytes)
%System%\config (288 bytes)
%System%\config\SYSTEM.LOG (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0.jpg (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\K.jpg (3544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6.jpg (722 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.jpg (752 bytes)

The process IE11Update.exe:868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\config (288 bytes)
%System%\config\system (1590 bytes)
%System%\config\SYSTEM.LOG (3745 bytes)

The process jusched.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

The process f6d63190089664f276b65a7c3baf8aa0.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Desktop\IE11Update.exe (18 bytes)

Registry activity

The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process IE11Update.exe:1616 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 A7 92 B7 79 6F 02 73 B9 05 56 3D 5E 2F 3A B7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*IE11Update" = "%Documents and Settings%\%current user%\Desktop\IE11Update.exe"

The process IE11Update.exe:868 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 A3 96 87 9B 3C 5E 19 A7 C7 7C BE 3A C3 8E EC"

The process f6d63190089664f276b65a7c3baf8aa0.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Screenshot


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wuauclt.exe:344
    IE11Update.exe:1616
    IE11Update.exe:868
    f6d63190089664f276b65a7c3baf8aa0.exe:452

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %System%\config\system (4897 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\N.jpg (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\L.jpg (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7.jpg (714 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5.jpg (727 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (4512 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\9.jpg (730 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\M.jpg (53 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\8.jpg (722 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3.jpg (718 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1.jpg (730 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2.jpg (724 bytes)
    %System%\config\SYSTEM.LOG (7345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0.jpg (716 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\K.jpg (3544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6.jpg (722 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.jpg (752 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
    %Documents and Settings%\%current user%\Desktop\IE11Update.exe (18 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "*IE11Update" = "%Documents and Settings%\%current user%\Desktop\IE11Update.exe"

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.