GPCoder.h

Type: Trojan
SubType: Win32
Discovery Date: 07/16/2007
Length: 58,368 bytes
Minimum DAT: 5076 (07/17/2007)
Updated DAT: 5076 (07/17/2007)
Minimum Engine: 5.1.00
Description Added: 07/16/2007
Description Modified: 07/17/2007 12:01 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update July 17, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blog.washingtonpost.com/securityfix/2007/07/your_money_or_your_documents.html

This trojan encrypts documents selected by file extension and then attempts to extort money from the victim in exchange for a decryptor tool that recovers the documents.

When run, this trojan searches for files with the following extensions:

  • .12m
  • .3ds
  • .3dx
  • .4ge
  • .4gl
  • .7z
  • .a
  • .a86
  • .abc
  • .acd
  • .ace
  • .act
  • .ada
  • .adi
  • .aex
  • .af3
  • .afd
  • .ag4
  • .ai
  • .aif
  • .aifc
  • .aiff
  • .ain
  • .aio
  • .ais
  • .akf
  • .alv
  • .amp
  • .ans
  • .ap
  • .apa
  • .apo
  • .app
  • .arc
  • .arh
  • .arj
  • .arx
  • .asc
  • .asm
  • .ask
  • .au
  • .bak
  • .bas
  • .bb
  • .bcb
  • .bcp
  • .bdb
  • .bh
  • .bib
  • .bpr
  • .bsa
  • .btr
  • .bup
  • .bwb
  • .bz
  • .bz2
  • .c
  • .c86
  • .cac
  • .cbl
  • .cc
  • .cdb
  • .cdr
  • .cgi
  • .cmd
  • .cnt
  • .cob
  • .col
  • .cpp
  • .cpt
  • .crp
  • .cru
  • .csc
  • .css
  • .csv
  • .ctx
  • .cvs
  • .cwb
  • .cwk
  • .cxe
  • .cxx
  • .cyp
  • .d
  • .db
  • .db0
  • .db1
  • .db2
  • .db3
  • .db4
  • .dba
  • .dbb
  • .dbc
  • .dbd
  • .dbe
  • .dbf
  • .dbk
  • .dbm
  • .dbo
  • .dbq
  • .dbt
  • .dbx
  • .dfm
  • .djvu
  • .dic
  • .dif
  • .dm
  • .dmd
  • .doc
  • .dok
  • .dot
  • .dox
  • .dsc
  • .dwg
  • .dxf
  • .dxr
  • .eps
  • .exp
  • .f
  • .fas
  • .fax
  • .fdb
  • .fla
  • .flb
  • .frm
  • .fm
  • .fox
  • .frm
  • .frt
  • .frx
  • .fsl
  • .gtd
  • .gif
  • .gz
  • .gzip
  • .h
  • .ha
  • .hh
  • .hjt
  • .hog
  • .hpp
  • .htm
  • .html
  • .htx
  • .ice
  • .icf
  • .inc
  • .ish
  • .iso
  • .jar
  • .jad
  • .java
  • .jpg
  • .jpeg
  • .js
  • .jsp
  • .key
  • .kwm
  • .lst
  • .lwp
  • .lzh
  • .lzs
  • .lzw
  • .ma
  • .mak
  • .man
  • .maq
  • .mar
  • .mbx
  • .mdb
  • .mdf
  • .mid
  • .mo
  • .myd
  • .obj
  • .old
  • .p12
  • .pak
  • .pas
  • .pdf
  • .pem
  • .pfx
  • .php
  • .php3
  • .php4
  • .pgp
  • .pkr
  • .pl
  • .pm3
  • .pm4
  • .pm5
  • .pm6
  • .png
  • .ppt
  • .pps
  • .prf
  • .prx
  • .ps
  • .psd
  • .pst
  • .pw
  • .pwa
  • .pwl
  • .pwm
  • .pwp
  • .pxl
  • .py
  • .rar
  • .res
  • .rle
  • .rmr
  • .rnd
  • .rtf
  • .safe
  • .sar
  • .skr
  • .sln
  • .swf
  • .sql
  • .tar
  • .tbb
  • .tex
  • .tga
  • .tgz
  • .tif
  • .tiff
  • .txt
  • .vb
  • .vp
  • .wps
  • .xcr
  • .xls
  • .xml
  • .zip

Matching files are encrypted, and a text file named read_me.txt containing the following text is placed in each affected directory:

Hello,    your   files   are   encrypted   with   RSA-4096   algorithm
(http://en.wikipedia.org/wiki/RSA).
You  will  need  at least few years to decrypt these files without our
software.  All  your  private  information  for  last  3  months  were
collected and sent to us.
To decrypt your files you need to buy our software. The price is $300.
To  buy  our software please contact us at: %s and provide us
your  personal code %d. After successful purchase we will send
your  decrypting  tool,  and  your private information will be deleted
from our system.
If  you  will not contact us until 07/15/2007 your private information
will be shared and you will lost all your data.
Glamorous team

The following registry value is set so that the trojan is launched at Windows logon:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
    \winlogon\userinit = "%SysDir%\userinit.exe, %SysDir%\ntos.exe,"

    (Where SysDir is the Windows System directory, e.g. C:\Windows\System32)
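Two of the artifacts above, the extra executable appended to the Winlogon Userinit value and the read_me.txt note, can be checked for with a short script. This is an added example, not code from the advisory or from McAfee; the sample Userinit value and the note excerpt are constructed from the text above, and the live registry read only works on Windows.

```python
import ntpath
import os
import sys

# Registry location from the advisory; a clean Userinit value holds only
# userinit.exe, and GPCoder.h appends ntos.exe to it.
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
LEGITIMATE_USERINIT = "userinit.exe"
# Constructed sample of the value the advisory describes, %SysDir% expanded.
SAMPLE_USERINIT = r"C:\Windows\System32\userinit.exe, C:\Windows\System32\ntos.exe,"
# Constructed excerpt of the read_me.txt note quoted in the advisory.
SAMPLE_NOTE = ("Hello, your files are encrypted with RSA-4096 algorithm\n"
               "To decrypt your files you need to buy our software.\nGlamorous team\n")
NOTE_MARKERS = ("rsa-4096", "decrypting tool", "glamorous team", "personal code")

def parse_userinit(value):
    """Split the comma-separated Userinit value into trimmed, lower-cased entries."""
    return [part.strip().lower() for part in value.split(",") if part.strip()]

def extra_userinit_entries(value):
    """Return every Userinit entry that is not the legitimate userinit.exe."""
    return [e for e in parse_userinit(value)
            if ntpath.basename(e) != LEGITIMATE_USERINIT]

def looks_like_gpcoder_note(text):
    """True when at least two of the note's distinctive phrases are present."""
    lowered = text.lower()
    return sum(marker in lowered for marker in NOTE_MARKERS) >= 2

def find_ransom_notes(root):
    """Walk root and return paths of read_me.txt files whose text matches the note."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() != "read_me.txt":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                if looks_like_gpcoder_note(fh.read()):
                    hits.append(path)
    return hits

def read_live_userinit():
    """Read the live Userinit value on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]
```

On a Windows host, `extra_userinit_entries(read_live_userinit())` should return an empty list; any entry it returns is worth investigating, and `find_ransom_notes(r"C:\")` locates the notes the trojan leaves behind.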

Symptoms

  • File types listed above overwritten with "garbage" (encrypted data).
  • Presence of the read_me.txt ransom note described above.

Method of Infection

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a detection for a ransomware trojan. It encrypts files on the hard drive, creates a text file indicating what has happened, and gives email addresses to send the ransom money to.

Aliases

  • Backdoor:Win32/Kollah.D (Microsoft)
  • TSPY_KOLLAH.F (TrendMicro)
  • Virus.Win32.Gpcode.ai (Kaspersky)