MayArchive

Type: Trojan
SubType: Win32
Discovery Date: 05/19/2006
Length:
Minimum DAT: 4766 (05/19/2006)
Updated DAT: 4766 (05/19/2006)
Minimum Engine: 5.1.00
Description Added: 05/19/2006
Description Modified: 05/22/2006 10:05 PM (PT)
Risk Assessment: Corporate User - Low; Home User - Low

Overview

MayArchive is a trojan that scans the hard drive of an infected machine for certain file types, copies these files to its own encrypted archive and deletes the original files. It then issues a ransom demand in an attempt to extort money from the victim, in order for them to obtain the password to recover the encrypted files.

The author chose the following password, which is stored in clear text within the trojan body:

"AssociateFileExtension"

Because this string commonly appears inside executables compiled with Visual Basic, the author apparently assumed that anyone examining the trojan's strings in search of the password would overlook it.

Aliases

  • MayArchive.B (F-Secure)
  • TROJ_MYARC.A (Trend Micro)
  • Trojan.Win32.MayArchive.b (Kaspersky)
  • W32/Archiveus.A (F-Prot)

Characteristics

When run, this trojan creates the following registry entries, which associate the ".als" extension it uses for its encrypted archives with the trojan executable itself (the path is wherever the sample was run from; in this analysis it was file1.exe on the Desktop):

  • HKEY_CLASSES_ROOT\.als
  • HKEY_CLASSES_ROOT\ALS\DefaultIcon
    %Userprofile%\Desktop\file1.exe,0
  • HKEY_CLASSES_ROOT\ALS\shell\open\command
    "%Userprofile%\Desktop\file1.exe" %1

Because of this association, opening an .als file launches the trojan with the archive as its argument.

It scans for files with the following extensions, copies them into its own archive named "EncryptedFiles.als", and deletes the originals:

arh, asm, arj, bas, cdr, cgi, chm, cpp, db, db1, db2, dbf, dbt, dbx, doc, dpr,
dsw, frm, frt, frx, gtd, gz, gzip, jpg, key, kwm, lst, man, mdb, mmf, mo, old,
p12, pas, pak, pdf, pgp, pl, pwl, pwm, rar, rtf, safe, tar, txt, xls, xml, zip

Creates the following files:

  • c:\EncryptedFiles.als --> archive built from scanning the entire hard drive
  • %Userprofile%\My Documents\Demo.als --> demo file showing how to get the encrypted files back
  • %Userprofile%\My Documents\EncryptedFiles.als --> archive built from the files in the My Documents folder
  • %Userprofile%\My Documents\INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt --> ransom note

When a user opens the archive, it lists the files it contains and prompts for a password. The instructions for obtaining that password are contained in the ransom note:

INSTRUCTIONS HOW TO GET YOUR FILES BACK
READ CAREFULLY

This is automated report generated by auto archiving software.

All your documents, text files and databases was archived
with the long password.

You can not guess the password for your archived files - password
length is more than 30 symbols that makes all password recovery
programs fail to bruteforce it (guess password by trying all
possible combinations).

Do not try to search for a program that encrypted your information - it
simply does not exist in your hard disk anymore.
System backup will not help you to restore files.
Reporting to police about a case will not help you, they do not know the
password. Reporting somewhere about our email account will not help
you to restore files. Moreover, you and other people will lose contact
with us, and consequently, all the encrypted information.

WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you.
You can even EARN extra money with us.
If you really care about the documents and information in encrypted files,
you should send an email to restoring@safe-mail.net or restoringfiles@yahoo.com
This is your only way to get your files back and save your time.

We do not want to do you any harm, we do not ask you for money, we only
want to do business with you.


##########################################################################
Remember you are just one step away from your files
##########################################################################

The password for the files the trojan stores in the EncryptedFiles.als archive is "AssociateFileExtension". Note that this is 22 characters, not the "more than 30 symbols" the ransom note claims, and it is recoverable from the trojan body without any brute forcing.

Please note that, due to a bug in the trojan's code, some files may be corrupted after being restored; check that restored documents actually open rather than assuming recovery was complete.

Symptoms

  • Presence of aforementioned encrypted files "Demo.als" and "EncryptedFiles.als".
  • Presence of aforementioned "INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt" ransom note.
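The indicators above (the .als registry association pointing at the trojan's own executable, the dropped file names, and the targeted extension list) lend themselves to a quick host-triage check. The following Python is an added example written for this page, not McAfee/AVERT tooling or the trojan author's code. To stay platform-independent it reads a `reg export HKEY_CLASSES_ROOT` text and a plain list of paths instead of the live registry and file system; REG_SAMPLE and SAMPLE_PATHS are constructed inputs modelled on the entries listed above, and every function name is this example's own.

```python
"""Host-triage helper for the MayArchive indicators listed on this page.

Added example (not McAfee/AVERT's or the trojan author's code). Works on an
exported .reg text and a path list so it runs offline on any platform;
REG_SAMPLE and SAMPLE_PATHS are constructed test data."""
import re
from pathlib import PureWindowsPath

# Files the description says the trojan creates (matched by name, case-insensitively).
IOC_FILENAMES = {"encryptedfiles.als", "demo.als",
                 "instructions how to get your files back.txt"}

# Extensions the trojan archives and deletes, as listed on the page.
TARGET_EXTENSIONS = {
    "arh", "asm", "arj", "bas", "cdr", "cgi", "chm", "cpp", "db", "db1", "db2",
    "dbf", "dbt", "dbx", "doc", "dpr", "dsw", "frm", "frt", "frx", "gtd", "gz",
    "gzip", "jpg", "key", "kwm", "lst", "man", "mdb", "mmf", "mo", "old", "p12",
    "pas", "pak", "pdf", "pgp", "pl", "pwl", "pwm", "rar", "rtf", "safe", "tar",
    "txt", "xls", "xml", "zip",
}

# Locations a legitimate file-type handler should not live in.
USER_WRITABLE_MARKERS = ("%userprofile%", "\\documents and settings\\",
                         "\\users\\", "%appdata%", "%temp%")

# Constructed `reg export HKEY_CLASSES_ROOT` fragment shaped after the keys the
# description lists; Desktop\file1.exe is the path given on the page.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.als]
@="ALS"
[HKEY_CLASSES_ROOT\ALS\DefaultIcon]
@="C:\\Documents and Settings\\user\\Desktop\\file1.exe,0"
[HKEY_CLASSES_ROOT\ALS\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Desktop\\file1.exe\" %1"
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""

# Constructed stand-in for a recursive directory listing of the victim machine.
SAMPLE_PATHS = [
    r"C:\EncryptedFiles.als",
    r"C:\Documents and Settings\user\My Documents\Demo.als",
    r"C:\Documents and Settings\user\My Documents\EncryptedFiles.als",
    r"C:\Documents and Settings\user\My Documents\INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt",
    r"C:\Documents and Settings\user\My Documents\budget.xls",
    r"C:\Documents and Settings\user\My Documents\photo.JPG",
    r"C:\Program Files\tool\readme.html",
]

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"\s*$')


def parse_reg_export(text):
    """Map each key in a .reg export to its default (@) string value, unescaped."""
    values, key = {}, None
    for line in text.splitlines():
        if m := _KEY_RE.match(line):
            key = m.group("key")
        elif key and (m := _DEFAULT_RE.match(line)):
            # .reg syntax escapes backslashes and quotes as \\ and \"
            values[key] = re.sub(r"\\(.)", r"\1", m.group("val"))
    return values


def handler_executable(command):
    """Return the program path from a shell\\open\\command value."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_associations(values):
    """(ext, ProgID, exe) for every extension whose open handler sits in a
    user-writable directory, which is how the .als -> file1.exe association
    from the description shows up; handlers under %SystemRoot% are not flagged."""
    findings = []
    for key, progid in sorted(values.items()):
        hive, _, name = key.partition("\\")
        if hive != "HKEY_CLASSES_ROOT" or not name.startswith(".") or "\\" in name:
            continue
        cmd = values.get(f"HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command", "")
        exe = handler_executable(cmd)
        if any(marker in exe.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append((name, progid, exe))
    return findings


def find_ioc_files(paths):
    """Paths whose file name matches one the trojan creates."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in IOC_FILENAMES]


def targeted_files(paths):
    """Paths the trojan would have archived and deleted: what to expect inside
    EncryptedFiles.als and what to check for corruption after restoring."""
    return [p for p in paths
            if PureWindowsPath(p).suffix.lstrip(".").lower() in TARGET_EXTENSIONS]


def triage(reg_text=REG_SAMPLE, paths=SAMPLE_PATHS):
    return {"associations": suspicious_associations(parse_reg_export(reg_text)),
            "ioc_files": find_ioc_files(paths),
            "targeted": targeted_files(paths)}
```

On a real machine, feed parse_reg_export the decoded contents of `reg export HKEY_CLASSES_ROOT hkcr.reg` (the export is UTF-16 text, so decode it before passing it in) and give find_ioc_files and targeted_files a recursive directory listing. The association check deliberately flags any extension whose handler lives under a user profile, not only .als, since a variant could pick a different extension; read what it reports alongside the ransom note and dropped files rather than treating it as proof on its own.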

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. Removing the trojan does not bring back the deleted originals; they have to be extracted from the .als archives using the password given above. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A