
Ransom-C

Type: Trojan
SubType: Win32
Discovery Date: 01/12/2007
Length: Varies
Minimum DAT: 4938 (01/12/2007)
Updated DAT: 4942 (01/18/2007)
Minimum Engine: 5.1.00
Description Added: 01/12/2007
Description Modified: 01/12/2007 10:03 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Ransom-C is a trojan that deletes files from the infected machine and displays a message in Chinese demanding a fee from the user to recover the deleted data.

This trojan often arrives in a spoofed e-mail notifying the user of "important events" or "great deals", such as the following:

This e-mail purports to come from the mail administrator notifying the user of a "system upgrade", requesting the user to open the attachment to prevent the account from being terminated.

More recently, websites were discovered to be hosting Exploit-MS06-014, which installs Ransom-C on vulnerable web browsers without any user interaction. They include legitimate financial news, medical and other websites that were believed to have been penetrated by the trojan author. When the exploit succeeds, it proceeds to download and install an executable named abc.exe.pif containing Ransom-C.

In some cases, a .RAR file resembling the file attachments used in the spoofed e-mails is placed behind a spoofed hyperlink on the penetrated website. For example, the hyperlink could display a description such as "Directions to the XYZ Hospital" but actually lets the user download a .RAR containing the Ransom-C trojan:

Upon execution, Ransom-C makes a copy of itself in the Start-Programs->Startup menu as svchost.exe as well as X:\Documents and Settings\%User%\Application Data\Microsoft\win1ogon.exe.  

(Where X: is the system drive letter e.g. C:, and %User% is the current user ID)

It then displays the following pop-up window:

This pop-up window claims that unlicensed software was detected and has been moved to a restricted folder. To unlock these files, the user must send an e-mail to webmas[hidden]@yahoo.com.cn to purchase the "licensed" software.

NOTE: Our analysis shows that the files are not moved but effectively deleted from the infected computer, including from mounted drives on external media (e.g. memory cards, hard drives). This implies that a reliable method to fully recover the files is unlikely.

Ransom-C drops a text file on the desktop reiterating its claims and reboots the system each time the pop-up window is closed.

Symptoms

Presence and/or modification of the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"svchost.exe" = "X:\Documents and Settings\%User%\Application Data\Microsoft\win1ogon.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\(Default) = "X:\Documents and Settings\%User%\Application Data\Microsoft\win1ogon.exe" (hooks the opening of text files)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden

Presence of the following file(s):

  • X:\Documents and Settings\%User%\Application Data\Microsoft\win1ogon.exe (Ransom-C)
  • X:\Documents and Settings\%User%\Start Menu\Startup\svchost.exe (Ransom-C)

(Where X: is the system drive letter e.g. C:, and %User% is the current user ID)

Display of the pop-up windows depicted in "Characteristics".
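A defender-side check of the symptoms listed above, added here as an example and not part of the AVERT description. The registry snapshot and Startup folder listing are constructed sample data, and `assess` is a hypothetical helper name; the same logic can be fed with values read from a live host or a forensic image.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed sample data standing in for a registry/file-system snapshot of a
# suspect Windows XP host (not taken from a real infection).
SAMPLE_RUN_VALUES = {
    "svchost.exe": r"C:\Documents and Settings\alice\Application Data\Microsoft\win1ogon.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_TXTFILE_COMMAND = r"C:\Documents and Settings\alice\Application Data\Microsoft\win1ogon.exe"
SAMPLE_STARTUP_FILES = [
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\svchost.exe",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\desktop.ini",
]

# File names from the advisory. win1ogon.exe is a look-alike of the legitimate
# winlogon.exe (digit 1 in place of the letter l).
DROPPED_NAMES = {"win1ogon.exe", "svchost.exe"}
# The txtfile open handler on a clean machine points at notepad.exe.
LEGIT_TXT_HANDLER = re.compile(r"notepad\.exe", re.IGNORECASE)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_profile_appdata(path: str) -> bool:
    return "\\application data\\microsoft\\" in path.lower()


def assess(run_values: dict[str, str], txtfile_command: str, startup_files: list[str]) -> list[str]:
    """Return one finding string per Ransom-C symptom matched in the snapshot."""
    findings = []
    for name, target in run_values.items():
        # Symptom 1: a Run value named svchost.exe launching a dropped binary
        # from the user's Application Data\Microsoft folder.
        if name.lower() == "svchost.exe" and _in_profile_appdata(target) and _basename(target) in DROPPED_NAMES:
            findings.append(f"Run key hijack: {name} -> {target}")
    # Symptom 2: anything other than notepad.exe as the .txt handler means
    # opening a text file relaunches the trojan.
    if not LEGIT_TXT_HANDLER.search(txtfile_command):
        findings.append(f"txtfile handler hijack: {txtfile_command}")
    for path in startup_files:
        # Symptom 3: svchost.exe belongs in System32, never in a Startup folder.
        if _basename(path) == "svchost.exe":
            findings.append(f"Startup folder copy: {path}")
    return findings
```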

Method of Infection

Ransom-C has been known to propagate via spoofed e-mails with attachments and via browsing of hacked websites hosting spoofed hyperlinks and/or Exploit-MS06-014.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.

Additional Windows ME/XP removal considerations

Instead of encrypting or moving files from the victim's machine, Ransom-C effectively deletes them. A reliable method to fully recover the files is unlikely: due to the design of the Windows file system, disk segments marked as deleted can be overwritten by new data.

Data deleted by Ransom-C should be restored from backup.

Variants

N/A
