Ransom-F
- Type: Trojan
- SubType: Win32
- Discovery Date: 03/24/2009
- Length:
- Minimum DAT: 5563 (03/24/2009)
- Updated DAT: 5569 (03/30/2009)
- Minimum Engine: 5.2.00
- Description Added: 03/24/2009
- Description Modified: 03/26/2009 9:14 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
Ransom-F initially comes as a DLL component that gets injected into explorer.exe and many other processes.
It creates the following registry entry as its autostart mechanism:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = "DLL path and filename"
It adds the following registry value as a flag indicating that the system is already infected:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard
is_installed = [random data]
This Trojan searches the My Documents folder for files with the following filename extensions and encrypts them:
- ppsm
- ppam
- potx
- pptx
- ppsx
- potm
- pptm
- xlam
- xltm
- xlsm
- dotm
- docm
- xlsb
- xltx
- xlsx
- dotx
- docx
- pst
- mdb
- wma
- mp3
- png
- jpeg
- jpg
- ppt
- xls
- doc
It then injects its code into almost all running processes, including explorer.exe.
When the victim tries to open a file with one of the extensions listed above, the Trojan encrypts that file as well and displays an error message.
The victim is therefore unable to open the file. Once the user clicks the "Repair" button, the Trojan connects to the following site and downloads its component "FileFix Professional 2009":
- hxxp://filefixpro.com/public/download.php
The following files are added by FileFix (also detected as Ransom-F):
- %ProgramFiles%\FileFix Professional 2009\unins000.dat
- %ProgramFiles%\FileFix Professional 2009\unins000.exe
- %ProgramFiles%\FileFix Professional 2009\wizard.exe - detected as Ransom-F
- %ProgramFiles%\FileFix Professional 2009\wizard.url
- C:\Documents and Settings\All Users\Start Menu\Programs\FileFix Professional 2009\FileFix Professional 2009 on the Web.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\FileFix Professional 2009\FileFix Professional 2009.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\FileFix Professional 2009\Uninstall FileFix Professional 2009.lnk
Where %ProgramFiles% is usually C:\Program Files.
The following registry entries are added:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard\advanced
- wizard_installed = "1"
- wizard_path = "%ProgramFiles%\FileFix Professional 2009\wizard.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFix Professional 2009_is1
- DisplayName = "FileFix Professional 2009"
- HelpLink = "http://filefixpro.com"
- Inno Setup: App Path = "%ProgramFiles%\FileFix Professional 2009"
- Inno Setup: Deselected Tasks = ""
- Inno Setup: Icon Group = "FileFix Professional 2009"
- Inno Setup: Selected Tasks = "desktopicon,quicklaunchicon"
- Inno Setup: Setup Version = "5.1.7"
- Inno Setup: User = "{User name}"
- InstallLocation = "%ProgramFiles%\FileFix Professional 2009"
- NoModify = "1"
- NoRepair = "1"
- Publisher = "DataHelper Inc."
- QuietUninstallString = "%ProgramFiles%\FileFix Professional 2009\unins000.exe" /SILENT
- UninstallString = "%ProgramFiles%\FileFix Professional 2009\unins000.exe"
- URLInfoAbout = "http://filefixpro.com"
- URLUpdateInfo = "http://filefixpro.com"
Once FileFix is executed on the system, it scans for the encrypted files and reports them as corrupted.
The victim must purchase a license key before FileFix will "fix" the corrupted files.
This Trojan also displays a fake error message stating that some files on the system are corrupted.
Symptoms
- The presence of the files and registry entries listed above
- Display of the error messages described above
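As an added example (not part of the McAfee description), the following read-only PowerShell check looks for the registry entries and files listed above on a suspect host; it assumes it is run with administrator rights so that HKLM is fully readable.

```powershell
# Added example, not from the original description: read-only check for the
# Ransom-F / FileFix Professional 2009 artifacts listed on this page.
# Assumes administrator rights; it changes nothing on the host.

$findings = @()

function Test-RegValue {
    # Returns the value's data, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# 1. AppInit_DLLs autostart. The description gives no fixed DLL name, so any
#    non-empty value is reported for manual review.
$appInit = Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' 'AppInit_DLLs'
if ($appInit) { $findings += "AppInit_DLLs is set: $appInit" }

# 2. Infection flag and FileFix markers under WOW\keyboard
$kb = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard'
if ($null -ne (Test-RegValue $kb 'is_installed')) { $findings += "$kb\is_installed present" }
foreach ($n in 'wizard_installed', 'wizard_path') {
    $v = Test-RegValue "$kb\advanced" $n
    if ($null -ne $v) { $findings += "$kb\advanced\$n = $v" }
}

# 3. Inno Setup uninstall entry created by the FileFix installer
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFix Professional 2009_is1'
if (Test-Path $uninst) { $findings += "Uninstall key present: $uninst" }

# 4. Files dropped under %ProgramFiles%\FileFix Professional 2009
$dir = Join-Path $env:ProgramFiles 'FileFix Professional 2009'
foreach ($f in 'wizard.exe', 'wizard.url', 'unins000.exe', 'unins000.dat') {
    $p = Join-Path $dir $f
    if (Test-Path $p) { $findings += "File present: $p" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Ransom-F / FileFix artifacts found.'
} else {
    Write-Output 'Possible Ransom-F / FileFix artifacts:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A populated AppInit_DLLs value is not proof of infection on its own (legitimate software also uses it), so treat that line as a lead to examine rather than a verdict.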
Method of Infection
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
All Information
Overview
-- Update March 26, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2009/03/25/scareware_ransomware/
Ransom-F is a Trojan that searches for and encrypts files of specific types. To restore these files, the victim is asked to download and install a demo version of FileFix, which purports to be a file repair application. FileFix scans for and lists all encrypted files, but the victim must register the application by purchasing a license key.
-- Update March 25, 2009 --
McAfee Avert Labs has received limited reports of a false detection affecting temporary files created by the X1 Enterprise Search application. This issue will be resolved in the 5565 DATs (releasing March 26, 2009).
Affected customers can obtain a fix (EXTRA.DAT) here.
The following workaround is also available.
Workaround:
1) Configure an exclusion for the X1 Server temporary directories within McAfee VirusScan Enterprise.
The directories to exclude are:
- C:\Documents and Settings\\Local Settings\Temp\X1Server (Windows XP)
- C:\Users\\Local\Temp\X1Server (Windows Vista)