McAfee > Theat Center > Virus Detail Page

Overview

--

Ransom-M is a Trojan on execution encrypts all the files of these formats i.e .zip; .rar; .pdf; .rtf; .txt; .jpg; .jpeg; .waw; .mp3; .db; .xls; .docx; .xlsx; .doc.The user has to get the decryption key inorder to recover the files by paying a specified amount to the attacker.

Aliases

• Trj/Ransom.K(Panda)

• Troj/Gpcode-E(Sophos)

• Trojan-Ransom.Win32.Xorist.a(Kaspersky)

• Trojan:W32/Randsom.G(F-Secure)

Characteristics

Upon execution Trojan Ransom-M changes the wallpaper of the desktop with the following wallpaper as shown below:

The wallpaper contains a message informing the user that the system is infected with Lorobot and to recover the files the user has to email to the specified email address mentioned in the wallpaper and pay 100$ to the attacker inorder to obtain the decryption file.

Trojan then encrypts all the files in the user's system which are of the following file formats .zip; .rar; .pdf; .rtf; .txt; .jpg; .jpeg; .waw; .mp3; .db; .xls; .docx; .xlsx; .doc .After modifying all the files a text pop up appears as shown below:

The Trojan adds the following files:

C:\xxxx.txt
C:\WINDOWS\CryptLogFile.txt
C:\Documents and Settings\<USERNAME>\Local Settings\Temp\wallpaper.bmp

CryptLogFile.txt contains the list of modified files in the system by the Trojan as below:

C:\Adobe Reader 9 Installer\Folder.jpg
C:\Tools\API Monitor.rar
C:\Tools\Dede\DSF\DeDe_SDK.rtf
C:\WINDOWS\SHELLNEW\EXCEL12.XLSX
C:\Program Files\Windows Media Player\npdrmv2.zip
C:\Documents and Settings\All Users\Application Data\SiteAdvisor\guid.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
C:\Documents and Settings\<USERNAME>\Application Data\Microsoft\Internet Explorer\brndlog.txt
C:\Documents and Settings\<USERNAME>\Cookies\<USERNAME>@atdmt[1].txt
C:\Documents and Settings\<USERNAME>\Local Settings\Application Data\IconCache.db
C:\Documents and Settings\<USERNAME>\Templates\winword.doc
C:\Documents and Settings\<USERNAME>\Templates\excel.xls

Symptoms

• Presence of the above mentioned characteristics.
• Presence of the above mentioned files

Method of Infection

Trojans are not viruses, and as such do not contain any method to replicate by themselves. However they may be downloaded by other viruses and/or Trojans to be installed on the user's system. Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the malwares).

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

-- Update October 28, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blogs.zdnet.com/security/?p=4748

--

Ransom-M is a Trojan on execution encrypts all the files of these formats i.e .zip; .rar; .pdf; .rtf; .txt; .jpg; .jpeg; .waw; .mp3; .db; .xls; .docx; .xlsx; .doc.The user has to get the decryption key inorder to recover the files by paying a specified amount to the attacker.

Aliases

• Trj/Ransom.K(Panda)

• Troj/Gpcode-E(Sophos)

• Trojan-Ransom.Win32.Xorist.a(Kaspersky)

• Trojan:W32/Randsom.G(F-Secure)

Characteristics

Characteristics -

Upon execution Trojan Ransom-M changes the wallpaper of the desktop with the following wallpaper as shown below:

The wallpaper contains a message informing the user that the system is infected with Lorobot and to recover the files the user has to email to the specified email address mentioned in the wallpaper and pay 100$ to the attacker inorder to obtain the decryption file.

Trojan then encrypts all the files in the user's system which are of the following file formats .zip; .rar; .pdf; .rtf; .txt; .jpg; .jpeg; .waw; .mp3; .db; .xls; .docx; .xlsx; .doc .After modifying all the files a text pop up appears as shown below:

The Trojan adds the following files:

C:\xxxx.txt
C:\WINDOWS\CryptLogFile.txt
C:\Documents and Settings\<USERNAME>\Local Settings\Temp\wallpaper.bmp

CryptLogFile.txt contains the list of modified files in the system by the Trojan as below:

C:\Adobe Reader 9 Installer\Folder.jpg
C:\Tools\API Monitor.rar
C:\Tools\Dede\DSF\DeDe_SDK.rtf
C:\WINDOWS\SHELLNEW\EXCEL12.XLSX
C:\Program Files\Windows Media Player\npdrmv2.zip
C:\Documents and Settings\All Users\Application Data\SiteAdvisor\guid.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
C:\Documents and Settings\<USERNAME>\Application Data\Microsoft\Internet Explorer\brndlog.txt
C:\Documents and Settings\<USERNAME>\Cookies\<USERNAME>@atdmt[1].txt
C:\Documents and Settings\<USERNAME>\Local Settings\Application Data\IconCache.db
C:\Documents and Settings\<USERNAME>\Templates\winword.doc
C:\Documents and Settings\<USERNAME>\Templates\excel.xls

Symptoms

Symptoms -

• Presence of the above mentioned characteristics.
• Presence of the above mentioned files

Method of Infection

Method of Infection -

Trojans are not viruses, and as such do not contain any method to replicate by themselves. However they may be downloaded by other viruses and/or Trojans to be installed on the user's system. Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the malwares).

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A