RANSOM_CRYPTEAR.B

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It gathers certain information on the affected computer.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

• %User Profile%\able.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following files:

• %User Temp%\text.txt - contains machine name and encryption key
• %Desktop%\MENSAGEM.txt - ransom note
  

Download Routine

This Trojan connects to the following URL(s) to download its component file(s):

• http://i.imgur.com/{BLOCKED}O.jpg

It saves the files it downloads using the following names:

• %User Profile%\ran.jpg - ransom note
  

Information Theft

This Trojan gathers the following information on the affected computer:

• Machine Name
• User Name

NOTES:

It connects to the following website to send information:

• http://www.{BLOCKED}n.com/hidden-tear/write.php?info={MachineName}-{UserName}%20{Generated Password for decryption}

It encrypts files with the following extensions in the %User Profile% sub folders and appends .locked as the new file extension of the encrypted files:

• .txt
• .doc
• .docx
• .xls
• .xlsx
• .ppt
• .pptx
• .odt
• .jpg
• .png
• .csv
• .sql
• .mdb
• .sln
• .php
• .asp
• .aspx
• .html
• .xml
• .psd