Ransom.Win32.MIRCOP.AA

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies the Internet Explorer Zone Settings.

It encrypts files found in specific folders.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\888.vbs → starts migwiz.exe and sets registry
• %User Temp%\32.cab → used for extraction of %System%\migwiz (for 32-bit system)
• %User Temp%\64.cab → used for extraction of %System%\migwiz (for 64-bit system)
• %User Temp%\8x8x8 → marker if encryption is successful
• %User Temp%\wl.jpg → used as wallpaper
• %User Temp%\x.exe → copy of itself

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This Ransomware drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• Microsoft Update.lnk

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0

It changes the desktop wallpaper by modifying the following registry entries:

HKCU\Control Panel\Desktop
Wallpaper = %User Temp%\wl.jpg

It sets the system's desktop wallpaper to the following image:

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• chrome.exe
• firefox.exe
• iexplore.exe
• opera.exe
• tor.exe
• skype.exe

Web Browser Home Page and Search Page Modification

This Ransomware modifies the Internet Explorer Zone Settings.

Ransomware Routine

This Ransomware encrypts files found in the following folders:

• %Desktop%
• %Application Data%
• %AppDataLocal%
• %User Profile%\Music
• %User Profile%\Pictures
• %User Profile%\Videos
• %User Profile%\Documents
• %System Root%\Users\Public\Documents
• %System Root%\Users\Public\Pictures
• %System Root%\Users\Public\Videos
• {Root of hard disk drives}

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It renames encrypted files using the following names:

• Lock.{file name}.{file extension}

NOTES: