TROJ_RANSOM.IQN

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes itself after execution.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %User Profile%\Application Data\{GUID}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Local\{GUID}
• Global\{GUID}

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
CryptoLocker = "%User Profile%\Application Data\{GUID}.exe"

Other Details

This Trojan encrypts files with the following extensions:

• .accdb
• .arw
• .bay
• .cdr
• .cer
• .crt
• .crw
• .dbf
• .dcr
• .der
• .dng
• .doc
• .docm
• .docx
• .dwg
• .dxf
• .dxg
• .eps
• .erf
• .indd
• .jpe
• .jpg
• .kdc
• .mdb
• .mdf
• .mef
• .mrw
• .nef
• .nrw
• .odb
• .odc
• .odm
• .odp
• .ods
• .odt
• .orf
• .pdd
• .pef
• .pem
• .pfx
• .ppt
• .pptm
• .pptx
• .psd
• .pst
• .ptx
• .raf
• .raw
• .rtf
• .rwl
• .srf
• .srw
• .wpd
• .wps
• .xlk
• .xls
• .xlsb
• .xlsm
• .xlsx

It deletes itself after execution.

NOTES:

This Trojan It demands users to pay a fine via any of the following payment methods:

• Bitcoin
• cashU
• MoneyPak
• paysafecard
• Ukash

It displays the following ransom messages:

Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.

Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files...

To obtain the private key for this computer, which will automatically decrypt files, you need to pay %AMOUNT_USD% USD / %AMOUNT_EUR% EUR / similar amount in another currency.

Click «Next» to select the method of payment and the currency.

Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.

Below is the list of amount and corresponding currency that it uses for ransom:

• 100 USD
• 100 EUR
• 200 ARS
• 100 CAD
• 150 CHF
• 2000 CZK
• 1000 DKK
• 100 GBP
• 500 HRK
• 25000 HUF
• 50 LVL
• 1000 MXN
• 1000 NOK
• 300 PLN
• 300 RON
• 1000 SEK
• 100 TRY
• 100 AUD
• 200 BRL
• 1500 NOK
• 200 NZD
• 500 PLN
• 200 RON
• 1500 SEK
• 1 BTC

It connects to certain websites to send information:

• http://{Random Characters}.com
• http://{Random Characters}.net
• http://{Random Characters}.biz
• http://{Random Characters}.org
• http://{Random Characters}.co.uk
• http://{Random Characters}.info

This Trojan encrypts files using a complex encryption routine. This prevents users from restoring the encrypted files.