TROJ_RANSOM.USR

 Modified by: Nikko Tamana

 ALIASES:

W32/Filecoder.AY (Fortinet), Trojan-Banker.Win32.Banker (Ikarus), Trojan-Ransom.Win32.Rakhni.g (Kaspersky), Win32/Filecoder.AY trojan (NOD32)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

  • Threat Type: Trojan

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

354,816 bytes

File Type:

EXE

Initial Samples Received Date:

25 Apr 2013

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following file(s)/component(s):

  • %System Root%\msg.exe
  • %System Root%\КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Other System Modifications

This Trojan adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\.ACCDB
{Default} = "msg"

HKEY_CLASSES_ROOT\.DOCX
{Default} = "msg"

HKEY_CLASSES_ROOT\.XLSX
{Default} = "msg"

HKEY_CLASSES_ROOT\msg\shell\open\command
{Default} = ""%System Root%\msg.exe" "%1""

HKEY_CLASSES_ROOT\.psd
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.7Z
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.ACCDB
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.DOC
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.DOCX
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.GIF
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.JPG
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.MDB
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.PDF
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.PNG
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.PSD
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.RTF
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.RAR
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.XLS
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.XLSX
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.XML
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\.ZIP
{Default} = "msg"

HKEY_CURRENT_USER\Software\Classes\msg\shell\open\command
{Default} = ""%System Root%\msg.exe" "%1""

It adds the following registry keys as part of its installation routine:

HKEY_CLASSES_ROOT\.ACCDB

HKEY_CLASSES_ROOT\.DOCX

HKEY_CLASSES_ROOT\.XLSX

HKEY_CLASSES_ROOT\msg

HKEY_CLASSES_ROOT\msg\shell

HKEY_CLASSES_ROOT\msg\shell\open

HKEY_CLASSES_ROOT\msg\shell\open\command

HKEY_CURRENT_USER\Software\Classes\.7Z

HKEY_CURRENT_USER\Software\Classes\.ACCDB

HKEY_CURRENT_USER\Software\Classes\.DOC

HKEY_CURRENT_USER\Software\Classes\.DOCX

HKEY_CURRENT_USER\Software\Classes\.GIF

HKEY_CURRENT_USER\Software\Classes\.JPG

HKEY_CURRENT_USER\Software\Classes\.MDB

HKEY_CURRENT_USER\Software\Classes\.PDF

HKEY_CURRENT_USER\Software\Classes\.PNG

HKEY_CURRENT_USER\Software\Classes\.PSD

HKEY_CURRENT_USER\Software\Classes\.RAR

HKEY_CURRENT_USER\Software\Classes\.RTF

HKEY_CURRENT_USER\Software\Classes\.XLS

HKEY_CURRENT_USER\Software\Classes\.XLSX

HKEY_CURRENT_USER\Software\Classes\.XML

HKEY_CURRENT_USER\Software\Classes\.ZIP

HKEY_CURRENT_USER\Software\Classes\msg

HKEY_CURRENT_USER\Software\Classes\msg\shell

HKEY_CURRENT_USER\Software\Classes\msg\shell\open

HKEY_CURRENT_USER\Software\Classes\msg\shell\open\command

It modifies the following registry entries:

HKEY_CLASSES_ROOT\.7Z
{Default} = "msg"

(Note: The default value data of the said registry entry is "WinRAR".)

HKEY_CLASSES_ROOT\.doc
{Default} = "msg"

(Note: The default value data of the said registry entry is "Word.Document.8".)

HKEY_CLASSES_ROOT\.gif
{Default} = "msg"

(Note: The default value data of the said registry entry is "giffile" .)

HKEY_CLASSES_ROOT\.jpg
{Default} = "msg"

(Note: The default value data of the said registry entry is "jpegfile" .)

HKEY_CLASSES_ROOT\.mdb
{Default} = "msg"

(Note: The default value data of the said registry entry is "Access.Application.11".)

HKEY_CLASSES_ROOT\.pdf
{Default} = "msg"

(Note: The default value data of the said registry entry is "AcroExch.Document".)

HKEY_CLASSES_ROOT\.png
{Default} = "msg"

(Note: The default value data of the said registry entry is "pngfile".)

HKEY_CLASSES_ROOT\.RAR
{Default} = "msg"

(Note: The default value data of the said registry entry is "WinRAR" .)

HKEY_CLASSES_ROOT\.rtf
{Default} = "msg"

(Note: The default value data of the said registry entry is "Word.RTF.8".)

HKEY_CLASSES_ROOT\.xls
{Default} = "msg"

(Note: The default value data of the said registry entry is "Excel.Sheet.8".)

HKEY_CLASSES_ROOT\.xml
{Default} = "msg"

(Note: The default value data of the said registry entry is "xmlfile".)

HKEY_CLASSES_ROOT\.zip
{Default} = "msg"

(Note: The default value data of the said registry entry is "WinRAR.ZIP".)

NOTES:

It encrypts files with the following file extensions:

  • .7Z
  • .ACCDB
  • .DOC
  • .DOCX
  • .GIF
  • .JPG
  • .MDB
  • .PDF
  • .PNG
  • .PSD
  • .RAR
  • .RTF
  • .XLS
  • .XLSX
  • .XML
  • .ZIP