Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

Trojan.Encoder.3953

Added to the Dr.Web virus database: 2016-02-17

Virus description added:

SHA1

  • fd131f8d61b57954a5906483baf43c92d76a80e7
  • a07a1660ebd71bff4b640665208d2ade51791e69
  • d0a05ad76a8eec9a4fce36e9cf5d446d7ddaae3f
  • 583bbf424a7114586dd48fe57be999cbd750ba56

A ransomware Trojan for Windows. At least 4 of its modifications employ different encryption procedures, and 4 of its versions implement different schemes of file naming. Presumably, the Trojan is created by the authors of Trojan.Encoder.741 and Trojan.Encoder.2667.

Once encrypted, files are appended with a suffix containing an email address and an extension. The Trojan is known to append files with the following extensions:

  • *.xtbl
  • *.CrySiS

Cybercriminals leave the following email addresses:

  • dalailama2015@protonmail.ch
  • Vegclass@aol.com
  • a_princ@aol.com
  • TREE_OF_LIFE@INDIA.COM
  • redshitline@india.com
  • milarepa.lotos@aol.com
  • Eco_vector@aol.com
  • sub_zero12@aol.com
  • gerkaman@aol.com
  • freetibet@india.com
  • cyber_baba2@aol.com
  • siddhiup2@india.com
  • gruzinrussian@aol.com
  • Ecovector3@aol.com
  • ramachandra7@india.com

The following 4 schemes are used to name encrypted files:

  • *.{email}.ext
  • *.ID*.email.xtbl
  • *.ID*.{email}.xtbl
  • *.id-*.{email}.ext

Version 1

SHA1

  • fd131f8d61b57954a5906483baf43c92d76a80e7

Once launched, the Trojan copies itself to the %windir%\system32 directory, saving its original name. If the attempt is unsuccessful, the Trojan locates its copy in the %localappdata% folder. Then, to ensure its autorun, the malware modifies the HKLM\Software\Microsoft\Windows\CurrentVersion\Run system registry branch (if the attempt fails, the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry branch is modified) and registers its copy with the name of the System Service parameter. To control its relaunching, the Trojan uses a mutex with the following name: Global\snc_%virname%.

Internal state of the random number generator is stored in a 32-byte buffer. This buffer is used to obtain MD5. The result is a RC4 key that encrypts the buffer. The obtained 0x20 bytes represent an encryption key.

Encryption is performed in a separate thread, using the AES-CBC-256 algorithms. Names of encrypted files are appended with *.{email}.ext. A 6-byte marker, 16-byte initialization vector, and 1 byte, which indicates the length of alignment, are added to the end of the file. An encrypted key for file decryption is stored in the following 0x80 bytes. All files are encrypted with the same key. Every file has a unique initialization vector.

Files corrupted by this Trojan can be decrypted.

Version 2

SHA1

  • a07a1660ebd71bff4b640665208d2ade51791e69

The Trojan is packed. The unpacked sample has SHA1 8d2b415f8da004f5da7ac706d418f25072782abe.

While a key is being generated, the buffer information is modified by means of the XOR function. Intermediate data of previous calls for random value generation is used. A unique key is generated for network resources.

It names encrypted files using the *.ID*.email.xtbl or *.ID*.{email}.xtbl scheme.

Information is encrypted with the AES-CBC-256 algorithms.

The Trojan registers itself under the fixed name while modifying the system registry to enable its autorun.

This version has the following scheme of adding data to the end of the file: first, the file name is saved (in Unicode), then a 6-byte marker goes followed by 20 bytes of unknown purpose and 16 bytes of initialization vector. After that, 4 bytes indicating the length of alignment are saved. Then there are 0x80 bytes that contain an encrypted key for file decryption. The last DWORD parameter writes the length of the original file name in bytes. In total, 178 bytes are added to the end of the file.

Files corrupted by this Trojan can be decrypted.

Version 2.5

SHA1

  • d0a05ad76a8eec9a4fce36e9cf5d446d7ddaae3f

The Trojan is packed. The unpacked sample has SHA1 ad68d95b42ef99dab3a87d49aed403a86cd99673.

The operation of random number generator is modified in this version.

The Trojan registers itself in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry branch under a random name.

It names encrypted files using the *.ID*.{email}.xtbl scheme.

The procedure of adding information to the end of a file is the same as for the above-mentioned version.

Files corrupted by this Trojan can be decrypted in some cases.

Version 3

SHA1

  • 583bbf424a7114586dd48fe57be999cbd750ba56

It names encrypted files using the *.id-*.{email}.ext scheme.

Information is encrypted with the AES-CBC-256 algorithms. The initialization vector is unique for every file.

Keys generated by this version have become more tamper-proof.

A decryption key together with random bytes is encrypted with RSA-1024 and is saved at the end of the file.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android