F-Secure
Tools
Trojan:W32/Fixer
| Name : | Trojan:W32/Fixer |
| Detection Names : |
Trojan-Ransom.Win32.Fixer.a Trojan.Generic.1582276 |
| Category: | Malware |
| Type: | Trojan |
| Platform: | W32 |
Summary
A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.
Additional Details
Trojan:W32/Fixer is a malicious program that demands a ransom from the user by encrypting and disabling documents and media files. The only way to decrypt the files is by purchasing a program being offered by the malware author(s). As such, this malware is a type of Ransomware.
The details below apply to the Trojan:W32/Fixer.A variant.
Installation
The trojan's main component is a DLL that is dropped to:
This DLL is injected into almost all running processes. It is not injected into some executables, including:
It adds a launchpoint in the registry as below:
It creates these registries probably as infection markers:
Activity
Once installed, the DLL encrypts files with the following extensions to disable them :
Any newly created files on the system that use one of the extensions listed above are also encrypted.
When user tries to open the encrypted files a screen like below is shown:
It also shows a popup like below at the bottom right corner on the system tray :
The only way for users to fix the so-called corrupted files is to purchase the FileFixPro program. If the "repair file" option is selected, user will be directed to this site:
The downloaded program is a scanner that will show a screen like below:
The details below apply to the Trojan:W32/Fixer.A variant.
Installation
The trojan's main component is a DLL that is dropped to:
• %system%\fpfstb.dll
This DLL is injected into almost all running processes. It is not injected into some executables, including:
• smss.exe
• csrss.exe
• winlogon.exe
It adds a launchpoint in the registry as below:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = "%system%\fpfstb.dll"
AppInit_DLLs = "%system%\fpfstb.dll"
It creates these registries probably as infection markers:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard
is_installed = [random string]
is_installed = [random string]
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard
id = [random string]
id = [random string]
Activity
Once installed, the DLL encrypts files with the following extensions to disable them :
• ppsm
• ppsx
• ppam
• potm
• potx
• pptm
• pptx
• xlam
• xlsb
• xltm
• xltx
• xlsm
• xlsx
• dotm
• dotx
• docm
• docx
• pst
• mdb
• wma
• mp3
• png
• jpeg
• jpg
• pdf
• ppt
• xls
• doc
Any newly created files on the system that use one of the extensions listed above are also encrypted.
When user tries to open the encrypted files a screen like below is shown:
It also shows a popup like below at the bottom right corner on the system tray :
The only way for users to fix the so-called corrupted files is to purchase the FileFixPro program. If the "repair file" option is selected, user will be directed to this site:
• http://www.filefixpro.com/[...]/download.php
The downloaded program is a scanner that will show a screen like below: