Skip to main content

Trojan:W32/NomadSnore

Classification

Category:Malware
Type:Trojan
Platform:W32
Aliases:

Trojan:W32/NomadSnore.A, Trojan:W32/NomadSnore.B, Ransom32

Summary

Trojan:W32/NomadSnore is ransomware that encrypts files stored on the affected machine, then demands payment of a ransom in order to decrypt the files. It is notable for being the first ransomware to be written entirely in JavaScript.

Removal

    A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

    • Check for the latest database updates

      First check if your F-Secure security program is using the latest updates, then try scanning the file again.

    • Submit a sample

      After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

      Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

    • Exclude a file from further scanning

      If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

      Note: You need administrative rights to change the settings.

    Technical Details

    Trojan:W32/NomadSnore is distributed as an auto-extracting WINRAR archive file that uses the extension ".scr". When launched, the contents of the NomadSnore archive file are unpacked by a WINRAR script into the %temp% folder.

    During the unpacking, the WINRAR script also sets a value to allow one of the archive file components (misleadingly labelled 'chrome.exe') to run after extraction. This component is actually a JavaScript application (NW.js, previously known as node-webkit) that contains the malicious ransomware code and is able to independently run it. The use of JavaScript in this manner potentially allows NomadSnore to run not just on the Windows operating system, but also on Linux or MacOS X.

    Once the ransomware code is run, it searches for and encrypts files of various file types (e.g. *.jpeg, *.doc. *.mp4 etc.) on the affected machine using AES-128 encryption, with CTR as block mode. It then displays an image on the desktop containing a ransom demand (payable in Bitcoins) in return for the decryption key needed to restore the affected files.

    More Support

    Community

    Ask questions in our Community.

    User guides

    Check the user guide for instructions.

    Contact Support

    Chat with with or call an agent.

    Submit a Sample

    Submit a file or URL for analysis.