Trojan.GenericKD.3016333

Threat description

Details

Category: Malware
Type: Trojan
Platform: W32

Summary

Trojan.GenericKD.3016333 is ransomware that encrypts files stored on the affected device and demands payment of a ransom.



Removal

Manual Removal

Caution: Manual removal is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.

  • Remove the malware's autorun keys:
    • Open Regedit and locate: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • Remove entries pointing to the malicious file (C:\Windows\<8_random_alphanumeric>.exe), for example "C:\Windows\epiwuzot.exe"
  • Restart the system; the malware should no longer launch on startup
  • Delete the malicious file from the %WINDOWS% folder (C:\Windows\<8_random_alphanumeric>.exe). It should be the only file with an ".exe" file type and a PDF file icon
  • Remove the other component files:
    • %programdata%\<16_random_letters>\02000000
    • %programdata%\<16_random_letters>\01000000
    • %appdata%\<16_random_letters>\01000000
    • %appdata%\<16_random_letters>\01000000
  • Restart the system


Technical Details

This malware is distributed via a spam email message that pretends to be a notification from either the POSTNORD or AUPOST postal services (POSTNORD serves Denmark and Sweden, while AUPOST handles delivery in Australia). The text of the message is typically about lost or undelivered packages, and the email includes a ZIP file attachment that contains the actual ransomware file. Malicious links in the email text reportedly can also lead the user to download the ransomware file.

The ZIP file attachment most commonly uses the filenames "postnord_info_59278.exe", "bolletta_36135.exe", and "AUPOST_info_23884.exe". The attachment contains an executable program that uses a PDF file icon; this is a common technique used by malware authors to trick users into thinking that the file is a document rather than an executable program.

Ransomware executable file disguised as a PDF document

If the camouflaged executable file is run, it injects malicious code into the "explorer.exe" process. It moves the ransomware file to %WINDOWS% and renames it as <8_random_alphanumeric_characters>.exe.

It then removes other copies in %LOCAL_APPDATA%\temp\ and encrypts the user's files. It also drops a text file containing the following ransom demand (in Swedish in the analysed sample), together with instructions for payment:

===============================================================================
!!! Vi har krypterat dina filer med Crypt0L0cker virus !!!
===============================================================================
Dina viktiga filer (inklusive de på nätverksdiskar, USB, etc): bilder, videor,
var dokument krypteras med vår Crypt0L0cker virus. Det enda sättet att få dina
filer tillbaka är att betala oss. Annars kommer dina filer att gå förlorade.
Klicka här för att betala för filer återvinning:

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
[=] Vad har hänt med mina filer?
Dina viktiga filer: bilder, video, var dokument krypteras med vår
Crypt0L0cker virus. Detta virus använder mycket stark
krypteringsalgoritm - RSA-2048. Brytning av RSA-2048 krypteringsalgoritm är
omöjlig utan särskild krypteringsnyckel.
[=] Hur kan jag få mina filer tillbaka?
Dina filer är nu oanvändbara och oläslig, du kan verifiera det genom att
försöka öppna dem. Det enda sättet att återställa dem till ett normalt
tillstånd är att använda vår speciella dekryptering programvara. Du kan köpa
denna dekryptering programvara på vår hemsida .
[=] Vad ska jag göra härnäst?
Du bör besöka vår hemsida 
och köpa dekryptering för din dator.
[=] Jag kan inte komma till din webbp

The malware also uses a domain generation algorithm (DGA), as observed from its network activity; the generated domains are used by the malware to locate its command and control (C&C) server, which it later attempts to contact. Generated domains observed include:

  • nwowapi.ksmvryodp.com
  • akimhsewf.ksmvryodp.com
  • hkyjymubudy.ksmvryodp.com
  • wsyhew.ksmvryodp.com
  • ipokikgzadg.ksmvryodp.com
  • izvli.ksmvryodp.com
  • acujyz.ksmvryodp.com
  • erojibpfi.rygzatyee.com
  • aqyn.rygzatyee.com
  • ahuby.rygzatyee.com
  • orid.rygzatyee.com
  • eqova.rygzatyee.com
  • eqilufyk.rygzatyee.com
  • afazoriju.rygzatyee.com
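The fourteen names above are only the generated hosts observed in this analysis; the two parent domains (ksmvryodp.com and rygzatyee.com) are the stable part. The following PowerShell is an added example, not code from this F-Secure description: it extracts queried names from DNS log lines and flags any name whose registered domain is one of those two parents, so it also catches generated subdomains that are not in the list. The log lines are constructed sample input in a simplified "timestamp client query type name" layout (the generated host qzldvnf.rygzatyee.com is invented for the demonstration); real DNS server or Sysmon logs need their own field parsing.

```powershell
# Added example (not from the page): match DNS query names against the DGA parent domains.
# Parent domains are taken from the description above; the log format and lines are
# constructed sample input, not real telemetry.
$dgaParents = @('ksmvryodp.com', 'rygzatyee.com')

$sampleLog = @'
2016-03-14 09:12:01 10.0.0.15 query A nwowapi.ksmvryodp.com
2016-03-14 09:12:03 10.0.0.15 query A update.microsoft.com
2016-03-14 09:12:07 10.0.0.15 query A qzldvnf.rygzatyee.com
2016-03-14 09:12:09 10.0.0.22 query A www.postnord.se
'@ -split "`r?`n"

function Get-ParentDomain {
    # Returns the last two labels of a name (registered domain for .com-style TLDs),
    # lower-cased and without a trailing dot, so "a.b.ksmvryodp.com" -> "ksmvryodp.com".
    param([string]$Fqdn)
    $labels = $Fqdn.TrimEnd('.').ToLower().Split('.')
    if ($labels.Count -lt 2) { return $Fqdn.ToLower() }
    return ($labels[-2..-1] -join '.')
}

$hits = foreach ($line in $sampleLog) {
    # client IPv4 somewhere before the name; the queried name is the last token on the line
    if ($line -match '(?<client>\d{1,3}(\.\d{1,3}){3}).*?\s(?<name>[A-Za-z0-9.-]+\.[A-Za-z]{2,})\s*$') {
        $parent = Get-ParentDomain $Matches.name
        if ($dgaParents -contains $parent) {
            [pscustomobject]@{ Client = $Matches.client; Query = $Matches.name; Parent = $parent }
        }
    }
}

if ($hits) { $hits | Format-Table -AutoSize }
else       { Write-Output 'No queries for the listed DGA parent domains.' }
```

Matching on the parent domain rather than the full host is the point: the malware generates new subdomains, so a blocklist of the fourteen observed names would miss the next run. Because the generated names are random-looking labels under two fixed parents, a sinkhole or DNS firewall rule for the parents covers the whole family of generated hosts.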

The presence of the malware's randomly named file in the %WINDOWS% folder is an indicator of infection; another such indicator is the existence of the ransom note and payment instructions. The malware also creates the following autorun keys, mutexes and component files, which are further indicators of infection:

  • Autorun keys:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    <8_random_alphanumeric>="C:\Windows\<8_random_alphanumeric>.exe"
  • Mutexes:
    • \BaseNamedObjects\<31_random_letters>
    • \BaseNamedObjects\ihejicyrywonulatupaxafubevuzezu
    • \BaseNamedObjects\imefanafytotehadujulifygicumovo
  • Component files:
    • %programdata%\<16_random_letters>\02000000
    • %programdata%\<16_random_letters>\01000000
    • %appdata%\<16_random_letters>\01000000
    • %appdata%\<16_random_letters>\01000000
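The indicators above (and the manual removal steps earlier on this page) can be checked before anything is deleted. The following PowerShell is an added example, not F-Secure's code: a read-only sweep of the Run key, the %WINDIR% folder, the ProgramData and per-user AppData component paths, and the two named mutexes. The 8-alphanumeric and 16-letter patterns and the mutex names come from this description; the use of Global\ for the \BaseNamedObjects namespace, the Authenticode check, and the decision to walk every profile under C:\Users are assumptions of this script.

```powershell
# Added example, not F-Secure's code: a read-only sweep for the host indicators listed above.
# It reports matches and deletes nothing, so an analyst can confirm an infection before
# following the removal steps. Patterns (8 alphanumerics, 16 letters, the two mutex names)
# are taken from this description; everything else is an assumption of this script.
$findings = New-Object System.Collections.Generic.List[string]

# 1. HKLM Run values whose data is C:\Windows\<8 alphanumeric>.exe (surrounding quotes optional).
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$exeRegex = '^"?' + [regex]::Escape("$env:WINDIR\") + '[A-Za-z0-9]{8}\.exe"?$'
if (Test-Path $runKey) {
    $values = Get-ItemProperty -Path $runKey
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # provider metadata, not Run values
        if ("$($prop.Value)" -match $exeRegex) {
            $findings.Add("Run value '$($prop.Name)' launches $($prop.Value)")
        }
    }
}

# 2. 8-character .exe files directly under %WINDIR%. Legitimate Windows binaries such as
#    explorer.exe also have 8-character names, so only files without a valid signature are
#    flagged (assumption: catalog-signed system binaries report Valid on current Windows).
Get-ChildItem -Path $env:WINDIR -File -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[A-Za-z0-9]{8}\.exe$' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $findings.Add("Unsigned 8-character executable: $($_.FullName) (signature: $($sig.Status))")
        }
    }

# 3. Component files <16 letters>\01000000 and \02000000 under ProgramData and under every
#    user's roaming AppData, since the infected profile may not be the one running this.
$roots = @($env:ProgramData)
$roots += Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[A-Za-z]{16}$' } |
        ForEach-Object {
            foreach ($leaf in '01000000', '02000000') {
                $candidate = Join-Path $_.FullName $leaf
                if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                    $findings.Add("Component file: $candidate")
                }
            }
        }
}

# 4. Mutexes. \BaseNamedObjects\<name> is the global namespace, hence the Global\ prefix.
#    An access-denied error still means the object exists, so it counts as a hit.
foreach ($name in 'ihejicyrywonulatupaxafubevuzezu', 'imefanafytotehadujulifygicumovo') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting("Global\$name")
        $m.Dispose()
        $findings.Add("Mutex present: \BaseNamedObjects\$name")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present on this host
    } catch [System.UnauthorizedAccessException] {
        $findings.Add("Mutex present (access denied): \BaseNamedObjects\$name")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this description were found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated prompt so the HKLM key, other users' profiles and the global mutex namespace are readable. The script deliberately stops at reporting: deletion is the manual procedure described above, and a hit on the Run key or a component file is worth preserving for the incident record before the system is cleaned.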




