Trojan:W32/NomadSnore

Classification

Category :

Malware

Type :

Trojan

Aliases :

Trojan:W32/NomadSnore.A, Trojan:W32/NomadSnore.B, Ransom32

Summary

Trojan:W32/NomadSnore is ransomware that encrypts files stored on the affected machine, then demands payment of a ransom in order to decrypt the files. It is notable for being the first ransomware to be written entirely in JavaScript.

Removal

  • In the %temp% folder, delete all folders with names similar to: nw[4 digit number]_[5 digit number].
  • In the %appdata% folder, delete all folders with the name "Chrome Browser".
  • In the Startup folder, delete the "ChromeService" shortcut.
  • Run a full system scan with your F-Secure security product to repair any remaining files.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan:W32/NomadSnore is distributed as an auto-extracting WINRAR archive file that uses the extension ".scr". When launched, the contents of the NomadSnore archive file are unpacked by a WINRAR script into the %temp% folder.

During the unpacking, the WINRAR script also sets a value to allow one of the archive file components (misleadingly labelled 'chrome.exe') to run after extraction. This component is actually a JavaScript application (NW.js, previously known as node-webkit) that contains the malicious ransomware code and is able to independently run it. The use of JavaScript in this manner potentially allows NomadSnore to run not just on the Windows operating system, but also on Linux or MacOS X.

Once the ransomware code is run, it searches for and encrypts files of various file types (e.g. *.jpeg, *.doc. *.mp4 etc.) on the affected machine using AES-128 encryption, with CTR as block mode. It then displays an image on the desktop containing a ransom demand (payable in Bitcoins) in return for the decryption key needed to restore the affected files.