Protégez votre univers

Nos autres ressources

  • free.drweb.fr — utilitaires gratuits, plugins, widgets
  • av-desk.com — service Internet pour les prestataires de services Dr.Web AV-Desk
  • curenet.drweb.com — l'utilitaire de désinfection réseau Dr.Web CureNet!
Fermer

Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Trojan.Encoder.11432

Added to the Dr.Web virus database: 2017-05-12

Virus description added:

SHA1:

  • Network worm e889544aff85ffaf8b0d0da705105dee7c97fe26
  • Encoder dropper: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
  • Encoder: 7d36a6aa8cb6b504ee9213c200c831eb8d4ef26b
  • Author’s decoder: 45356a9dd616ed7161a3b9192e2f318d0ab5ad10

A multi-component network worm known as WannaCry. It is written in C/C++, assembled in MS Visual Studio, not packed. Contains two dynamic libraries in its own body. Once launched, it tries to send GET request to a remote server http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com without caching the results. If the worm receives a response from the server, it shuts down.

It is launched as the mssecsvc2.0 Windows system service (visible name—”Microsoft Security Center (2.0) Service”); The worm can receive arguments of the command line. If at least one argument is indicated, the worm tries to open the mssecsvc2.0 service and configure it for the restart in case of an error. After launch, it tries to rename file C:\WINDOWS\tasksche.exe to C:\WINDOWS\qeriuwjhrf, saves from the resources of the Trojan encoder to file C:\WINDOWS\tasksche.exe and runs it with a parameter /i. Within 24 hours after its launch as a system service, the worm automatically shuts itself down.

To spread itself, the worm initializes Windows Sockets, CryptoAPI and launches several threads. One of them lists all network interfaces on the infected PC and checks available servers in the local network; the rest of them generate random IP addresses. The worm tries to connect to these remote servers using port 445. If this port is available, a separate thread is used for the infection of network servers using a vulnerability in the SMB protocol.

Dropper

A significant part of the dropper is a password protected ZIP archive, which stores the following files:

  • b.wnry—file with a wallpaper for the Windows Desktop;
  • c.wnry—file with the list of onion servers and an address of the BTC wallet;
  • t.wnry—encrypted file with the Trojan encoder. Decoding key is stored in the file itself;
  • s.wnry—an archive with a software for operation with the Tor network.

After being launched, it tries to install itself to the following folders:

  • %SYSDRIVE%\ProgramData (if this folder exists)
  • %SYSDRIVE%\Intel
  • %SYSDRIVE%
  • %TEMP%

During the installation, the worm creates the corresponding folder, puts inside an enclosed folder with a random name, then creates there its own copy named tasksche.exe.

Attempts to launch its copy as a randomly named system service. If the attempt is unsuccessful, it creates a system service, registers a launch of its own copy inside it using a command interpreter (“cmd.exe /c path”) and runs this service. In case of failure, it runs as an ordinary application.

When the dropper is launched as an application, it tries to write path and name of its current directory to the following system registry branches: HKLM\Software\WanaCrypt0r or HKCU\Software\WanaCrypt0r. Unpacks the archive contents to its current folder, saves to the file c.wncry one of three possible addresses of the BTC wallets. Opens access to the work directory for all system users and installs the hidden argument for it. Then it retrieves the Trojan encoder from the t.wnry file, decrypts it and executes it.

A ransomware Trojan

The encoder is stored in a separate dynamic library. It encrypts files using the AES-128 algorithm. Using the CryptGenKey function, the encoder creates the RSA pair, a public part is saved in a file 00000000.pky, a private part is encrypted with the author’s public key and saved in a file 00000000.eky. The key is generated for each encrypted file using the CryptGenRandom function.

The encrypted file stores:

  • Marker (8 bytes): WANACRY!;
  • Length of the encrypted key (4 bytes);
  • Encrypted key (256 bytes);
  • Information on the encryption type (4 bytes);
  • Initial file size (8 bytes);
  • Encrypted data.

During the course of encryption, a list of files, which could be decrypted in test mode, is created. It is saved to f.wnry. The session AES key for decryption of test files is encrypted with the second RSA key, the private part of which is stored in the Trojan’s body.

The encoder contains the author’s decoder, which performs the following functions:

  • Installation of Desktop wallpaper from the file b.wnry;
  • Removal of shadow copies;
  • Deactivation of the system restoration function;
  • Unpacking of software for operation with Tor from the s.wnry file or loading if from the website, address of which is stored in a file in c.wnry.

The decoder accepts the following command line parameters (without arguments):

  • fi—retrieves software for the operation with Tor, establishes connection with port 80 of onion servers, indicated in the configuration. Receives from them an address of the BTC wallet and saves it in configuration;
  • co—reads from a RES file data on the start of the encryption and, supposedly, sends them to the onion server;
  • vs—deletes shadow copies and disables system restoration.

To exchange data with the onion servers, Trojan.Encoder.11432 uses its own protocol. Unfortunately, at present it is impossible to decrypt files encoded by the Trojan.

Network activity

To share data with remote servers, the Trojan uses its own protocol. It is possible to point out three types of network activity:

  • Sending of messages to the Trojan’s authors;
  • BTC wallet name request;
  • Check of the ransom payment.

Before session, the Trojan checks whether there is an established connection and chooses one of the addresses of an onion server saved in the configuration. To check the operating capability of the server, the Trojan connects to it through the 80th port via the TOR network and installs a session key; after that useful information is sent.

Transmitted data packages are encrypted.

When the Trojan attempts sending a text to the Trojan's authors, and it is shorter than 10 symbols, the malicious program returns an error “Too short message!”. Messages longer than 1000 symbols are shortened to 1000 symbols. The decoder doesn’t allow sending messages too often (these restrictions are implemented in the decoder itself).

When clicking the button of the payment check, the decoder attempts reading a file that contains a public key and a file with the private key. If the reading was successful, it checks their compliance via encryption and decryption of a test buffer. If there is no file with the private key or if the file doesn’t correspond to the file with the public key, the Trojan refers to its servers.

It sends data to the server and then waits for the decrypted EKY file (private part of the RSA key).

News about the Trojan

Recommandations pour le traitement

  1. Si le système d'exploitation peut être démarré (en mode normal ou en mode sans échec), téléchargez Dr.Web Security Space et lancez un scan complet de votre ordinateur et de tous les supports amovibles que vous utilisez. En savoir plus sur Dr.Web Security Space.
  2. Si le démarrage du système d'exploitation est impossible, veuillez modifier les paramètres du BIOS de votre ordinateur pour démarrer votre ordinateur via CD/DVD ou clé USB. Téléchargez l'image du disque de secours de restauration du système Dr.Web® LiveDisk ou l'utilitaire pour enregistrer Dr.Web® LiveDisk sur une clé USB, puis préparez la clé USB appropriée. Démarrez l'ordinateur à l'aide de cette clé et lancez le scan complet et le traitement des menaces détectées.
Version démo gratuite

Pour 1 mois (sans enregistrement) ou 3 mois (avec enregistrement et remise pour le renouvellement)

Télécharger Dr.Web

Par le numéro de série

Veuillez lancer le scan complet du système à l'aide de Dr.Web Antivirus pour Mac OS.

Version démo gratuite

Pour 1 mois (sans enregistrement) ou 3 mois (avec enregistrement et remise pour le renouvellement)

Télécharger Dr.Web sur le site

Par le numéro de série

Veuillez lancer le scan complet de toutes les partitions du disque à l'aide de Dr.Web Antivirus pour Linux.

Version démo gratuite

Pour 1 mois (sans enregistrement) ou 3 mois (avec enregistrement et remise pour le renouvellement)

Télécharger Dr.Web

Par le numéro de série

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile Dr.Web pour Android. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur la violation grave de la loi ou la demande d'une rançon est affiché sur l'écran de l'appareil mobile), procédez comme suit:
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil mobile Dr.Web pour Android et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android

Editeur russe des solutions antivirus Dr.Web
Expérience dans le développement depuis 1992
Les internautes dans plus de 200 pays utilisent Dr.Web
L'antivirus est fourni en tant que service depuis 2007
Support 24/24

Dr.Web © Doctor Web
2003 — 2021

Doctor Web - éditeur russe des solutions antivirus Dr.Web. Doctor Web développe les produits Dr.Web depuis 1992.

333b, Avenue de Colmar, 67100 Strasbourg