Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Trojan.Encoder.3953

Added to the Dr.Web virus database: 2016-02-17

Virus description added:

SHA1

  • fd131f8d61b57954a5906483baf43c92d76a80e7
  • a07a1660ebd71bff4b640665208d2ade51791e69
  • d0a05ad76a8eec9a4fce36e9cf5d446d7ddaae3f
  • 583bbf424a7114586dd48fe57be999cbd750ba56

A ransomware Trojan for Windows. At least 4 of its modifications employ different encryption procedures, and 4 of its versions implement different schemes of file naming. Presumably, the Trojan is created by the authors of Trojan.Encoder.741 and Trojan.Encoder.2667.

Once encrypted, files are appended with a suffix containing an email address and an extension. The Trojan is known to append files with the following extensions:

  • *.xtbl
  • *.CrySiS

Cybercriminals leave the following email addresses:

  • dalailama2015@protonmail.ch
  • Vegclass@aol.com
  • a_princ@aol.com
  • TREE_OF_LIFE@INDIA.COM
  • redshitline@india.com
  • milarepa.lotos@aol.com
  • Eco_vector@aol.com
  • sub_zero12@aol.com
  • gerkaman@aol.com
  • freetibet@india.com
  • cyber_baba2@aol.com
  • siddhiup2@india.com
  • gruzinrussian@aol.com
  • Ecovector3@aol.com
  • ramachandra7@india.com

The following 4 schemes are used to name encrypted files:

  • *.{email}.ext
  • *.ID*.email.xtbl
  • *.ID*.{email}.xtbl
  • *.id-*.{email}.ext

Version 1

SHA1

  • fd131f8d61b57954a5906483baf43c92d76a80e7

Once launched, the Trojan copies itself to the %windir%\system32 directory, saving its original name. If the attempt is unsuccessful, the Trojan locates its copy in the %localappdata% folder. Then, to ensure its autorun, the malware modifies the HKLM\Software\Microsoft\Windows\CurrentVersion\Run system registry branch (if the attempt fails, the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry branch is modified) and registers its copy with the name of the System Service parameter. To control its relaunching, the Trojan uses a mutex with the following name: Global\snc_%virname%.

Internal state of the random number generator is stored in a 32-byte buffer. This buffer is used to obtain MD5. The result is a RC4 key that encrypts the buffer. The obtained 0x20 bytes represent an encryption key.

Encryption is performed in a separate thread, using the AES-CBC-256 algorithms. Names of encrypted files are appended with *.{email}.ext. A 6-byte marker, 16-byte initialization vector, and 1 byte, which indicates the length of alignment, are added to the end of the file. An encrypted key for file decryption is stored in the following 0x80 bytes. All files are encrypted with the same key. Every file has a unique initialization vector.

Files corrupted by this Trojan can be decrypted.

Version 2

SHA1

  • a07a1660ebd71bff4b640665208d2ade51791e69

The Trojan is packed. The unpacked sample has SHA1 8d2b415f8da004f5da7ac706d418f25072782abe.

While a key is being generated, the buffer information is modified by means of the XOR function. Intermediate data of previous calls for random value generation is used. A unique key is generated for network resources.

It names encrypted files using the *.ID*.email.xtbl or *.ID*.{email}.xtbl scheme.

Information is encrypted with the AES-CBC-256 algorithms.

The Trojan registers itself under the fixed name while modifying the system registry to enable its autorun.

This version has the following scheme of adding data to the end of the file: first, the file name is saved (in Unicode), then a 6-byte marker goes followed by 20 bytes of unknown purpose and 16 bytes of initialization vector. After that, 4 bytes indicating the length of alignment are saved. Then there are 0x80 bytes that contain an encrypted key for file decryption. The last DWORD parameter writes the length of the original file name in bytes. In total, 178 bytes are added to the end of the file.

Files corrupted by this Trojan can be decrypted.

Version 2.5

SHA1

  • d0a05ad76a8eec9a4fce36e9cf5d446d7ddaae3f

The Trojan is packed. The unpacked sample has SHA1 ad68d95b42ef99dab3a87d49aed403a86cd99673.

The operation of random number generator is modified in this version.

The Trojan registers itself in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry branch under a random name.

It names encrypted files using the *.ID*.{email}.xtbl scheme.

The procedure of adding information to the end of a file is the same as for the above-mentioned version.

Files corrupted by this Trojan can be decrypted in some cases.

Version 3

SHA1

  • 583bbf424a7114586dd48fe57be999cbd750ba56

It names encrypted files using the *.id-*.{email}.ext scheme.

Information is encrypted with the AES-CBC-256 algorithms. The initialization vector is unique for every file.

Keys generated by this version have become more tamper-proof.

A decryption key together with random bytes is encrypted with RSA-1024 and is saved at the end of the file.

Recommandations pour le traitement

  1. Si le système d'exploitation peut être démarré (en mode normal ou en mode sans échec), téléchargez Dr.Web Security Space et lancez un scan complet de votre ordinateur et de tous les supports amovibles que vous utilisez. En savoir plus sur Dr.Web Security Space.
  2. Si le démarrage du système d'exploitation est impossible, veuillez modifier les paramètres du BIOS de votre ordinateur pour démarrer votre ordinateur via CD/DVD ou clé USB. Téléchargez l'image du disque de secours de restauration du système Dr.Web® LiveDisk ou l'utilitaire pour enregistrer Dr.Web® LiveDisk sur une clé USB, puis préparez la clé USB appropriée. Démarrez l'ordinateur à l'aide de cette clé et lancez le scan complet et le traitement des menaces détectées.

Veuillez lancer le scan complet du système à l'aide de Dr.Web Antivirus pour Mac OS.

Veuillez lancer le scan complet de toutes les partitions du disque à l'aide de Dr.Web Antivirus pour Linux.

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile Dr.Web pour Android. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur la violation grave de la loi ou la demande d'une rançon est affiché sur l'écran de l'appareil mobile), procédez comme suit:
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil mobile Dr.Web pour Android et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android