Troj/Ransom-U

Category: Viruses and Spyware Protection available since:26 Nov 2010 00:25:17 (GMT)
Type: Trojan Last Updated:26 Nov 2010 00:25:17 (GMT)
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Examples of Troj/Ransom-U include:

Example 1

File Information

Size
26K
SHA-1
bc5b55f5e4a2e8f32b82b7b21bc8c46aecd15384
MD5
042141f29ca40d1c9954d49a201a60a8
CRC-32
46a987e2
File type
application/x-ms-dos-executable
First seen
2010-11-26

Runtime Analysis

Copies Itself To
  • C:\test_item.exe
Dropped Files
  • C:\bin\configuresav\Sophos Anti-Virus.lnk.ENCODED
  • C:\bin\cmd.exe.lnk.ENCODED
  • c:\Documents and Settings\test user\Start Menu\Programs\Accessories\Synchronize.lnk.ENCODED
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.ENCODED
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Entertainment\Sound Recorder.lnk.ENCODED
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.ENCODED
  • C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.ENCODED
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APISPYDRV\0000
    Driver
    {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
    c:\bin\psxsum.exe
    psxsum
  • HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APISPYDRV\0000\Control
    ActiveService
    ApiSpyDrv
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent
    (Default)
    0x0000000a
  • HKCU\Control Panel\Desktop
    Wallpaper
    C:\DOCUME~1\support\LOCALS~1\Temp\dldldkckckbjbjbj.bmp
  • HKLM\SYSTEM\CurrentControlSet\Services\ApiSpyDrv
    ImagePath
    \??\c:\bin\ApiSpy.sys
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D414BCA974396B044A35E5BFD25BD9AF\Usage
    SAVService
    0x3d7aa609
  • HKLM\SOFTWARE\Microsoft\Cryptography\RNG
    Seed
    97 dd 50 4f 8e f4 12 50 f6 53 a9 2c b9 a2 a7 4f e0 c5 b1 2b 20 ae 7d 6f 73 d5 43 60 47 3c 1c 14 80 23 b8 f1 6f c4 40 51 65 cf 68 ea 05 83 71 26 cb 2f 36 8c 96 f8 5d 1d 04 d2 a4 82 c5 03 a5 81 f9 c6 4c ad ed d5 4f f9 de 6d b7 3e 25 53 56 56
  • HKCU\SessionInformation
    ProgramCount
    0x00000008
Processes Created
  • c:\windows\system32\notepad.exe

Further information

There is more information about Troj/Ransom-U on the blog article Drive-by ransomware attack demands $120.

download Try Sophos products for free
Download now

© 1997 - 2013 Sophos Ltd. All rights reserved. Legal Privacy Cookie Information