Tuesday, May 22, 2012

Weelsof - Metropolitan Police - United Kingdom (Ransom Trojan) - 05.22.2012 - Analysis and Removal



HKLM\...\Run: [voitjxghtvngqbu] C:\Documents and Settings\All Users\Application Data\jhdmxqskgvmtxilxyiwh.exe [64512 2012-05-22] ()
HKU\thisisu\...\Run: [voitjxghtvngqbu] C:\Documents and Settings\All Users\Application Data\jhdmxqskgvmtxilxyiwh.exe [64512 2012-05-22] ()
HKLM\...\Winlogon: [Shell] explorer_new.exe [64512 2012-05-22] ()
2012-05-23 02:17 - 2008-04-14 11:00 - 0064512 ____A C:\Windows\explorer_new.exe
2012-05-23 02:16 - 2012-05-22 12:34 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\lwxnrakwwvtxgsd
2012-05-23 02:15 - 2012-05-20 21:43 - 0000016 ____A C:\Documents and Settings\All Users\Application Data\seaoeidlvppzkholfzrrrrvkdflprazo
2012-05-23 02:15 - 2012-05-19 04:09 - 0064512 ____A C:\Documents and Settings\All Users\Application Data\jhdmxqskgvmtxilxyiwh.exe
2012-05-23 02:15 - 2012-05-17 21:50 - 0064512 ____A C:\Windows\jhdmxqskgvmtxilxyiwh.exe

MD5: 1303adf0a0aa3ff3b4a7c818c452853c - VT

Misc Notes:

The folder in %allusersprofile%\appdata (C:\Documents and Settings\All Users\Application Data\lwxnrakwwvtxgsd) has about 10 pictures that compose the ransom screen.
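As an added example (not from the original post), a small Python triage of FRST-style lines like those above: it flags a Winlogon Shell value that is not explorer.exe and Run entries that launch an unsigned executable from an all-users data directory. The sample lines are constructed from the entries quoted in the post; the benign SoundMAX line and the extra %TEMP% directory rule are assumptions.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "hive key name path size vendor raw")

# Constructed sample log, modelled on the FRST entries quoted in the post plus one benign line.
SAMPLE_LOG = """\
HKLM\\...\\Run: [voitjxghtvngqbu] C:\\Documents and Settings\\All Users\\Application Data\\jhdmxqskgvmtxilxyiwh.exe [64512 2012-05-22] ()
HKU\\thisisu\\...\\Run: [voitjxghtvngqbu] C:\\Documents and Settings\\All Users\\Application Data\\jhdmxqskgvmtxilxyiwh.exe [64512 2012-05-22] ()
HKLM\\...\\Winlogon: [Shell] explorer_new.exe [64512 2012-05-22] ()
HKLM\\...\\Run: [SoundMAX] C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe [1388544 2007-03-28] (Analog Devices, Inc.)
"""

LINE_RE = re.compile(
    r"^(?P<hive>HK\w+)\\(?:[^\\]+\\)*(?P<key>Run|Winlogon): "
    r"\[(?P<name>[^\]]+)\] (?P<path>.+?) \[(?P<size>\d+) [\d-]+\] \((?P<vendor>[^)]*)\)$"
)

# Writable locations the dropper lived in; the %TEMP% entry is an assumption, not from the post.
SUSPECT_DIRS = ("\\all users\\application data\\", "\\local settings\\temp\\")

def parse_frst(text):
    """Parse FRST-style registry lines; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["hive"], m["key"], m["name"], m["path"],
                                 int(m["size"]), m["vendor"], raw))
    return entries

def triage(entries):
    """Return (reason, entry) pairs for the two persistence tricks seen in this sample."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if e.key == "Winlogon" and e.name == "Shell":
            # The only expected shell is explorer.exe; Weelsof swapped in explorer_new.exe.
            if low.rsplit("\\", 1)[-1] != "explorer.exe":
                findings.append(("Winlogon Shell replaced", e))
        elif e.key == "Run":
            # Autorun from a world-writable data directory with an empty publisher string.
            if any(d in low for d in SUSPECT_DIRS) and not e.vendor:
                findings.append(("unsigned autorun in writable data dir", e))
    return findings

if __name__ == "__main__":
    for reason, e in triage(parse_frst(SAMPLE_LOG)):
        print(f"{reason}: {e.hive} [{e.name}] -> {e.path}")
```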

Gimemo Ransom - Germany - "Please wait while the connection is beeing established" - Known File Names

This list will be maintained.
I will try to organize them in chronological order.


For help with removal, see the following pages:
If you need additional assistance, visit MajorGeeks.com and create a topic in the Malware Removal forum.

Monday, May 14, 2012

Police Nationale Francaise - France (Ransom Trojan) - 05.14.2012 - Analysis and Removal


Easy way to defeat:

If on XP:
Press F8 upon boot to get to the Windows Advanced Options Menu
From the list, choose "Directory Services Restore Mode"

You should now be in a Windows Safe Mode with Networking capabilities.

Download and install Malwarebytes from here.
Run a Quick Scan.
Ransom message should no longer appear.

Additional information:
This ransom trojan does not drop additional files. It simply runs from its own executable and hijacks this key:
It creates a bad value here, such as "vasja", whose data points to the single ransom file.

Friday, May 04, 2012

Rannoh - Canada (Ransom Trojan) - 05.04.2012 - Analysis and Removal

Figure 1.a

This is very similar to Gendarmerie Nationale (French) in the sense that the bad files are located in practically the same directories.

For this one, look in these directories:
  • %userprofile%\local settings\temp\<random 10 letter folder> - For example: Mlqjqjqjq
  • %windir%\system32
The two bad .exe files in these folders are 20 alphanumeric characters long. For example: AE6B1A712C387EF4E4A7.exe

Note: The .exe in each folder listed is exactly the same in terms of MD5 hash, but the actual Name of the randomized .exe is different (both are randomized).
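As an added example (not from the original post), a Python hunt for the file pattern just described: it walks the two locations, keeps only .exe files whose name is 20 hex characters, and groups them by MD5 so the two differently named copies show up as one pair. The directory tree is constructed in a temp folder as a stand-in for %userprofile%\local settings\temp and %windir%\system32; the file contents and the second random name are made up.

```python
import hashlib
import os
import re
import tempfile

# Rannoh drops two copies of one payload under 20-character hex names, e.g. AE6B1A712C387EF4E4A7.exe.
NAME_RE = re.compile(r"^[0-9A-F]{20}\.exe$", re.IGNORECASE)

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_rannoh_pairs(roots):
    """Walk the given directories and group 20-hex-char .exe files by MD5.
    Returns {md5: [paths]} only for hashes seen in more than one location."""
    by_hash = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if NAME_RE.match(name):
                    p = os.path.join(dirpath, name)
                    by_hash.setdefault(md5_of(p), []).append(p)
    return {h: sorted(ps) for h, ps in by_hash.items() if len(ps) > 1}

def build_sample_tree():
    """Constructed stand-in for the temp and system32 folders; not a real infection."""
    base = tempfile.mkdtemp()
    temp_dir = os.path.join(base, "temp", "Mlqjqjqjq")   # random-letter folder named in the post
    sys32 = os.path.join(base, "system32")
    os.makedirs(temp_dir)
    os.makedirs(sys32)
    payload = b"MZ constructed fake payload, not a real binary"
    with open(os.path.join(temp_dir, "AE6B1A712C387EF4E4A7.exe"), "wb") as f:
        f.write(payload)
    with open(os.path.join(sys32, "0F3C9A1B2D4E5F6A7B8C.exe"), "wb") as f:
        f.write(payload)                     # same bytes, different random name (assumed)
    with open(os.path.join(sys32, "kernel32.dll"), "wb") as f:
        f.write(b"legit-looking decoy")      # does not match the naming pattern
    return os.path.join(base, "temp"), sys32

if __name__ == "__main__":
    for digest, paths in find_rannoh_pairs(build_sample_tree()).items():
        print(digest, *paths, sep="\n  ")
```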

The first step is to remove the Windows lockout portion of this infection.
Boot off a diagnostic CD/DVD such as Hiren, or slave the hard drive to another PC with a bootable Windows OS.

Having seen this type of infection before, I just went into the suspected folders above and deleted the two bad .exe files from there. Once this is done, you should be able to boot to the Windows desktop again. If you'd like to use some type of scanning tool and know how to analyze the log, I'd recommend Farbar Recovery Scan Tool (FRST).

Back in Windows

Great, we are back to the Windows desktop! Wait... why are all my files encrypted?!

Similar to ACCDFISA, this type of ransom trojan has two main features.
1) Locks you out of Windows (see Figure 1.a above)
2) Encrypts the majority of your files

Do not fret, the expert personnel at Kaspersky have created a tool called RannohDecryptor designed to decrypt and restore your files with ease!

Kaspersky RannohDecryptor in action

Download it here or mirror

After decryption