Ransom-C
Risk Assessment
Home Users: Low
Corporate Users: Low
Date Discovered: 1/12/2007
Date Added: 1/12/2007
Origin: N/A
Length: Varies
Type: Trojan
SubType: Win32
DAT Required: 4938

Virus Characteristics

Ransom-C is a trojan that deletes files from the infected machine and displays a message in Chinese requesting a fee from the user to recover the deleted data.

This trojan can often arrive in a spoofed e-mail notifying the user of "important events" or "great deals". In one such example, the e-mail poses as the mail administrator notifying the user of a "system upgrade" and requests that the user open the attachment to prevent the account from being terminated.

More recently, websites were discovered to be hosting Exploit-MS06-014, which installs Ransom-C without any need for user interaction on vulnerable web browsers. They include legitimate financial news and medical websites that were believed to have been penetrated by the trojan author. When the exploit is successful, it proceeds to download and install an abc.exe.pif executable containing Ransom-C.

In some cases, a .RAR file resembling the file attachments used in the spoofed e-mails is placed behind a spoofed hyperlink on the penetrated website. For example, the hyperlink could display a description of "Directions to the XYZ Hospital" but instead lets the user download a .RAR containing the Ransom-C trojan.

Upon execution, Ransom-C makes a copy of itself in the Start-Programs->Startup menu as svchost.exe, as well as at X:\Documents and Settings\%User%\Application Data\Microsoft\win1ogon.exe (where X: is the system drive letter, e.g. C:, and %User% is the current user ID). It then displays a pop-up window claiming that unlicensed software was detected and has been moved to a restricted folder. To unlock these files, the user must send an e-mail to webmas[hidden]@yahoo.com.cn to purchase the "licensed" software.

NOTE: Our analysis shows that the files are not moved but effectively deleted from the infected computer, including mounted drives on external media (e.g. memory cards, hard drives). This implies that a reliable method to fully recover the files would be unlikely.

Ransom-C drops a text file on the desktop reiterating its claims and reboots the system each time the pop-up window is closed.

Indications of Infection

Presence and/or modification of the following registry keys:

Display of the pop-up windows depicted in "Characteristics".

Method of Infection

Ransom-C has been known to be propagated via spoofed e-mails with attachments, and by browsing hacked websites hosting spoofed hyperlinks and/or Exploit-MS06-014.

Removal Instructions

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Instead of encrypting or moving files from the victim's machine, Ransom-C effectively deletes them. A reliable method to fully recover the files is unlikely: due to the design of the Windows file system, disk segments marked deleted can be overwritten by new data. Data deleted by Ransom-C should be restored from backup.
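The two file-system indicators the advisory names (svchost.exe in a user's Startup folder, and win1ogon.exe under the user's Application Data\Microsoft folder) can be swept across every local profile with a read-only script. This is an added example, not AVERT's own tooling: the advisory gives the Windows XP paths, and the Vista-and-later equivalents below are my mapping of the same Startup and roaming Application Data locations; it assumes an elevated PowerShell 4 or newer session so every profile is readable and Get-FileHash is available.

```powershell
# Added example (not from the advisory): list and hash the Ransom-C file
# indicators across every local user profile. Read-only: nothing is deleted,
# moved or quarantined. Assumes an elevated PowerShell 4+ session.

$profileRoots = @('C:\Users', 'C:\Documents and Settings') |
    Where-Object { Test-Path -LiteralPath $_ }

# Profile-relative paths. A legitimate svchost.exe lives in System32, so a copy
# in a Startup folder is the suspicious part. win1ogon.exe uses the digit 1 in
# place of the letter l to look like winlogon.exe.
$indicatorPaths = @(
    'Start Menu\Programs\Startup\svchost.exe',                                   # XP layout (advisory)
    'Application Data\Microsoft\win1ogon.exe',                                   # XP layout (advisory)
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe', # Vista+ (assumed mapping)
    'AppData\Roaming\Microsoft\win1ogon.exe'                                     # Vista+ (assumed mapping)
)

function Find-RansomCIndicators {
    foreach ($root in $profileRoots) {
        $profiles = Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue
        foreach ($profile in $profiles) {
            foreach ($rel in $indicatorPaths) {
                $full = Join-Path -Path $profile.FullName -ChildPath $rel
                if (Test-Path -LiteralPath $full -PathType Leaf) {
                    $item = Get-Item -LiteralPath $full -Force
                    [pscustomobject]@{
                        Path     = $full
                        Size     = $item.Length
                        Modified = $item.LastWriteTimeUtc
                        SHA256   = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
                    }
                }
            }
        }
    }
}

$results = @(Find-RansomCIndicators)
if ($results.Count -gt 0) {
    $results | Format-Table -AutoSize
    Write-Warning "Ransom-C file indicators present: isolate the host and restore deleted data from backup."
} else {
    Write-Output "No Ransom-C file indicators found in local user profiles."
}
```

The hashes are recorded so a hit can be matched against the DAT 4938 detection or submitted to AVERT; the advisory does not publish sample hashes, so none are embedded here.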