
Trojan.Synolocker


First posted on 08 August 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Synolocker.

Explanation:

Trojan.Synolocker runs on Synology network-attached storage (NAS) devices.

When the Trojan is executed, it creates the following files:
/tmp/.SYNO_SERVER_LOCK
/tmp/.SYNO_ENCRYPT_LOCK
/tmp/.SYNO_DECRYPT_LOCK
/etc/synolock/
/etc/synolock/.decrypt
/etc/synolock/.restore
/etc/synolock/watch.sh
/etc/synolock/synosync
/etc/synolock/uninstall.sh
/etc/synolock/RSA_PUBLIC_KEY
/etc/synolock/RSA_PRIVATE_KEY
/usr/syno/synoman/redirect.html
/usr/syno/synoman/lock.png
/usr/syno/synoman/style.css
/usr/syno/synoman/synolockcode.txt
/usr/syno/synoman/crypted.log
/usr/syno/synoman/decrypted.log
/usr/syno/etc.defaults/rc.d/S99boot.sh
/usr/syno/etc.defaults/rc.d/S99check.sh
It then modifies the following file:
/usr/syno/synoman/index.html

Next, the Trojan searches for and encrypts files with the following extensions on the compromised NAS device:
.3fr, .7z, .accdb, .ai, .arw, .av, .bay, .bkf, .cdr, .cer, .cr, .dbf, .dcr, .ddrw, .der, .djvu, .dng, .do, .dwg, .dx, .eml, .eps, .erf, .gif, .gpg, .ico, .ind, .jp, .kd, .mbx, .md, .mef, .mp, .mrw, .nef, .nrw, .od, .orf, .p12, .p7b, .p7c, .pas, .pd, .pe, .pfx, .php, .pmg, .potx, .pp, .ps, .ptx, .r3d, .ra, .rtf, .rw, .sda, .sfx, .sld, .sql, .sr, .text, .wb2, .wp, .xl, .zip, wallet
The Trojan then starts an HTTP server on port 80, which replaces the existing HTTP server used for device administration.

If the user attempts to open the administration Web page, the following message is displayed:
Automated Decryption Service. Copy and paste a valid RSA private key in the following form below.

If the correct RSA private key is entered, the Trojan decrypts the files and removes itself from the compromised device.
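The dropped files and the replaced administration page above are the indicators a defender can check for directly. The following POSIX shell script is an added example for this page, not Symantec or Synology tooling; it takes a path prefix (default /) so it can also be run against a mounted NAS volume image, and it assumes the ransom text is present in the modified index.html itself rather than only in a linked file.

```shell
#!/bin/sh
# Read-only check for the Trojan.Synolocker artefacts listed in the writeup.
# ROOT (default /) is a path prefix: a mounted image or a test directory.

# Files the writeup says the Trojan creates, relative to ROOT.
SYNOLOCKER_FILES="tmp/.SYNO_SERVER_LOCK tmp/.SYNO_ENCRYPT_LOCK \
tmp/.SYNO_DECRYPT_LOCK etc/synolock etc/synolock/.decrypt \
etc/synolock/.restore etc/synolock/watch.sh etc/synolock/synosync \
etc/synolock/uninstall.sh etc/synolock/RSA_PUBLIC_KEY \
etc/synolock/RSA_PRIVATE_KEY usr/syno/synoman/redirect.html \
usr/syno/synoman/lock.png usr/syno/synoman/style.css \
usr/syno/synoman/synolockcode.txt usr/syno/synoman/crypted.log \
usr/syno/synoman/decrypted.log usr/syno/etc.defaults/rc.d/S99boot.sh \
usr/syno/etc.defaults/rc.d/S99check.sh"

# Ransom text from the writeup; assumed (not stated by the page) to sit in
# the modified admin page usr/syno/synoman/index.html.
SYNOLOCKER_TEXT="Automated Decryption Service"

# Print one line per artefact found under ROOT; never modifies anything.
synolocker_scan() {
    root="${1:-/}"
    for f in $SYNOLOCKER_FILES; do
        [ -e "$root/$f" ] && echo "dropped file: $root/$f"
    done
    idx="$root/usr/syno/synoman/index.html"
    if [ -f "$idx" ] && grep -q "$SYNOLOCKER_TEXT" "$idx"; then
        echo "modified admin page: $idx"
    fi
    return 0
}

# Number of artefacts found; 0 means none of the listed indicators is present.
synolocker_hits() {
    synolocker_scan "$1" | wc -l | tr -d ' '
}
```

Run synolocker_scan against the live root only from a shell you trust (for example a rescue boot or a mounted volume), since the Trojan replaces the device's own administration server.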

Last update 08 August 2014
