
Trojan:Win32/Ransom.EJ


First posted on 28 February 2012.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Ransom.EJ.

Explanation :

Trojan:Win32/Ransom.EJ is a member of the Trojan:Win32/Ransom family - a family of trojans that seizes control of the computer on which it is installed. This trojan blocks access to websites by overlaying the web browser window with an image. That image contains instructions telling the user to send an SMS to a premium-rate number in order to remove the image and unlock the web browser.


Installation

Upon execution, Trojan:Win32/Ransom.EJ may drop copies of itself at the following locations:

  • %AppData%\mozilla\firefox\firefox.exe
  • %AppData%\google\chrome\chrome.exe
  • %AppData%\microsoft\dllhsts.exe
  • %AppData%\identities\<random CLSID>\svghost.exe

Note that these file names imitate legitimate browser executables, but the paths sit under the roaming profile directory (%AppData%), where neither Firefox nor Chrome installs its binaries; a firefox.exe or chrome.exe at these locations is therefore itself a strong indicator.

It also creates the following registry entries so that its copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Firefox helper"
With data: %AppData%\mozilla\firefox\firefox.exe

Sets value: "Chrome"
With data: %AppData%\google\chrome\chrome.exe

Sets value: <random CLSID>
With data: %AppData%\identities\<random CLSID>\svghost.exe

Sets value: <random CLSID>
With data: %AppData%\microsoft\dllhsts.exe

As part of its clean-up routine, it creates the following batch files, which delete its original copy once it has run:

  • %Temp%\unlnk.bat
  • %Temp%\r.bat
  • %Temp%\clean.bat


Payload

Contacts remote hosts

Trojan:Win32/Ransom.EJ contacts the following remote hosts, which, despite their names, are not affiliated with Microsoft (domains are shown defanged, with "<dot>" in place of the period):

  • security0301-microsoft<dot>com/index.php
  • security-3761-microsoft<dot>com/index.php
  • security-9976-microsoft<dot>com/index.php
  • security-3405-microsoft<dot>com/index.php
  • security-2374-microsoft<dot>com/index.php
  • security-4809-microsoft<dot>com/index.php
  • feyana.jino.ru


The trojan retrieves from these hosts the ransom message it then displays to the affected user.

Additional information

Trojan:Win32/Ransom.EJ creates the following mutexes to ensure that only one copy of the malware is running on the infected computer at any one time:

  • CHROME-HLP-<eight random alphanumeric characters>
  • SAF_{<random CLSID>}
  • msInternetExplorer-<six random alphanumeric characters>
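
The drop locations, Run-key entries, contact hosts and mutex names above are the indicators a responder would sweep for. The following matcher is an added example written for this page; it is not Microsoft's tooling or code from the analysis. It runs over constructed sample data embedded in the script (a Run-key dump, a file listing, a mutex listing and DNS query log lines); on a real system you would feed it the output of reg query, a recursive directory listing, a handle or mutex enumeration and your resolver logs instead. The sample data, the DNS log column layout and the function names are assumptions made for this example, and the domain pattern generalises the six security-NNNN-microsoft.com names on the page to any four-digit number.

```python
"""Matcher for the Trojan:Win32/Ransom.EJ indicators listed on this page.

Added example, not Microsoft's or the page's own code. All sample data below is
constructed; the DNS log layout and helper names are assumptions for this example.
"""
import re

# A CLSID/GUID in braces. The page gives it as <random CLSID>, so it is a pattern,
# not a literal value.
GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
# %AppData% / %Temp% as written on the page, or their expanded on-disk forms.
APPDATA = r"(?:%appdata%|.*\\appdata\\roaming)"
TEMP = r"(?:%temp%|.*\\temp)"

DROP_PATHS = [re.compile(p, re.I) for p in (
    APPDATA + r"\\mozilla\\firefox\\firefox\.exe",
    APPDATA + r"\\google\\chrome\\chrome\.exe",
    APPDATA + r"\\microsoft\\dllhsts\.exe",
    APPDATA + r"\\identities\\" + GUID + r"\\svghost\.exe",
    TEMP + r"\\(?:unlnk|r|clean)\.bat",          # transient clean-up scripts
)]

MUTEXES = [re.compile(p) for p in (
    r"CHROME-HLP-[A-Za-z0-9]{8}",
    r"SAF_" + GUID,
    r"msInternetExplorer-[A-Za-z0-9]{6}",
)]

C2_DOMAINS = [re.compile(p, re.I) for p in (
    r"security-?\d{4}-microsoft\.com",    # security0301-... has no hyphen after "security"
    r"feyana\.jino\.ru",
)]


def find_dropped_files(paths):
    """Return every path in `paths` that matches a Ransom.EJ drop location."""
    return [p for p in paths if any(r.fullmatch(p) for r in DROP_PATHS)]


def find_run_entries(run_values):
    """`run_values` maps Run-key value name -> data. Match on the data, not the name:
    two of the four persistence entries use a random CLSID as the value name."""
    return [(name, data) for name, data in run_values.items()
            if any(r.fullmatch(data.strip('"')) for r in DROP_PATHS)]


def find_mutexes(names):
    """Return the mutex names that fit one of the three Ransom.EJ naming patterns."""
    return [m for m in names if any(r.fullmatch(m) for r in MUTEXES)]


def find_c2_queries(log_lines):
    """Return queried names that match the contact hosts. Constructed log layout:
    'date time host query <qname> <type>'; adjust the column index for your resolver."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        qname = fields[4].rstrip(".")
        if any(r.fullmatch(qname) for r in C2_DOMAINS):
            hits.append(qname)
    return hits


# Constructed sample input (not real telemetry).
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\firefox.exe",            # hit
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\prefs.js",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",                          # legitimate
    r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe",     # legitimate
    r"C:\Users\alice\AppData\Roaming\identities\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\svghost.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\dllhsts.exe",                  # hit
]
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Firefox helper": r"%AppData%\mozilla\firefox\firefox.exe",
    "{3F2504E0-4F89-11D3-9A0C-0305E82C3301}":
        r"C:\Users\alice\AppData\Roaming\identities\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\svghost.exe",
}
SAMPLE_MUTEXES = [
    "CHROME-HLP-a8K2mQ9z", "SAF_{3F2504E0-4F89-11D3-9A0C-0305E82C3301}",
    "msInternetExplorer-Qx7b2L", "Local\\MSCTF.Asm.MutexDefault1", "CHROME-HLP-short",
]
SAMPLE_DNS = [
    "2012-02-28 09:14:02 WS01 query security-3761-microsoft.com A",
    "2012-02-28 09:14:03 WS01 query www.microsoft.com A",
    "2012-02-28 09:14:05 WS01 query security0301-microsoft.com A",
    "2012-02-28 09:14:09 WS01 query feyana.jino.ru A",
    "2012-02-28 09:14:11 WS01 query security-12345-microsoft.com A",   # five digits: no hit
]

if __name__ == "__main__":
    print("dropped files:", find_dropped_files(SAMPLE_FILES))
    print("run entries:  ", find_run_entries(SAMPLE_RUN))
    print("mutexes:      ", find_mutexes(SAMPLE_MUTEXES))
    print("C2 queries:   ", find_c2_queries(SAMPLE_DNS))
```

Matching on the Run-key data rather than the value name is deliberate: the page shows that two of the persistence entries are named with a random CLSID, so a name-based sweep for "Firefox helper" and "Chrome" would miss half of them. The legitimate firefox.exe and chrome.exe locations in the sample are included to show that the %AppData% (roaming) prefix is what separates the dropped copies from real browser installs.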




Analysis by Zarestel Ferrer

Last update 28 February 2012
