SecurityHome.eu Win32/Fortrypt

Home / malware PDF

Win32/Fortrypt

First posted on 20 April 2015.
Source: Microsoft
Aliases :
There are no other names known for Win32/Fortrypt.
Explanation :
Threat behavior

Installation

Win32/Fortrypt can be downloaded by other malware and may be dropped with the following file name:

bin.exe

The threat drops and runs a randomly named batch file in the current folder (detected as Trojan:BAT/Fortrypt.A) which might delete all shadow copies or automatic backups on your PC.

Payload

Encrypts your files

This threat encrypts files on your PC that have the following extensions:

.0??

.1cd

.3fr

.3gp

.7z

.?ar

.abk

.accdb

.adf

.ai

.arc

.arj

.arw

.ashbak

.ashdisk

.avi

.ba?

.backup

.bk?

.bmp

.bup

.cdr

.cdx

.cer

.cf

.cfu

.cr?

.cs?

.da?

.dbf

.dcr

.der

.dic

.divx

.djvu

.dng

.doc

.doc?

.dt

.dwg

.dx?

.e?f

.efd

.eps

.er?

.fbw

.fh

.flv

.frp

.gh?

.gif

.gzip

.hbi

.hdb

.htm

.html

.ifo

.img

.indd

.iso

.iv2i

.jpeg

.jpg

.kdc

.key

.kwm

.ld?

.m2v

.max

.md

.md?

.mef

.mkv

.mov

.mp4

.mpeg

.mpg

.mrw

.nba

.ndf

.nef

.nr?

.od?

.ol?

.one

.orf

.p12

.p7?

.pb?

.pd?

.pef

.pem

.pfx

.png

.pps

.pps?

.ppt

.ppt?

.psd

.pst

.ptx

.pwm

.qbw

.r??

.sco

.sef

.sk

.sr2

.srf

.srw

.tbk

.tc

.tib

.tif

.tmd

.txt

.v?

.v??

.v???

.wb2

.wbb

.wim

.wmv

.wpd

.wps

.x3f

.xl?

.xls?

.xml

.z?

.z??

.z???

It adds .frtrss to the extension of the encrypted files, for example sample.avi is changed to sample.avi.frtrss.

After it encrypts your files, the threat drops a ransom note in each folder where it encrypted files. It also drops the ransom note into your Desktop folder.

The ransom note uses the name READ IF YOU WANT YOUR FILES BACK.html and looks like the following:

Analysis by Jireh Sanico

Symptoms

The following can indicate that you have this threat on your PC:

You can't open your files

You see a message like the following:

Last update 20 April 2015

TOP

Malware :

Last 20