Ransom:Win32/Isda
First posted on 31 March 2015.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Isda.
Explanation:
Threat behavior
Installation
The threat copies itself to the following location so that it runs each time you start your PC:
\ .exe
It also drops an image file (.bmp) with a random file name containing instructions on how to restore your files. It drops the file in the following location so that it will appear each time you start your PC:
\ .bmp
It also drops a copy of the image file into %APPDATA%\Roaming.
We have seen it use the following names for the image file:
- fud.bmp
- paycrypt.bmp
- strongcrypt.bmp
The image might look like the following:
It changes the desktop wallpaper to the image it dropped by changing the following registry entry:
In subkey: HKCU\Control Panel
Sets value: Desktop Wallpaper
With data: "%APPDATA%\Roaming\.bmp"
Payload
Encrypts your files
This ransomware searches for and encrypts files with the following extensions on local and shared or network drives:
- .113
- .1cd
- .3gp
- .73b
- .7z
- .a3d
- .ab
- .abk
- .accdb
- .arj
- .as4
- .asm
- .asvx
- .ate
- .avi
- .bac
- .bak
- .bck
- .bkf
- .cdr
- .cer
- .cf
- .cpt
- .csv
- .db3
- .dbf
- .doc
- .docx
- .dt
- .dwg
- .erf
- .fbf
- .fbk
- .fbw
- .fbx
- .fdb
- .gbk
- .gho
- .gzip
- .iv2i
- .jpeg
- .jpg
- .key
- .keystore
- .ldf
- .m2v
- .m3d
- .max
- .mdb
- .mkv
- .mov
- .mpeg
- .nbd
- .nrw
- .nx1
- .odb
- .odc
- .odp
- .ods
- .odt
- .old
- .orf
- .p12
- .pef
- .ppsx
- .ppt
- .pptm
- .pptx
- .pst
- .ptx
- .pwm
- .pz3
- .qic
- .r3d
- .rar
- .raw
- .rtf
- .rwl
- .rx2
- .sbs
- .sldasm
- .sldprt
- .sn1
- .sna
- .spf
- .sr2
- .srf
- .srw
- .tbl
- .tib
- .tis
- .txt
- .wab
- .wps
- .x3f
- .xls
- .xlsb
- .xlsk
- .xlsm
- .xlsx
- .zip
It avoids encrypting files in folders that have the following strings:
- program files
- program files (x86)
- programdata
- system volume information
- temp
- windows
The threat changes the extension of the encrypted files in the format .id-<10 random numbers>_.
For example, we have seen the following:
- .id-<10 random numbers>_fud@india.com
- .id-<10 random numbers>_keybtc@foxmail2.com
- .id-<10 random numbers>_paybtc@india.com
- .id-<10 random numbers>_paycrypt@inbox.com
- .id-<10 random numbers>_sos@anointernet.com
- .id-<10 random numbers>_xsmail@india.com
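Added example (not part of the Microsoft writeup): a small Python triage helper that applies the renaming pattern above to a directory listing, grouping suspected-encrypted files by the 10-digit ID and flagging the ransom-note bitmap names listed earlier. The regular expression and the sample paths are constructed here and are assumptions, not data from the original page.

```python
import re
from collections import defaultdict

# Extension appended by Isda as described above: .id-<10 digits>_<contact e-mail>
# (the exact character set of the e-mail part is an assumption)
ISDA_EXT = re.compile(r"\.id-(\d{10})_([A-Za-z0-9._-]+@[A-Za-z0-9.-]+)$")

# Ransom-note bitmap names the writeup says were observed
RANSOM_NOTES = {"fud.bmp", "paycrypt.bmp", "strongcrypt.bmp"}


def _basename(path):
    """Return the last path component for either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_isda_name(path):
    """Return (victim_id, email) if the file name carries the Isda extension, else None."""
    m = ISDA_EXT.search(_basename(path))
    return (m.group(1), m.group(2)) if m else None


def triage(paths):
    """Group suspected-encrypted files by victim ID and collect ransom-note bitmaps.

    One infection uses a single 10-digit ID, so several IDs in one listing
    would point at more than one infected host writing to the same share.
    """
    by_id = defaultdict(list)
    notes = []
    for p in paths:
        if _basename(p).lower() in RANSOM_NOTES:
            notes.append(p)
            continue
        hit = parse_isda_name(p)
        if hit:
            by_id[hit[0]].append((p, hit[1]))
    return {"encrypted": dict(by_id), "notes": notes}


# Constructed sample listing (not real incident data)
SAMPLE = [
    r"D:\share\report.docx.id-1234567890_paycrypt@inbox.com",
    r"D:\share\photos\IMG_0001.jpg.id-1234567890_paycrypt@inbox.com",
    r"C:\Users\alice\AppData\Roaming\paycrypt.bmp",
    r"C:\Users\alice\Documents\notes.txt",
    r"D:\share\report.docx.id-123_paycrypt@inbox.com",  # ID too short: not a match
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for victim_id, files in result["encrypted"].items():
        print(f"ID {victim_id}: {len(files)} file(s), contact {files[0][1]}")
    print("ransom notes:", result["notes"])
```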
It uses an AES encryption algorithm. The key is stored on the malware server that it connects to when it infects your PC.
Contacts remote host
It connects to a malware server and sends information such as:
- Computer name
- The 10-digit ID it adds to encrypted file extensions
- The appended extension name of the encrypted files
It will POST the above information to its server. We have seen the threat try to contact the following servers:
- http://euiloveyou.com/close/script.php
- http://hungariagogo.com/close/script.php
- http://muhojir.tj/script.php
- http://structretech.com/script.php
- http://valueseu.com/close/script.php
Analysis by Alden Pornasdoro
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
- %APPDATA%\ .bmp
- \ .bmp
- Your files have extra information added at the end that looks like the following:
- .id-<10 random numbers>_fud@india.com
- .id-<10 random numbers>_keybtc@foxmail2.com
- .id-<10 random numbers>_paybtc@india.com
- .id-<10 random numbers>_paycrypt@inbox.com
- .id-<10 random numbers>_sos@anointernet.com
- .id-<10 random numbers>_xsmail@india.com
- You see these entries or keys in your registry:
In subkey: HKCU\Control Panel
Sets value: Desktop Wallpaper
With data: "%APPDATA%\Roaming\.bmp"
- You see this message instead of your wallpaper, and whenever you start Windows:
Last update 31 March 2015