Trojan-Ransom.Win32.DigiPog.xp

Technical Details

This Trojan disables a machine in order to obtain a ransom for restoring the system to its original condition. It is a Windows application (PE EXE file). It is 151 040 bytes in size. It is written in C++.

Installation

Once launched, the Trojan performs the following actions:

• It attempts to unload the following processes from the system memory:

  Tmas.exe
  ekrn.exe
  gcasServ.exe
  msscli.exe
  avp.exe
  dwengine.exe
  avastsvc.exe
  avguard.exe
  winroute.exe
  zlclient.exe
  op_mon.exe
  

• It stops the "SharedAccess" service.
• It attempts to call the "__register_frame_info" and "_Jv_RegisterClasses" functions from the following libraries, respectively:

  %WorkDir%\libgcc_s_dw2-1.dll
  %WorkDir%\libgcj_s.dll
  

• It creates the following file to flag its presence in the system:

  %USERPROFILE%\Application Data\efhhcwck.ddr (1598 bytes)
  

  It also creates the following system registry key:

  [HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
  "0X29A"
  

• It copies itself to the following file:

  %USERPROFILE%\Application Data\efhhcwck.exe

• To ensure that the copy created is launched automatically each time the system is rebooted, the following system registry keys are created:

  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
  "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
  
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
  

  It also creates the shortcut:

  %USERPROFILE%\Start Menu\Programs\Startup\healm_jamc.lnk
  

  This shortcut points to the created copy.
• It launches the copy created for execution. This copy is launched twice: initially it is launched without any parameters, and the second time it is launched with the "DNNL" parameter. There always will be two copies of the "efhhcwck.exe" process launched in the system. If one of the processes ceases running, it will be relaunched by the second process.
• During installation the Trojan displays the following windows:

  

  

  

• In addition, the Trojan sends to the malicious user's server:

  188.***.168

  the following HTTP requests:

  HTTP/1.0
  GET
  /_req/?type=e&sid=2&sw=00000000000000000&ostype=2&ossp=2&osbits=0&osfwtype=2&osrights=255
  /_req/?type=m&sid=2&sw=00000000000000000
  

  
  

  Payload

  Once launched, the Trojan performs the following actions:

  1. It deletes its original file by reading the path from the following file:

     %USERPROFILE%\Application Data\efhhcwck.ddr

  2. To ensure that its process is unique within the system, it creates a unique identifier:

     Global\dobeDNNLjpgo

  3. It creates the following system registry keys:

     [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
     "DisableTaskMgr" = "1"
     
     [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
     "NoLogoff" = "1"
     

     Thereby it stops the Task Manager from launching, and hides the "Shut down" sub-menu in the Start menu.
  4. It blocks Internet Explorer's access to the Internet by changing its proxy server settings:

     [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
     "MigrateProxy" = "1"
     "ProxyEnable" = "1"
     "ProxyServer" = "http=127.0.0.1:41653;"
     

     At the same time, it deletes the following keys:

     [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
     "ProxyOverride"
     "AutoConfigURL"
     

     These keys are created and deleted in an endless cycle.
  5. When the user runs other browsers, the Trojan blocks the following sites:

     www.drweb.com/unlocker
     www.esetnod32.ru/.support/winlock
     http://virusinfo.info/deblocker
     http://support.kaspersky.ru/viruses/deblocker
     

  6. It terminates the following processes in an endless cycle:

     far.exe
     msconfig.exe
     taskmgr.exe
     taskkill.exe
     avz.exe
     regedit.exe
     procmon.exe
     

  7. It displays the following window over the top of all open windows in the lower right corner of the screen:

     

  8. It sends to the malicious user's server

     188.***.168

     the following request:

     HTTP/1.0
     GET
     _req/?type=s&sid=2&sw=00000000000000001&ostype=2&ossp=2&osbits=0&osfwtype=2&osrights=255
     

  
  

  Removal instructions

  If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
  2. Delete the following files:

     %USERPROFILE%\Application Data\efhhcwck.ddr 
     %USERPROFILE%\Application Data\efhhcwck.exe
     %USERPROFILE%\Start Menu\Programs\Startup\healm_jamc.lnk
     

  3. Delete the following system registry keys (see What is a system registry and how do I use it?):

     [HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
     "0X29A"
     
     [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
     "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
     
     [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
     "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
     
     [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
     "DisableTaskMgr" = "1"
     
     [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
     "NoLogoff" = "1"
     

  4. Restore the original system registry key value (What is a system registry and how do I use it?):

     [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
     "MigrateProxy"
     "ProxyEnable"
     "ProxyServer"
     "ProxyOverride"
     "AutoConfigURL"
     

  5. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
  
  

  MD5: 5433BBDADE3E6801BAC602D2FD636E74
  SHA1: 95D34CCFBC0E8B0DDDC12B120634ED686F6A8721

  
  

Summary

• Performs potentially dangerous activity

Technical details

File size of 151040 bytes.

Installation

Makes copies of itself with the following names once launched:

• Current user directory (usually, C:\Documents and Settings\) %UserDir%\Application Data\buoucwrh.exe

Creates the following files on an infected computer:

• Current user directory (usually, C:\Documents and Settings\) %UserDir%\Application Data\buoucwrh.ddr

Ensures Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted autorun of the following installed files:

by adding values to autorun keys in the system registry:

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "PC Health Status" = " Current user directory (usually, C:\Documents and Settings\) %UserDir%\Application Data\buoucwrh.exe"

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "PC Health Status" = " Current user directory (usually, C:\Documents and Settings\) %UserDir%\Application Data\buoucwrh.exe"

Malicious activity

Creates unique identifiers to flag its presence in the system

• Global\precgptpcwrh
• Global\dobeQUQOmsug

Other activities

Runs the following files (commands):

• \" Current user directory (usually, C:\Documents and Settings\) %UserDir%\Application Data\buoucwrh.exe\" QUQO

Modifies the system registry keys:

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform ] "0X29A" = ""

Deletes the following files on an infected computer:

• Current user directory (usually, C:\Documents and Settings\) %UserDir%\Application Data\12560921794
• Current user directory (usually, C:\Documents and Settings\) %UserDir%\Application Data\buoucwrh.exe12560926327
• Current user directory (usually, C:\Documents and Settings\) %UserDir%\Start Menu\Programs\Startup\healm_gptp.lnk