
Trojan-Ransom.Win32.DigiPog.xp

Detected Aug 26 2010 03:14 GMT
Released Aug 26 2010 13:12 GMT
Published Oct 26 2010 13:24 GMT

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.


Technical Details

This Trojan locks the infected machine and demands a ransom for restoring the system to its original condition. It is a Windows application (PE EXE file). It is 151 040 bytes in size. It is written in C++.

Installation

Once launched, the Trojan performs the following actions:

  • It attempts to terminate the following processes (unloading them from system memory):
    Tmas.exe
    ekrn.exe
    gcasServ.exe
    msscli.exe
    avp.exe
    dwengine.exe
    avastsvc.exe
    avguard.exe
    winroute.exe
    zlclient.exe
    op_mon.exe
    
  • It stops the "SharedAccess" service.
  • It attempts to call the "__register_frame_info" and "_Jv_RegisterClasses" functions from the following libraries, respectively (these are GCC/MinGW runtime libraries, and the calls come from the compiler's startup code rather than from the Trojan's own logic):
    %WorkDir%\libgcc_s_dw2-1.dll
    %WorkDir%\libgcj_s.dll
    
  • It creates the following file to flag its presence in the system:
    %USERPROFILE%\Application Data\efhhcwck.ddr (1598 bytes)
    
    It also creates the following system registry value:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
    "0X29A"
    
  • It copies itself to the following file:
    %USERPROFILE%\Application Data\efhhcwck.exe
  • To ensure that the created copy is launched automatically each time the system is rebooted, the following system registry values are created:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
    
    It also creates the shortcut:
    %USERPROFILE%\Start Menu\Programs\Startup\healm_jamc.lnk
    
    This shortcut points to the created copy.
  • It launches the created copy. The copy is launched twice: first without any parameters, and the second time with the "DNNL" parameter. As a result there are always two "efhhcwck.exe" processes running in the system; if one of them stops, the other relaunches it.
  • During installation the Trojan displays the following windows:

  • In addition, the Trojan sends the following HTTP requests to the malicious user's server at 188.***.168:
    GET /_req/?type=e&sid=2&sw=00000000000000000&ostype=2&ossp=2&osbits=0&osfwtype=2&osrights=255 HTTP/1.0
    GET /_req/?type=m&sid=2&sw=00000000000000000 HTTP/1.0
    


Payload

Once launched, the Trojan performs the following actions:

    1. It deletes its original file by reading the path from the following file:
      %USERPROFILE%\Application Data\efhhcwck.ddr
    2. To ensure that only one instance of its process runs in the system, it creates a named object (mutex) with the following name:
      Global\dobeDNNLjpgo
    3. It creates the following system registry keys:
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      "DisableTaskMgr" = "1"
      
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      "NoLogoff" = "1"
      
      Thereby it stops the Task Manager from launching, and hides the "Shut down" sub-menu in the Start menu.
    4. It blocks Internet Explorer's access to the Internet by changing its proxy server settings:
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      "MigrateProxy" = "1"
      "ProxyEnable" = "1"
      "ProxyServer" = "http=127.0.0.1:41653;"
      
      At the same time, it deletes the following keys:
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      "ProxyOverride"
      "AutoConfigURL"
      
      These values are re-created and re-deleted in an endless loop, so restoring them by hand while the Trojan is running has no lasting effect.
    5. When the user runs other browsers, the Trojan blocks access to the following (unlocker) sites:
      www.drweb.com/unlocker
      www.esetnod32.ru/.support/winlock
      http://virusinfo.info/deblocker
      http://support.kaspersky.ru/viruses/deblocker
      
    6. It terminates the following processes in an endless cycle:
      far.exe
      msconfig.exe
      taskmgr.exe
      taskkill.exe
      avz.exe
      regedit.exe
      procmon.exe
      
    7. It displays the following window over the top of all open windows in the lower right corner of the screen:

    8. It sends the following request to the malicious user's server at 188.***.168:
      GET _req/?type=s&sid=2&sw=00000000000000001&ostype=2&ossp=2&osbits=0&osfwtype=2&osrights=255 HTTP/1.0
      


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

    1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
    2. Delete the following files:
      %USERPROFILE%\Application Data\efhhcwck.ddr 
      %USERPROFILE%\Application Data\efhhcwck.exe
      %USERPROFILE%\Start Menu\Programs\Startup\healm_jamc.lnk
      
    3. Delete the following system registry keys (see What is a system registry and how do I use it?):
      [HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
      "0X29A"
      
      [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
      "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
      
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
      "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
      
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      "DisableTaskMgr" = "1"
      
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      "NoLogoff" = "1"
      
    4. Restore the original values of the following system registry entries (What is a system registry and how do I use it?):
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      "MigrateProxy"
      "ProxyEnable"
      "ProxyServer"
      "ProxyOverride"
      "AutoConfigURL"
      
    5. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
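To confirm that the artifacts listed in this description are gone after cleanup (or to triage a suspect host), the following added example (not Kaspersky's code) evaluates an exported host snapshot against the registry values, files, proxy setting and named object above; the snapshot format (a dict of registry values, file paths and named objects) is an assumption of this example, chosen so the check runs offline.

```python
# Indicators transcribed from the description above (registry keys and paths
# are compared case-insensitively, as Windows does).
REGISTRY_VALUES = {
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "PC Health Status"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "PC Health Status"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform", "0X29A"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoLogoff"),
}
PROXY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
FILES = {
    r"%USERPROFILE%\Application Data\efhhcwck.ddr",
    r"%USERPROFILE%\Application Data\efhhcwck.exe",
    r"%USERPROFILE%\Start Menu\Programs\Startup\healm_jamc.lnk",
}
MUTEX = r"Global\dobeDNNLjpgo"


def triage(snapshot: dict) -> list:
    """Return one finding per artifact present; an empty list means none found.
    snapshot (assumed format) = {"registry": {(key, value_name): data},
    "files": [paths], "named_objects": [names]} exported from the host."""
    reg = {(k.lower(), n.lower()): v for (k, n), v in snapshot.get("registry", {}).items()}
    files = {p.lower() for p in snapshot.get("files", [])}
    findings = []
    for key, name in sorted(REGISTRY_VALUES):
        data = reg.get((key.lower(), name.lower()))
        if data is not None:
            findings.append(f'registry: [{key}] "{name}" = {data!r}')
    # Payload step 4: IE is forced through a loopback proxy with ProxyEnable set.
    proxy = str(reg.get((PROXY_KEY.lower(), "proxyserver"), ""))
    if str(reg.get((PROXY_KEY.lower(), "proxyenable"))) == "1" and "127.0.0.1" in proxy:
        findings.append(f"proxy: IE forced through loopback proxy {proxy}")
    findings += [f"file: {p}" for p in sorted(FILES) if p.lower() in files]
    if MUTEX in snapshot.get("named_objects", []):
        findings.append(f"named object: {MUTEX}")
    return findings


# Constructed snapshot of an infected host; paths kept unexpanded as in the text.
INFECTED = {
    "registry": {
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "PC Health Status"): r"%USERPROFILE%\Application Data\efhhcwck.exe",
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): "1",
        (PROXY_KEY, "ProxyEnable"): "1",
        (PROXY_KEY, "ProxyServer"): "http=127.0.0.1:41653;",
    },
    "files": [r"%USERPROFILE%\Application Data\efhhcwck.exe"],
    "named_objects": [r"Global\dobeDNNLjpgo"],
}

if __name__ == "__main__":
    for line in triage(INFECTED):
        print(line)
```

Because the Trojan re-creates its registry values in a loop while running, run this only after the processes have been stopped (e.g. from Safe Mode, as in step 1).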


MD5: 5433BBDADE3E6801BAC602D2FD636E74
SHA1: 95D34CCFBC0E8B0DDDC12B120634ED686F6A8721


Trojan-Ransom

This type of Trojan modifies data on the victim computer so that the victim can no longer use the data, or it prevents the computer from running correctly. Once the data has been “taken hostage" (blocked or encrypted), the user will receive a ransom demand.

The ransom demand tells the victim to send the malicious user money; on receipt of this, the cyber criminal will send a program to the victim to restore the data or restore the computer’s performance.