Measures against a new ransom trojan variant claiming 2048-bit PGP-RSA encryption of the hard drive
This type of ransom trojan is dropped by other malware or downloaded from the Internet. It displays a certain message and informs the user that the system is locked. To unlock it again, the user needs to pay money.
The following message will appear if the trojan is executed:
The ransom malware claims that all local files have been encrypted with a 2048 PGP Key.
It is in fact a RC4 encryption, and with available original files (from backup or other source), it is possible to decrypt all files.
The trojan comes by another dropped malware or by visiting malicious websites and downloading from it.
It makes a copy of itself in the following folder:
The following modifications will be done in the registry by the ransom malware:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "D8812EB1"="C:\\Documents and Settings\\%userprofile%\\Application Data\\%random%\\%random%.exe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools"=dword:00000001 "DisableRegedit"=dword:00000001
All the locally present files except in "Windows" and "Program" on the system will be locked with the RC4 method. They will assume the following syntax:
locked-*original file name*.*4 random characters*
Please refer to this link for more information about this ransom malware.
Avira provides a decrypting tool, which is named "Avira Ransom File Unlocker".
Avira Ransom File Unlocker" is a tool written in .NET 2.0 to decrypt files encrypted by a ransom malware type that claims the files have been encrypted with a 2048 PGP key. It is in fact RC4-encrypted, so with available original files (from a backup or any other source), it is possible to decrypt all files.
The tool will not change or delete the encrypted files, to avoid data loss in case the decryption did not work most likely due to a new variant of this kind of malware.
To decrypt the encrypted files, the user has to select an encrypted file from the hard drive and the original version of this file from the hard drive or from another source.
It is imperative that the original version is an exact copy of the encrypted file before the system was infected, otherwise the tool would not work correctly.
Update with version 1.0.1: You will now get an error message if you have added 2 encrypted or 2 decrypted files as "Locked file" and "Original file".
- Avira Professional Security [Windows]
- Avira Free Antivirus [Windows]
- Avira Antivirus Premium 2013 [Windows]
- Avira Antivirus Suite [Windows]
- Avira Internet Security [Windows]
- Avira Professional Security, Version 2012 [Windows]
- Avira Internet Security Suite [Windows]
- Avira Family Protection Suite [Windows]
- Avira Ultimate Protection Suite [Windows]
- Avira Antivirus Premium, Version 2012 [Windows]
- Avira Internet Security, Version 2012 [Windows]
- Created : Friday, April 27, 2012
- Last updated: Monday, October 14, 2013
- Rate this article