Virus:TR/Ransom.A.1
Date discovered:26/04/2006
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:No
VDF version:6.34.01.12

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Spy.Win32.Ransom.a
   •  TrendMicro: TROJ_RANSOM.A
   •  Sophos: Troj/Ransom-A

It was previously detected as:
   •  TR/Ransom.A


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files


Right after execution the following information is displayed:




The pictures have been edited for display purpose.

 Files The following files are created:

%malware execution directory%\004.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Ransom.A.1

%malware execution directory%\005.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Ransom.A.1

%malware execution directory%\006.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Ransom.A.1

%malware execution directory%\007.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Ransom.A.1

%malware execution directory%\008.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Ransom.A.1

%malware execution directory%\009.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Ransom.A.1

%malware execution directory%\svchost.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Ransom.A.1

%malware execution directory%\data3.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Ransom.A.1

%malware execution directory%\data2.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Ransom.A.2

%malware execution directory%\data4.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Ransom.A.3

%malware execution directory%\dat1.bat
%SYSDIR%\wpd.exe Detected as: TR/Ransom.A.1

%SYSDIR%\ShudownUtility.exe

 Registry The following registry key is added:

– [HKCU\Software\OZ Development\Applications\002.exe\Win1]
   • "x"=dword:00000008
   • "y"=dword:00000000
   • "width"=dword:000003f0
   • "height"=dword:0000030c
   • "zoomed"=dword:00000000

Description inserted by Andrei Ivanes on Tuesday, May 2, 2006
Description updated by Andrei Ivanes on Tuesday, May 2, 2006

Back . . . .