Virus:Worm/BackNine
Date discovered:09/03/2007
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium to high
Static file:Yes
File size:20.992 Bytes
MD5 checksum:000B5aea832ad9e266b0abe8ac0B757e
VDF version:6.38.00.23 - Friday, March 9, 2007
IVDF version:6.38.00.23 - Friday, March 9, 2007

General Aliases:
   •  Kaspersky: Trojan.Win32.Crypt.ab
   •  F-Secure: Trojan.Win32.Crypt.ab
   •  Bitdefender: Trojan.Ransom.B


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Right after execution it runs a Windows application that displays the following window:


Files:
It copies itself to the following locations:
   • %SYSDIR%\recovery.exe
   • %SYSDIR%\kkk.exe


Encryption:
It creates new files which are encrypted copies of the found files.

The following directory is searched:
   • %all directories%

The name of each encrypted copy is the original filename with the archive extension appended.

The encrypted copies use the following extension:
   • *.rwg



The following file is created:
   • %SYSDIR%\RansomWar.txt

This is a non-malicious text file with the following content:
   • Dear user,
     some of your files have been encrypted using a quite strong system.
     Now you are scared but I will not ask you for money.
     If you want to get back your files you can do following:
     1) Contact a good antivirus-company that will decrypt them for you
     2) You can send an email to **********@yahoo.com requesting a decryptor program
     3) You can launch your PC trought the window or use a better OS (like linux) :)

     RansomWar by [WarGame,eof]

Registry:
The following registry value is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • run = %SYSDIR%\recovery.exe
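As an added example that is not part of this description: a host-triage function that checks a constructed host snapshot for the dropped copies, the *.rwg extension, the ransom note and the registry run value listed above. The snapshot format, the function names and the sample paths are this example's own assumptions.

```python
import ntpath
from dataclasses import dataclass, field

# Host indicators listed in this description (file names are relative to %SYSDIR%).
DROPPED_COPIES = ("recovery.exe", "kkk.exe")
RANSOM_NOTE = "ransomwar.txt"
ENCRYPTED_EXT = ".rwg"
RUN_KEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"
RUN_VALUE = "run"

@dataclass
class HostSnapshot:
    """Constructed stand-in for what a collection agent would return from a host."""
    sysdir: str                                   # e.g. C:\Windows\system32
    files: list                                   # full paths of files present
    registry: dict = field(default_factory=dict)  # key -> {value name: data}

def _in_sysdir(path, sysdir):
    # ntpath handles Windows paths correctly even when this runs on Linux.
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(sysdir)

def triage(snap):
    """Return a sorted list of the indicator names that matched on one host."""
    hits = set()
    for path in snap.files:
        name = ntpath.basename(path).lower()
        if name in DROPPED_COPIES and _in_sysdir(path, snap.sysdir):
            hits.add("dropped_copy:" + name)
        elif name == RANSOM_NOTE and _in_sysdir(path, snap.sysdir):
            hits.add("ransom_note")
        elif name.endswith(ENCRYPTED_EXT):
            hits.add("encrypted_file")
    data = snap.registry.get(RUN_KEY, {}).get(RUN_VALUE, "")
    if data and ntpath.basename(data).lower() in DROPPED_COPIES:
        hits.add("persistence_run_value")
    return sorted(hits)

def sample_snapshot():
    """Constructed host state that shows every host indicator from the description."""
    sysdir = r"C:\Windows\system32"
    return HostSnapshot(
        sysdir=sysdir,
        files=[sysdir + r"\recovery.exe", sysdir + r"\kkk.exe",
               sysdir + r"\RansomWar.txt",
               r"C:\Users\alice\Documents\report.doc",
               r"C:\Users\alice\Documents\report.doc.rwg",
               r"C:\Temp\recovery.exe"],          # outside %SYSDIR%: not counted
        registry={RUN_KEY: {RUN_VALUE: sysdir + r"\recovery.exe"}},
    )

if __name__ == "__main__":
    print(triage(sample_snapshot()))
```

A copy of recovery.exe outside %SYSDIR% is deliberately not counted, so the check mirrors the locations the description actually names.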

Email:
It uses the Messaging Application Programming Interface (MAPI) in order to send a reply to emails stored in the inbox. The characteristics are described below:


From:
The sender address is the user's Outlook account.


Email design:

Subject: You are a very lucky man, read this mail!
Body:
   • Hi, you won a big amount of money!!! If you want to know more look at the attachment!
Attachment:
   • BigCashForYou.exe



The email looks like the following:


File details:
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hamper detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Gherman on Tuesday, May 15, 2007
Description updated by Andrei Gherman on Tuesday, May 15, 2007
