Avira Virus Lab

TR/Ransom.ME.12

Summary
  • Name
    TR/Ransom.ME.12
  • Date discovered
    Jun 27, 2017
  • VDF version
    7.14.14.180 (2017-06-27 18:42)
Description

Encrypts the following file types: .3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

The term 'TR' denotes a trojan horse that is able to spy on data, violate your privacy, or make unwanted modifications to the system.

  • Aliases
    Avast: Win32:Malware-gen
    Dr. Web: Trojan.Encoder.12544
    ESET: Win32/Diskcoder.C trojan
    G Data: Trojan.Ransom.GoldenEye.B
    Kaspersky Lab: Trojan-Ransom.Win32.PetrWrap.d
    Microsoft: Ransom:Win32/Petya
  • Files
    The following files are changed:
    • %Temp%\<random>.tmp
    • \Device\Harddisk0\DR0
    • C:\Windows\perfc.dat
    • C:\Windows\dllhost.dat
  • Injections
    • %Temp%\<randomname>.tmp -> lsass.exe