Thank you Steven for the dropper.
=>> Quick analysis:
The malware creates the HKLM.…\Run key to load its file located here: C:\Windows\elekilus.exe. This is the malware's loading point.
To kill this malware, you’ll need to delete the loading point (Run key), the related file and the running module. At that point the malware is inactive, but you will still see the (harmless) leftovers, e.g. the loaded .jpg file on the desktop, various .ini files dropped on the system, etc.
Create File C:\Windows\elekilus.exe
Set Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ikibepdm
Additionally, the malware creates various configuration keys:
Create Key HKEY_CURRENT_USER\Software\[b]Bit Torrent Application[/b]
Create Key HKEY_CURRENT_USER\Software\Bit Torrent Application\[b]Configuration[/b]
Set Value HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration\0*000000 ([b]*[/b] = random_number)
[i]- II - x ~3, 4 additional keys[/i]
It creates a “PLEASE_READ.inf” file in most (if not all) %path% locations, for example:
17:10:08 Create File C:\Users\Magna\Desktop\E\PLEASE_READ.inf
17:10:08 Create File C:\Program Files\Common Files\VMware\Drivers\pvscsi\PLEASE_READ.inf
17:10:09 Create File C:\Program Files\Java\jre7\bin\server\PLEASE_READ.inf
17:10:11 Create File C:\Program Files\K-Lite Codec Pack x64\Filters\LAV\PLEASE_READ.inf
17:10:12 Create File C:\Program Files\Microsoft Games\Chess\en-US\PLEASE_READ.inf
17:10:16 Create File C:\Program Files (x86)\AIMP3\Modules\PLEASE_READ.inf
17:10:21 Create File C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.146\default_apps\PLEASE_READ.inf
17:10:42 Create File C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\PLEASE_READ.inf
17:10:45 Create File C:\Program Files (x86)\Notepad++\user.manual\sites\all\modules\fancy_login\scripts\PLEASE_READ.inf
17:10:49 Create File C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\ms\PLEASE_READ.inf
…etc
.ini file contents:
Hello,
I am an IT specialist, I research system vulnerabilities and make profit by selling them. I have found one vulnerability in your system and hacked it. I have copied all valuable data from this PC and from your computer network. Then I have encrypted the files and if you are willing to decrypt them you need to buy a decryption key from me. Here is my contact:
e-mail: it-spec@mail.ua
You have 3 days to purchase the decryption key, otherwise some of your sensitive data may be published on the internet and your system will not get decrypted.
Information for IT specialists:
-
Anti-virus will delete encryption program but will not decrypt the data. Using system restore point will not help you to recover the data.
-
Data was encrypted with AES (Rijndael) algorithm (256 bit). Encryption key was encrypted with RSA (2048 bit) algorithm. This is extremely secure cryptography technique, around 1000 year time period will be required to break it, so do not try to do it.
---- Encrypted Session Key Begin ----
---- Encrypted Session Key End ----
It creates files in %temp%:
17:11:27 Create File C:\Users\Magna\AppData\Local\Temp\CabD71D.tmp <-- this is a folder
17:11:27 Create File C:\Users\Magna\AppData\Local\Temp\TarD71E.tmp <-- this is a folder
It creates one .htm file:
Create File C:\Users\Magna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GT6LKK4X\gate-uk[1].htm
Other created files:
Create File C:\ProgramData\icodukalemem.jpg <-- this is what you actually see on your desktop
=======================================================
FRST sees the malware and shows the following:
==================== Processes (Whitelisted) =================
() C:\Users\Magna\Desktop\E\virussign.com_256bb50af06d5d4dc5dba73a5991e410.vir\virus.exe.exe
==================== Registry (Whitelisted) ==================
HKLM.…\Run: [ikibepdm] - C:\Windows\elekilus.exe [341504 2014-03-10] ()
==================== Drivers (Whitelisted) ====================
U3 uxroifog; ??\C:\Users\Magna\AppData\Local\Temp\uxroifog.sys
Created Files:
2014-03-10 17:10 - 2014-03-10 17:10 - 00341504 _____ () C:\Windows\elekilus.exe
Modified Files:
2014-03-10 17:11 - 2013-03-30 21:08 - 01134854 ____H () C:\Users\Radna_Stanica\AppData\Local\IconCache.db.encrypted
2014-03-10 17:11 - 2013-03-30 18:42 - 00778714 ____H () C:\Users\User\AppData\Local\IconCache.db.encrypted
2014-03-10 17:11 - 2013-03-30 18:35 - 00057560 _____ () C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT.encrypted
2014-03-10 17:11 - 2013-03-30 18:22 - 00082316 _____ () C:\Users\Magna\Documents\wallpaper-499261.jpg.encrypted
2014-03-10 17:11 - 2013-03-30 18:21 - 00082316 _____ () C:\Users\Administrator\Documents\wallpaper-499261.jpg.encrypted
2014-03-10 17:11 - 2013-03-30 18:18 - 00248259 _____ () C:\Users\Administrator\Documents\tweakslogon.zip.encrypted
2014-03-10 17:11 - 2013-03-30 18:18 - 00170151 _____ () C:\Users\Administrator\Documents\reWalls.com_84.jpg.encrypted
2014-03-10 17:11 - 2013-03-30 18:06 - 00248259 _____ () C:\Users\Magna\Documents\tweakslogon.zip.encrypted
2014-03-10 17:11 - 2013-03-30 15:46 - 00170151 _____ () C:\Users\Magna\Documents\reWalls.com_84.jpg.encrypted
2014-03-10 17:10 - 2013-03-30 18:29 - 01330546 ____H () C:\Users\Administrator\AppData\Local\IconCache.db.encrypted
2014-03-10 17:10 - 2013-03-30 18:18 - 00057560 _____ () C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT.encrypted
// I don’t know why this malware adds the “.encrypted” extension right to these files, but it does. My guess is that these will be locked after 3 days pass.
Running Module:
2014-03-10 17:07 - 2014-03-01 05:37 - 00341504 _____ () C:\Users\Magna\Desktop\E\virussign.com_256bb50af06d5d4dc5dba73a5991e410.vir\virus.exe.exe
Cheers ;D
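As an added example (not part of the post above, and not FRST's own code), a small Python parser that reads FRST-style lines like the ones quoted in the post and flags the three things the analysis points out: an unsigned Run entry loading a file dropped straight into C:\Windows, a driver loading from a Temp folder, and files renamed with the .encrypted extension. The sample text is constructed in the shape of the quoted output, and the checks themselves are my own assumptions about what a responder would want flagged.

```python
import re
# Constructed sample in the shape of the FRST output quoted in the post (not a real log).
SAMPLE_FRST = """\
==================== Registry (Whitelisted) ==================
HKLM\\...\\Run: [ikibepdm] - C:\\Windows\\elekilus.exe [341504 2014-03-10] ()
==================== Drivers (Whitelisted) ====================
U3 uxroifog; \\??\\C:\\Users\\Magna\\AppData\\Local\\Temp\\uxroifog.sys
2014-03-10 17:10 - 2014-03-10 17:10 - 00341504 _____ () C:\\Windows\\elekilus.exe
Modified Files:
2014-03-10 17:11 - 2013-03-30 18:22 - 00082316 _____ () C:\\Users\\Magna\\Documents\\wallpaper-499261.jpg.encrypted
2014-03-10 17:11 - 2013-03-30 18:06 - 00248259 _____ () C:\\Users\\Magna\\Documents\\tweakslogon.zip.encrypted
2014-03-10 17:11 - 2013-03-30 18:42 - 00778714 ____H () C:\\Users\\User\\AppData\\Local\\IconCache.db.encrypted
"""

# One regex per FRST line shape: Run-key value (accepts both "HKLM\...\Run" and the post's
# "HKLM.…\Run" rendering), driver service line, and dated file entry.
RUN_RE = re.compile(r"^HK(?:LM|CU)\S*\\Run: \[(?P<name>[^\]]+)\] - (?P<path>.+?) \[(?P<size>\d+) (?P<date>[\d-]+)\] \((?P<company>[^)]*)\)")
DRV_RE = re.compile(r"^[RSU]\d (?P<svc>\w+); (?P<path>.+)$")
FILE_RE = re.compile(r"^(?P<mod>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<size>\d+) (?P<attr>\S+) \((?P<company>[^)]*)\) (?P<path>.+)$")

def parse_frst(text):
    """Pull Run-key, driver and file entries out of FRST-style text."""
    found = {"run": [], "drivers": [], "files": []}
    for line in text.splitlines():
        if m := RUN_RE.match(line):
            found["run"].append({"name": m["name"], "path": m["path"],
                                 "size": int(m["size"]), "company": m["company"]})
        elif m := DRV_RE.match(line):
            found["drivers"].append({"service": m["svc"], "path": m["path"]})
        elif m := FILE_RE.match(line):
            found["files"].append({"path": m["path"], "size": int(m["size"])})
    return found

def assess(found):
    """Apply the post's observations as checks; returns (severity, message) tuples."""
    findings = []
    for r in found["run"]:  # loader dropped straight into C:\Windows with no company name
        low = r["path"].lower()
        if not r["company"] and low.rpartition("\\")[0] == "c:\\windows":
            findings.append(("high", f"unsigned Run entry '{r['name']}' loads {r['path']}"))
    for d in found["drivers"]:  # kernel driver loading from a user's Temp folder
        if "\\temp\\" in d["path"].lower():
            findings.append(("high", f"driver {d['service']} loads from Temp: {d['path']}"))
    enc = [f for f in found["files"] if f["path"].lower().endswith(".encrypted")]
    if enc:
        findings.append(("high", f"{len(enc)} files renamed with .encrypted"))
    for r in found["run"]:  # tie the Run target back to the file entry of the same size
        if any(f["path"].lower() == r["path"].lower() and f["size"] == r["size"] for f in found["files"]):
            findings.append(("info", f"Run target {r['path']} matches a file entry of {r['size']} bytes"))
    return findings
```

Running `assess(parse_frst(SAMPLE_FRST))` on the constructed sample yields four findings: the Run entry, the Temp driver, the three .encrypted files, and the size match between the Run target and the created file.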