Trojan.Encoder.6491

Added to the Dr.Web virus database: 2016-10-10

Virus description added:

SHA1:

  • 3218c04576b08ed65530086a41659b51902fce51

A ransomware Trojan written in Go. Once launched, it performs the following actions:

  1. Determines the name of its executable file and checks whether it matches the name “Windows_Security.exe”. If it does, the Trojan goes to step 6.
  2. Removes the folder %APPDATA%\Windows_Update.
  3. Creates the folder %APPDATA%\Windows_Update.
  4. Copies itself to the %APPDATA%\Windows_Update folder under the name Windows_Security.exe.
  5. Removes the original executable file and runs %APPDATA%\Windows_Update\Windows_Security.exe. The source process is then terminated.
  6. If the folder from which the Trojan was launched is not named Windows_Update, the Trojan aborts the installation.
  7. The Trojan executes the following command, which registers the copy for autorun:
    REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Windows-Defender /t REG_SZ /F /D %APPDATA%\Windows_Update\Windows_Security.exe
  8. The Trojan executes the following commands, which mark its folder and executable as hidden system objects (the command strings are stored Base64-encoded in the binary):
    attrib +H +S %APPDATA%\\Windows_Update\\
    attrib +H +S %APPDATA%\\Windows_Update\\Windows_Security.exe
  9. Copies itself to the temporary folder as %TEMP%\\Windows_Security.exe and terminates itself.

The encryption is performed by the copy of the Trojan launched from the %TEMP% folder. Before the installation routine exits, it calls one more function, main_BypassAV, which runs main_LongLoop, increments a counter and then calls main_CheckDebugger (a wrapper around IsDebuggerPresent). The prologue that reads gs:28h and calls runtime_morestack_noctxt is the Go compiler's standard stack-growth check, not part of the Trojan's own logic:

.text:00000000004021E0 main_BypassAV   proc near               ; CODE XREF: main_Install:loc_401F02p
.text:00000000004021E0                                         ; main_BypassAV+38j
.text:00000000004021E0                 mov     rcx, gs:28h
.text:00000000004021E9                 mov     rcx, [rcx+0]
.text:00000000004021F0                 cmp     rsp, [rcx+10h]
.text:00000000004021F4                 jbe     short loc_402213
.text:00000000004021F6                 call    main_LongLoop
.text:00000000004021FB                 mov     rax, cs:some_counter
.text:0000000000402202                 add     rax, 0Bh
.text:0000000000402206                 mov     cs:some_counter, rax
.text:000000000040220D                 call    main_CheckDebugger <- calls isDebuggerPresent
.text:0000000000402212                 retn
.text:0000000000402213 ; ---------------------------------------------------------------------------
.text:0000000000402213
.text:0000000000402213 loc_402213:                             ; CODE XREF: main_BypassAV+14j
.text:0000000000402213                 call    runtime_morestack_noctxt
.text:0000000000402218                 jmp     short main_BypassAV
.text:0000000000402218 main_BypassAV   endp

When the Trojan is installed, it executes the following command:

"vssadmin.exe Delete Shadows /All /Quiet"

The Trojan then reads the following registry values:

HKLM\Software\\Policis\\done
HKCU\Software\\Policis\\done

If either of these values is True, the encryption is not performed. Otherwise the Trojan generates an encryption key and starts encrypting files:

.text:0000000000402403 loc_402403:                             ; CODE XREF: main_main+17Bj
.text:0000000000402403                 mov     byte ptr [rsp], 1
.text:0000000000402407                 call    main_EncryptExternalDrives
.text:000000000040240C                 lea     rax, aC         ; "C:\\"
.text:0000000000402413                 mov     [rsp], rax
.text:0000000000402417                 mov     qword ptr [rsp+8], 3
.text:0000000000402420                 mov     byte ptr [rsp+10h], 1
.text:0000000000402425                 call    main_EncryptDocumets
.text:000000000040242A                 call    main_WriteRegDone
.text:000000000040242F                 call    main_PromtPay
.text:0000000000402434                 call    main_ListenForPayment
.text:0000000000402439                 mov     rbp, [rsp+78h]
.text:000000000040243E                 add     rsp, 80h
.text:0000000000402445                 retn

The main_WriteRegDone function writes to the system registry the HKLM\Software\\Policis\\done and HKCU\Software\\Policis\\done values that were checked before encryption started, so that a subsequent run finds them set and does not encrypt the files again.

The EncryptDocumets function looks as follows:

.text:0000000000401040 main_EncryptDocumets proc near          ; CODE XREF: main_EncryptDocumets+86j
.text:0000000000401040                                         ; main_main+145p ...
.text:0000000000401040
.text:0000000000401040 var_30          = qword ptr -30h
.text:0000000000401040 var_28          = qword ptr -28h
.text:0000000000401040 var_20          = qword ptr -20h
.text:0000000000401040 var_8           = qword ptr -8
.text:0000000000401040 arg_0           = qword ptr  8
.text:0000000000401040 arg_8           = qword ptr  10h
.text:0000000000401040 arg_10          = byte ptr  18h
.text:0000000000401040
.text:0000000000401040                 mov     rcx, gs:28h
.text:0000000000401049                 mov     rcx, [rcx+0]
.text:0000000000401050                 cmp     rsp, [rcx+10h]
.text:0000000000401054                 jbe     short loc_4010C1
.text:0000000000401056                 sub     rsp, 30h
.text:000000000040105A                 mov     [rsp+30h+var_8], rbp
.text:000000000040105F                 lea     rbp, [rsp+30h+var_8]
.text:0000000000401064                 movzx   eax, [rsp+30h+arg_10]
.text:0000000000401069                 test    al, al
.text:000000000040106B                 jz      short loc_40109B
.text:000000000040106D                 mov     rax, [rsp+30h+arg_0]
.text:0000000000401072                 mov     [rsp], rax
.text:0000000000401076                 mov     rax, [rsp+30h+arg_8]
.text:000000000040107B                 mov     [rsp+8], rax
.text:0000000000401080                 lea     rax, encrypt
.text:0000000000401087                 mov     [rsp+10h], rax
.text:000000000040108C                 call    path_filepath_Walk
.text:0000000000401091
.text:0000000000401091 loc_401091:                             ; CODE XREF: main_EncryptDocumets+7Fj
.text:0000000000401091                 mov     rbp, [rsp+30h+var_8]
.text:0000000000401096                 add     rsp, 30h
.text:000000000040109A                 retn
.text:000000000040109B ; ---------------------------------------------------------------------------
.text:000000000040109B
.text:000000000040109B loc_40109B:                             ; CODE XREF: main_EncryptDocumets+2Bj
.text:000000000040109B                 mov     rax, [rsp+30h+arg_0]
.text:00000000004010A0                 mov     [rsp], rax
.text:00000000004010A4                 mov     rax, [rsp+30h+arg_8]
.text:00000000004010A9                 mov     [rsp+8], rax
.text:00000000004010AE                 lea     rax, decrypt
.text:00000000004010B5                 mov     [rsp+10h], rax
.text:00000000004010BA                 call    path_filepath_Walk
.text:00000000004010BF                 jmp     short loc_401091
.text:00000000004010C1 ; ---------------------------------------------------------------------------
.text:00000000004010C1
.text:00000000004010C1 loc_4010C1:                             ; CODE XREF: main_EncryptDocumets+14j
.text:00000000004010C1                 call    runtime_morestack_noctxt
.text:00000000004010C6                 jmp     main_EncryptDocumets

The arg_10 argument specifies whether the function performs encryption (non-zero: the encrypt handler) or decryption (zero: the decrypt handler).

The Go standard library function path/filepath.Walk (path_filepath_Walk in the listing) calls the supplied handler for every file; the two handlers are:

.text:0000000000684058 decrypt         dq offset main_VisitD   ; DATA XREF: main_EncryptDocumets+6Eo
.text:0000000000684060 encrypt         dq offset main_Visit    ; DATA XREF: main_EncryptDocumets+40

The main_Visit function checks the file path for the presence of the following strings:

tmp
winnt
Application Data
AppData
Program Files (x86)
Program Files
temp
thumbs.db
Recycle.Bin
System Volume Information
Boot
Windows
.enc
Instructions
Windows_Security.exe

If any of them is present, the file is not encrypted. The Trojan encrypts files with 140 different extensions. Trojan.Encoder.6491 Base64-encodes the original file names and appends the .enc extension to the encrypted files.
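To scope an incident on an affected host, an analyst needs to know which files the Trojan touched and what they were originally called. The following Go program is an added example, not code from this page or from the Trojan: it reproduces the path filter from the list above as a plain substring match, walks a directory with path/filepath.Walk as the Trojan does, and reverses the file-name encoding described above to recover original names from .enc files. Assumptions: the whole original name (extension included) is Base64-encoded, the description does not say whether the standard or the URL-safe alphabet is used so both are tried, the filter matches anywhere in the path, and the sample directory tree is constructed for the dry run.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Path fragments that main_Visit checks for, copied from the list above.
// ASSUMPTION: the check is a plain substring match on the full path.
var skipMarkers = []string{
	"tmp", "winnt", "Application Data", "AppData", "Program Files (x86)",
	"Program Files", "temp", "thumbs.db", "Recycle.Bin",
	"System Volume Information", "Boot", "Windows", ".enc", "Instructions",
	"Windows_Security.exe",
}

// WouldBeSkipped reports whether the Trojan's handler would leave the path alone.
func WouldBeSkipped(path string) bool {
	for _, m := range skipMarkers {
		if strings.Contains(path, m) {
			return true
		}
	}
	return false
}

// RecoverName turns "<Base64 of original name>.enc" back into the original name.
// ASSUMPTION: the whole original name is encoded; the page does not say which
// alphabet is used, so standard and URL-safe (padded and raw) are all tried.
func RecoverName(encName string) (string, error) {
	if !strings.HasSuffix(encName, ".enc") {
		return "", errors.New("not a .enc file: " + encName)
	}
	stem := strings.TrimSuffix(encName, ".enc")
	var firstErr error
	for _, enc := range []*base64.Encoding{
		base64.StdEncoding, base64.URLEncoding,
		base64.RawStdEncoding, base64.RawURLEncoding,
	} {
		raw, err := enc.DecodeString(stem)
		if err == nil {
			return string(raw), nil
		}
		if firstErr == nil {
			firstErr = err
		}
	}
	return "", fmt.Errorf("cannot decode %q: %w", stem, firstErr)
}

// FindEncrypted walks root with filepath.Walk, as the Trojan does, and maps every
// .enc file to its recovered original name ("" when the stem does not decode,
// so the analyst can inspect it by hand instead of silently losing it).
func FindEncrypted(root string) (map[string]string, error) {
	found := map[string]string{}
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.IsDir() || !strings.HasSuffix(info.Name(), ".enc") {
			return nil
		}
		orig, decErr := RecoverName(info.Name())
		if decErr != nil {
			orig = ""
		}
		found[path] = orig
		return nil
	})
	return found, err
}

// BuildSampleTree writes a constructed directory layout for a dry run.
func BuildSampleTree(root string) error {
	files := map[string]string{
		"docs/cmVwb3J0LmRvY3g=.enc": "ciphertext", // was report.docx
		"docs/fn5-.enc":             "ciphertext", // was "~~~", URL-safe alphabet
		"docs/notes.txt":            "untouched",
	}
	for rel, body := range files {
		full := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "encoder6491-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := BuildSampleTree(root); err != nil {
		panic(err)
	}
	found, err := FindEncrypted(root)
	if err != nil {
		panic(err)
	}
	for p, orig := range found {
		fmt.Printf("%s -> %q\n", p, orig)
	}
	for _, p := range []string{`C:\Windows\System32\drivers\etc\hosts`, `C:\Users\alice\Documents\report.docx`} {
		fmt.Printf("skipped by the Trojan: %s -> %v\n", p, WouldBeSkipped(p))
	}
}
```

Because the filter is a substring match, any path containing tmp or temp is skipped, including user files whose names happen to contain those letters; that is why the listing above keys on the .enc suffix and walks everything rather than relying on the skip list to enumerate affected files.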

The Trojan then saves the ransom note under the name %USERPROFILE%\\Desktop\\Instructions.html, opens it in a browser window, and executes the following command:

msg * All your files have been encrypted, read the note in your Desktop

The main_ListenForPayment function checks the balance of the Bitcoin wallet by requesting the web page

http://btc.blockr.io/api/v1/address/info/1Bww**************Yph9SxP

An example of the C&C server’s reply:

{"status":"success","data":{"address":"1Bww**************Yph9SxP ","is_unknown":true,"balance":0,"balance_multisig":0,"totalreceived":0,"nb_txs":0,"first_tx":null,"last_tx":null,"is_valid":true},"code":200,"message":""}

The JSON reply is parsed into an internal structure. The request is repeated at fixed intervals. If the Trojan detects that the wallet balance has been refilled, it automatically decrypts all encrypted files using an internal function.
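What the polling loop decides on becomes clearer with the reply mapped onto a typed structure. The Go program below is an added example, not the Trojan's code: it parses the reply quoted above into a struct whose fields follow the JSON keys, rejects non-success replies so that an API error is not confused with an unpaid wallet, and applies the "balance refilled" test. The exact threshold the Trojan uses is not given in the description; treating any positive balance or total received as payment is an assumption, and the second reply is constructed to show the paid case.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// AddressInfo mirrors the blockr.io address/info reply quoted above.
// The API reports amounts as JSON numbers, so float64 is used for them.
type AddressInfo struct {
	Status string `json:"status"`
	Data   struct {
		Address         string  `json:"address"`
		IsUnknown       bool    `json:"is_unknown"`
		Balance         float64 `json:"balance"`
		BalanceMultisig float64 `json:"balance_multisig"`
		TotalReceived   float64 `json:"totalreceived"`
		NbTxs           int     `json:"nb_txs"`
		FirstTx         *string `json:"first_tx"` // JSON null until a transaction exists
		LastTx          *string `json:"last_tx"`
		IsValid         bool    `json:"is_valid"`
	} `json:"data"`
	Code    int    `json:"code"`
	Message string `json:"message"`
}

// ParseReply decodes one reply. Malformed JSON or a non-success status is an
// error rather than "not paid", so an API outage cannot be misread either way.
func ParseReply(body []byte) (*AddressInfo, error) {
	var info AddressInfo
	if err := json.Unmarshal(body, &info); err != nil {
		return nil, fmt.Errorf("bad reply: %w", err)
	}
	if info.Status != "success" || info.Code != 200 {
		return nil, errors.New("api error: " + info.Message)
	}
	return &info, nil
}

// PaymentSeen is the "balance is refilled" test the description attributes to
// main_ListenForPayment. ASSUMPTION: any positive balance or total received
// counts; the exact threshold is not given on the page.
func PaymentSeen(info *AddressInfo) bool {
	return info.Data.Balance > 0 || info.Data.TotalReceived > 0
}

// PageReply is the reply quoted on the page, wallet masked as in the original.
const PageReply = `{"status":"success","data":{"address":"1Bww**************Yph9SxP ","is_unknown":true,"balance":0,"balance_multisig":0,"totalreceived":0,"nb_txs":0,"first_tx":null,"last_tx":null,"is_valid":true},"code":200,"message":""}`

// PaidReply is constructed for this example to show the state the Trojan waits
// for; the transaction id is a placeholder, not a real hash.
const PaidReply = `{"status":"success","data":{"address":"1Bww**************Yph9SxP ","is_unknown":false,"balance":0.5,"balance_multisig":0,"totalreceived":0.5,"nb_txs":1,"first_tx":"TXID_PLACEHOLDER","last_tx":"TXID_PLACEHOLDER","is_valid":true},"code":200,"message":""}`

func main() {
	for name, body := range map[string]string{"page reply": PageReply, "constructed paid reply": PaidReply} {
		info, err := ParseReply([]byte(body))
		if err != nil {
			fmt.Println(name, "->", err)
			continue
		}
		fmt.Printf("%s -> balance %.8f, txs %d, payment seen: %v\n",
			name, info.Data.Balance, info.Data.NbTxs, PaymentSeen(info))
	}
}
```

The same typed view is useful on the defensive side: a sandbox that emulates this endpoint can return the paid form to observe the decryption routine, and a proxy log filter for requests to btc.blockr.io/api/v1/address/info/ identifies the polling traffic regardless of the wallet queried.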

Files compromised by this Trojan can be decrypted.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and the removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
