- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
- If your files remain encrypted after scanning with Kaspersky Anti-Virus, please send a sample file to our Virus Lab (newvirus@kaspersky.com).
This malicious program encrypts files on the victim machine. It is a Windows PE EXE file 61 440 bytes in size, packed using UPX. The unpacked file is approximately 135 KB in size.
Once launched, the virus encrypts files with the following extensions:
3ds 3dx acd ace ai arc arh arj c cdr cgi chm cnt cpp css csv db db1 db2 dbf dbt dbx dic doc dsc dwg dxf eps fax fla flb frm frt frx gtd gz gzip h ha htm html jar key kwm lst lzh ma man mar mdb mmf mo old p12 pak pdf pem pfx pgp pl ppt prf prx ps pst pwa pwl pwm rar rle rmr rnd rtf safe sar sig sln swf tar tbb tex tga txt xcr xls xml zip zoo
The virus partially uses the 67-bit RSA algorithm to encrypt files.
Files encrypted by the virus cannot be used. The malicious user will then demand money for decrypting the files.
The virus creates a file called 'readme.txt' in folders which contain encrypted files. 'readme.txt' contains the following message:
Some files are coded by RSA method. To buy decoder mail: w*****44@mail.ru with subject: RSA 5 ********507363108091
The email address used may differ from variant to variant.
If the user makes contact via the email address in the message, s/he will be asked to pay a certain sum in return for the encrypted files being decrypted.
Kaspersky Lab reminds Internet users to be extremely cautious with potentially suspicious messages from unknown users and with files from unknown sources.
In addition to this, no money should be paid, as this will motivate the authors of this malicious program to create new variants.
Once the virus has encrypted files, it creates a file called TMP.BAT. This file contains code which will delete the source code of the malicious program.
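The indicators described above (the readme.txt note text, the targeted extension list and TMP.BAT) can drive a triage sweep of a disk or share. The following is an added example, not Kaspersky's code: the function names are hypothetical, and matching file names case-insensitively and looking for TMP.BAT anywhere under the scanned root are assumptions, since the description does not say where TMP.BAT is written.

```python
import os
import tempfile

# Marker phrase and extension list are copied from the description above.
NOTE_MARKER = "Some files are coded by RSA method"
TARGET_EXTS = set((
    "3ds 3dx acd ace ai arc arh arj c cdr cgi chm cnt cpp css csv db db1 db2 dbf dbt "
    "dbx dic doc dsc dwg dxf eps fax fla flb frm frt frx gtd gz gzip h ha htm html jar "
    "key kwm lst lzh ma man mar mdb mmf mo old p12 pak pdf pem pfx pgp pl ppt prf prx "
    "ps pst pwa pwl pwm rar rle rmr rnd rtf safe sar sig sln swf tar tbb tex tga txt "
    "xcr xls xml zip zoo").split())


def triage(root):
    """Return (hits, tmp_bats): note folders with their targeted files, and TMP.BAT paths."""
    hits, tmp_bats = [], []
    for folder, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        if "tmp.bat" in by_lower:
            tmp_bats.append(os.path.join(folder, by_lower["tmp.bat"]))
        note = by_lower.get("readme.txt")
        if note is None:
            continue
        try:
            with open(os.path.join(folder, note), errors="replace") as fh:
                text = fh.read(4096)  # the note is short; cap the read
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if NOTE_MARKER.lower() not in text.lower():
            continue  # an ordinary readme.txt, not the ransom note
        candidates = sorted(
            f for f in files
            if f != note and os.path.splitext(f)[1][1:].lower() in TARGET_EXTS)
        hits.append({"folder": folder, "note": note, "candidates": candidates})
    return hits, tmp_bats


def make_constructed_sample(root):
    """Build a constructed directory tree (not real malware output) for triage()."""
    docs, clean = os.path.join(root, "docs"), os.path.join(root, "clean")
    os.makedirs(docs)
    os.makedirs(clean)
    files = {(docs, "ReadMe.txt"): NOTE_MARKER + ". To buy decoder mail: <masked>",
             (docs, "report.doc"): "x", (docs, "photo.jpg"): "x",
             (clean, "readme.txt"): "Ordinary project notes.",
             (root, "TMP.BAT"): "rem constructed placeholder"}
    for (folder, name), body in files.items():
        with open(os.path.join(folder, name), "w") as fh:
            fh.write(body)
```

Call `triage(path)` on a mounted volume or backup copy; each hit lists the files in that folder whose extensions are on the targeted list, which are the ones to check against backups.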
Removal instructions