Yet Another Ransomware
Another ransomware family, called DMA Locker, has been found in the wild. These infections seem to be popular and are appearing more frequently. Their ability to extort money quickly is more effective than one might think: how much would you pay to get your data back? Ransomware remains a very lucrative business for its operators. Assuming no backup is available, the only way to recover the files is to pay the ransom.
The Trojan uses the following PDF icon:
The Trojan drops the following files to the filesystem:
%ALLUSERSPROFILE%\cryptinfo.txt (encrypted file)
%ALLUSERSPROFILE%\select.bat (encrypted file)
%ALLUSERSPROFILE%\svchosd.exe [Detected as GAV: DMALocker.D (Trojan)]
%USERPROFILE%\Start Menu\Programs\Startup\x.vbs (encrypted file)
The Trojan adds the following keys to the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Firewall “%ALLUSERSPROFILE%\svchosd.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update “%ALLUSERSPROFILE%\select.bat”
The Trojan can be seen running in the process list:
The bot ID and RSA Public Key are stored in the registry:
HKEY_CURRENT_USER\Software dma_id “111E7723E0A34AD3815C0D8A85327F54”
HKEY_CURRENT_USER\Software dma_public_key hex:2d,2d,2d,2d,2d,42,45,47,49,4e,20,50,55,42,4c,49,43….
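As an added example (not part of the original alert or of any vendor tool), the following Python parses a regedit .reg export taken from a suspect machine and flags the persistence entries and the dma_id / dma_public_key values listed above. The sample export is constructed here: the dma_id and the first key bytes are the ones quoted above, and the remaining bytes of the sample key are filled in only so that it decodes to a complete PEM header line.

```python
import re
from typing import Dict, List

# Indicators quoted from the alert above (registry paths, value names, file paths).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SOFTWARE_KEY = r"HKEY_CURRENT_USER\Software"
RUN_IOCS = {
    "Windows Firewall": r"%ALLUSERSPROFILE%\svchosd.exe",
    "Windows Update": r"%ALLUSERSPROFILE%\select.bat",
}
DMA_VALUE_NAMES = ("dma_id", "dma_public_key")

# Constructed sample .reg export. The dma_id and the leading key bytes are the ones
# quoted in the alert; the bytes after "PUBLIC" (" KEY-----") are constructed here so
# the sample decodes to a full PEM header. The OneDrive entry is a benign decoy.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software]
"dma_id"="111E7723E0A34AD3815C0D8A85327F54"
"dma_public_key"=hex:2d,2d,2d,2d,2d,42,45,47,49,4e,20,50,55,42,4c,49,43,20,4b,\
  45,59,2d,2d,2d,2d,2d

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall"="\"%ALLUSERSPROFILE%\\svchosd.exe\""
"Windows Update"="\"%ALLUSERSPROFILE%\\select.bat\""
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
'''

# A value line in a .reg file: "name"=data  (name may contain escaped quotes/backslashes).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape_reg_string(s: str) -> str:
    """Undo the backslash escaping regedit applies to quotes and backslashes."""
    return re.sub(r'\\(["\\])', r'\1', s)


def decode_reg_hex(data: str) -> bytes:
    """Decode the 'hex:aa,bb,...' form regedit uses for REG_BINARY values."""
    body = data.split(":", 1)[1]
    return bytes(int(tok, 16) for tok in body.split(",") if tok.strip())


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key_path: {value_name: value}}.

    String values become str, hex: values become bytes, anything else stays raw text.
    """
    # Join regedit's line continuations: a trailing backslash and an indented next line.
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = _unescape_reg_string(m.group(1))
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape_reg_string(data[1:-1])
        elif data.startswith("hex:"):
            keys[current][name] = decode_reg_hex(data)
        else:
            keys[current][name] = data
    return keys


def pem_header(key_bytes: bytes) -> str:
    """First line of the stored key; for this sample it is the PEM public-key header."""
    return key_bytes.decode("ascii", errors="replace").splitlines()[0]


def find_dma_locker_indicators(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Return a human-readable finding for every indicator from the alert that is present."""
    findings: List[str] = []
    run = reg.get(RUN_KEY, {})
    for name, path in RUN_IOCS.items():
        value = run.get(name)
        # Run values are quoted in the export; compare the unquoted path, case-insensitively.
        if isinstance(value, str) and value.strip('"').lower() == path.lower():
            findings.append(f"Run value '{name}' launches {path}")
    software = reg.get(SOFTWARE_KEY, {})
    for name in DMA_VALUE_NAMES:
        if name in software:
            findings.append(f"{SOFTWARE_KEY} contains value '{name}'")
    return findings


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    print("stored key begins:", pem_header(parsed[SOFTWARE_KEY]["dma_public_key"]))
    for finding in find_dma_locker_indicators(parsed):
        print("FINDING:", finding)
```

The value names "Windows Firewall" and "Windows Update" are chosen to look legitimate, so matching on the name alone would be noisy; the check above requires the name to be paired with the dropped-file path from the alert. Because the persistence lives under HKEY_CURRENT_USER, an export from one user profile says nothing about the others, so each loaded user hive on the host needs to be exported and checked separately.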
The following ransom information is displayed on the screen of the infected machine:
Up-to-date firewall routers with built-in protection, which we help install, include Gateway AntiVirus, which provides protection against this threat.
We'd hate to see your computer network compromised. Here at Queen City Business Networks we're here to help keep you protected and informed about the latest issues. Your peace of mind and business function are important to us.
Original posting by sonicalert.
George J. Gingras <><
MA-IS,MCP,MCSA,MCDBA,MCSE
Senior Network Engineer
Queen City Business Networks, LLC.
859-525-9898 – Office
Using What We Know To Help Your Business Grow