Win32/Trustezeb [Threat Name]

Win32/Trustezeb.A [Threat Variant Name]

Available cleaner: Trustezeb.A Decryptor

Category trojan
Size 77312 B
Detection created Feb 10, 2012
Signature database version 6875
Aliases Trojan:Win32/Matsnu (Microsoft)
  Trojan.Ransomlock.P (Symantec)
  Trojan.Injector.ADI (BitDefender)
Short description

Win32/Trustezeb.A is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself to some of the following locations:

  • %system%\%variable1%.exe
  • %appdata%\%variable2%\%variable3%.exe
  • %appdata%\Realtec\Realtecdriver.exe
  • %temp%\%variable4%.pre
  • %temp%\%variable5%.exe

A string with variable content is used instead of %variable1-5%.


The trojan creates the following files:

  • %programfiles%\Trusteer\Rapport\bin\RapportService.exe (18944 B)
  • %system%\RPService.exe (18944 B)

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "userinit" = "%system%\userinit.exe,%system%\%variable1%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "Load" = "%temp%\%variable5%.exe,"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eze]
    • "(Default)" = "MyEze.1"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyEze.1\shell\open\command]
    • "(Default)" = "%System%\RPService.exe %0 %1 %2"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe]
    • "Debugger" = "RPService.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe]
    • "Debugger" = "RPService.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup-Full.exe]
    • "Debugger" = "RPXService.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup.exe]
    • "Debugger" = "RPXService.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
    • "DisableRegedit" = 1
    • "DisableRegistryTools" = 1
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
    • "Debugger" = "P9KDMF.EXE"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
    • "Debugger" = "P9KDMF.EXE"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
    • "Debugger" = "P9KDMF.EXE"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%diskserialnumber%" = "%appdata%\%variable2%\%variable3%.exe"
    • "Realtecdriver" = "%appdata%\Realtec\Realtecdriver.exe"

The following Registry entry is deleted:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]

The trojan creates and runs a new thread with its own program code within the following processes:

  • svchost.exe

After the installation is complete, the trojan deletes the original executable file.

Payload information

Win32/Trustezeb.A is a trojan that encrypts files on local drives.


The trojan searches local drives for files with the following file extensions:

  • *.*

It avoids files which contain any of the following strings in their path:

  • %windir%
  • %userprofile%
  • %volumeserialnumber%
  • Program
  • Application
  • temp
  • tmp
  • Recycled
  • $
  • cache
  • Cookies
  • Desk.$00
  • .sys
  • .lnk
  • .com
  • .bin
  • .ini
  • .sys
  • .dat
  • .bat
  • .pif
  • .inf
  • ntldr
  • ntdetect
  • bootmgr
  • osloader
  • winload
  • pagefile
  • winsh

When the trojan finds a file matching the search criteria, it creates its duplicate.


The file name and extension of the newly created file is derived from the original one.


The following string is prepended: "locked-". An additional "%variable%" extension is appended.


A string with variable content is used instead of %variable%.


The trojan encrypts the file content.


The trojan then deletes found files.
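Added example (not code from the ESET page): a Python check that flags the persistence and anti-analysis Registry footprint listed under Installation (IFEO "Debugger" hijacks, the Winlogon userinit and Load values, the DisableTaskMgr/DisableRegedit/DisableRegistryTools policies) and maps file names produced by the "locked-" naming scheme above back to their originals. The key paths and value names come from this page; the sample export data, the random-looking file names and the function names are assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Binaries whose IFEO "Debugger" value the page lists as hijacked (Trusteer Rapport
# components plus the built-in admin tools).
IFEO_TARGETS = {
    "rapportmgmtservice.exe", "rapportservice.exe", "rapportsetup-full.exe",
    "rapportsetup.exe", "taskmgr.exe", "msconfig.exe", "regedit.exe",
}
POLICY_VALUES = {"DisableTaskMgr", "DisableRegedit", "DisableRegistryTools"}
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)$", re.IGNORECASE)
LOCKED_RE = re.compile(r"^locked-(?P<orig>.+)\.(?P<tag>[^.]+)$")
RegEntry = Tuple[str, str, str]  # (key path, value name, value data), as in a .reg export

def check_registry(entries: Iterable[RegEntry]) -> List[str]:
    """Return one finding per entry that matches the Trustezeb.A footprint."""
    findings = []
    for key, name, data in entries:
        k, n = key.lower(), name.lower()
        m = IFEO_RE.search(key)
        if m and n == "debugger" and m.group(1).lower() in IFEO_TARGETS:
            findings.append(f"IFEO Debugger hijack: {m.group(1)} -> {data}")
        elif k.endswith(r"\windows nt\currentversion\winlogon") and n == "userinit":
            # The legitimate value is only <system>\userinit.exe; anything extra runs at logon.
            extra = [p for p in data.split(",") if p.strip()
                     and not p.strip().lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(f"Winlogon userinit carries extra entries: {extra}")
        elif k.endswith(r"\windows nt\currentversion\windows") and n == "load" and data.strip(", "):
            findings.append(f"Winlogon Load value set: {data}")
        elif k.endswith(r"\policies\system") and name in POLICY_VALUES and data.strip() == "1":
            findings.append(f"Admin tool disabled by policy: {name}")
    return findings

def original_name(filename: str) -> Optional[str]:
    """Undo the naming scheme: 'locked-' prefix plus an appended variable extension."""
    m = LOCKED_RE.match(filename)
    return m.group("orig") if m else None

# Constructed sample export (assumption); ab12cd.exe stands in for a %variable% name.
SAMPLE_ENTRIES: List[RegEntry] = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "userinit", r"C:\Windows\system32\userinit.exe,C:\Windows\system32\ab12cd.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe",
     "Debugger", "P9KDMF.EXE"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "1"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe"),  # benign
]
```

On a live host the same checks apply to a `reg export` of the listed keys; a restored file name from `original_name` only helps once the content has been decrypted with the available cleaner.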


The trojan displays the following dialog boxes:

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Information stealing

The following information is collected:

  • disk serial number (without spaces)
  • paths of encrypted files

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan terminates its execution if it detects that it's running in a specific virtual environment.


The trojan may display the following message:

The trojan acquires data and commands from a remote computer or the Internet.


The HTTP, HTTPS and FTP protocols are used in the communication. The trojan contains a list of 4 URLs.


The trojan may execute the following commands:

  • update itself to a newer version
  • lock/unlock access to the operating system
  • download files from a remote computer and/or the Internet
  • run executable files
  • encrypt selected files
  • decrypt selected files
  • delete folders
  • delete files

The trojan may execute the following command:

  • extrac32.exe /A /E /Y "%system%\%variable%.cab" /L "%system%"

The trojan may perform operating system restart.
