Win32/Bogoj [Threat Name] go to Threat

Win32/Bogoj.B [Threat Variant Name]

Category worm
Size 357712 B
Detection created Nov 27, 2008
Detection database version 3645
Aliases Trojan-Ransom.Win32.VB.a (Kaspersky)
  W32.Randsom.A (Symantec)
  Ransom.trojan (McAfee)
Short description

Win32/Bogoj.B is a worm that spreads via removable media. The file is run-time compressed using Astrum SFX .

Installation

When executed, the worm drops one of the following files in the %windir% folder:

  • lsass.exe (77824 B)
  • nerodigit16.inf (20480 B)
  • services.exe (53248 B)
  • uninstlv16.exe (32768 B)

The following file is dropped into the %temp% folder:

  • errir.exe (20480 B)

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Active Setup\­Installed Components\­{%variable%}]
    • "StubPath" = "%windir%\­uninstlv16.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­torn.exe\­torn]
    • "Directory" = "%program_files%\­torn"
    • "Version" = "1.00"
    • "Uninstaller" = "%windir%\­torn uninstaller.exe"

The worm displays a fake error message:

Spreading on removable media

The worm creates the following folders:

  • %drive%\­tg_root

The following file is dropped in the same folder:

  • uninstall.exe

The worm creates the following file:

  • %drive%\­autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

Win32/Bogoj.B is a worm that steals passwords and other sensitive information.


The data is saved in the following file:

  • %userprofile%\­feedback.html

The worm is able to log keystrokes.


The worm can send the information to a remote machine.


The worm contains a list of (1) URLs. The HTTP protocol is used.

Other information

The worm encrypts files on local disks.


The extension of the encrypted files is changed to:

  • .xnc

The worm deletes the original file.


It avoids files which contain any of the following strings in their path:

  • \­%windir%\­
  • \­Program Files\­
  • \­Boot\­
  • \­ProgramData\­Microsoft\­
  • \­Users\­All Users\­Microsoft\­

It avoids files with the following extensions:

  • .ini
  • .sys
  • .dll
  • .log
  • .com
  • .bat
  • .cab
  • .lnk
  • .xnc
  • .reg

When searching the drives, the worm creates the following file in every folder visited:

  • read this.txt

It contains the following text:

  • Hello,
  • As you probably already noticed, your files on this Pc/laptop are encrypted.
  • That means you cant use them before you decrypt them.
  • Decrypthing these files without password and proper software is impossible.
  • Im the only person in the world who has password and software you need to decrypt your files.
  • If you want to get ALL your files back to normal, that is,
  • decrypt them, youll have to buy decryptor. To buy decrypting tool contact me at: brandos87@yahoo.com or brandos87@gmail.com
  • Ill reply within hour or two, and you can have your files back within few minutes after that.
  • Price for decryptor and password is low, so anyone affectet by my encryptor could afford buying it.
  • Ill also help you delete my encryptor, that you installed on this machine without realizing that.
  • Also note that most of your private informations is collected and sent to me.
  • In case you dont contact me, Ill sell your private informations data (like email account logins, credit card numbers, paypal account logins, etc).
  • In case you do contact me and we reach agreement, Ill also remove spying tool from your machine,
  • and your private informations will be destroyed from my system.
  • IMPORTANT:
  • If you want to get your data back, do not remove or install anything on this machine from now on, until you decrypt
  • all your files.
  • As I told you already, Ill reply in shortest possible time, most probably minutes, or in worst case few hours after you send me your message.
  • Im sorry for trouble I caused you, but this is mostly your fault :) .
  • I hope we will solve your computer problem, and Im looking for friendly relationship with you.
  • Please be smart :=)
  • Good day.

The worm creates the following files:

  • %windir%\­javainstal5.log

Please enable Javascript to ensure correct displaying of this content and refresh this page.