Win32/Trustezeb [Threat Name]
Win32/Trustezeb.A [Threat Variant Name]
Available cleaner: Trustezeb.A Decryptor
Category | trojan
Size | 77312 B
Aliases | Trojan:Win32/Matsnu (Microsoft), Trojan.Ransomlock.P (Symantec), Trojan.Injector.ADI (BitDefender)
Short description
Win32/Trustezeb.A is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to comply with given conditions in exchange for a password or instructions. The file is run-time compressed using UPX.
Installation
When executed, the trojan copies itself into some of the following locations:
- %system%\%variable1%.exe
- %appdata%\%variable2%\%variable3%.exe
- %appdata%\Realtec\Realtecdriver.exe
- %temp%\%variable4%.pre
- %temp%\%variable5%.exe
A string with variable content is used instead of %variable1-5%.
The trojan creates the following files:
- %programfiles%\Trusteer\Rapport\bin\RapportService.exe (18944 B)
- %system%\RPService.exe (18944 B)
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "userinit" = "%system%\userinit.exe,%system%\%variable1%.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "Load" = "%temp%\%variable5%.exe,"
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eze]
- "(Default)" = "MyEze.1"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyEze.1\shell\open\command]
- "(Default)" = "%System%\RPService.exe %0 %1 %2"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe]
- "Debugger" = "RPService.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe]
- "Debugger" = "RPService.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup-Full.exe]
- "Debugger" = "RPXService.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup.exe]
- "Debugger" = "RPXService.exe"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
- "DisableTaskMgr" = 1
- "DisableRegedit" = 1
- "DisableRegistryTools" = 1
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
- "Debugger" = "P9KDMF.EXE"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
- "Debugger" = "P9KDMF.EXE"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
- "Debugger" = "P9KDMF.EXE"
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%diskserialnumber%" = "%appdata%\%variable2%\%variable3%.exe"
- "Realtecdriver" = "%appdata%\Realtec\Realtecdriver.exe"
The following Registry entry is deleted:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
The trojan creates and runs a new thread with its own program code within the following processes:
- svchost.exe
After the installation is complete, the trojan deletes the original executable file.
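The registry changes listed above combine a Winlogon "userinit" hijack, an HKCU "Load" autorun, Image File Execution Options "Debugger" redirections (which make Windows start the named program in place of the target, here used to neutralise Task Manager, regedit, msconfig and the Trusteer Rapport binaries) and policy values that disable the built-in admin tools. The following Python script is an added example, not ESET's own tooling: it parses a registry export in .reg format and flags each of those artefacts so an analyst can review them offline. The registry export text is constructed for the example; the paths, file names (abcd1234.exe, xyz.exe) and the assumption that the Winlogon "Userinit" value should contain only userinit.exe are the author's, not taken from a real system.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a .reg export with the kinds of entries this page lists.
# The debugger names (P9KDMF.EXE, RPService.exe) are those reported on the page;
# the executable paths abcd1234.exe / xyz.exe are invented placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\abcd1234.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\Users\\user\\AppData\\Local\\Temp\\xyz.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="P9KDMF.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe]
"Debugger"="RPService.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
'''

RegValues = Dict[Tuple[str, str], object]  # (key path, value name) -> data

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> RegValues:
    """Parse the subset of .reg syntax seen in exports: [key] headers, string
    values ("name"="...") and dword values ("name"=dword:hex). Key paths and
    value names are lower-cased so lookups are case-insensitive."""
    values: RegValues = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside string data
                value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif data.lower().startswith('dword:'):
                value = int(data[6:], 16)
            else:
                value = data  # hex:/expand strings are kept raw
            values[(current_key, name.lower())] = value
    return values


WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
HKCU_WINDOWS = r'hkey_current_user\software\microsoft\windows nt\currentversion\windows'
POLICIES = r'hkey_current_user\software\microsoft\windows\currentversion\policies\system'
IFEO_MARK = '\\currentversion\\image file execution options\\'
ADMIN_TOOLS = {'taskmgr.exe', 'regedit.exe', 'msconfig.exe'}
POLICY_LOCKS = {'disabletaskmgr', 'disableregedit', 'disableregistrytools'}


def audit_persistence(values: RegValues) -> List[str]:
    """Return one human-readable finding per suspicious artefact."""
    findings: List[str] = []
    # 1. Winlogon Userinit: every comma-separated entry runs at logon; only
    #    the real userinit.exe is expected there (assumption for this audit).
    userinit = values.get((WINLOGON, 'userinit'))
    if isinstance(userinit, str):
        for entry in (e.strip() for e in userinit.split(',') if e.strip()):
            if not entry.lower().endswith('\\userinit.exe'):
                findings.append(f'Winlogon Userinit launches extra program: {entry}')
    # 2. HKCU ...\Windows "Load" is normally empty; anything here autoruns.
    load = values.get((HKCU_WINDOWS, 'load'))
    if isinstance(load, str) and load.strip(','):
        findings.append(f'HKCU Windows\\Load autorun set: {load.strip(",")}')
    # 3. IFEO Debugger: the named program starts instead of the target binary.
    #    Legitimate debuggers exist, so non-admin-tool targets are marked for review.
    for (key, name), value in values.items():
        if name == 'debugger' and IFEO_MARK in key:
            target = key.rsplit('\\', 1)[1]
            tag = 'admin tool neutralised' if target in ADMIN_TOOLS else 'review'
            findings.append(f'IFEO Debugger on {target} -> {value} ({tag})')
    # 4. Policy values that block Task Manager / Registry Editor.
    for (key, name), value in values.items():
        if key == POLICIES and name in POLICY_LOCKS and value == 1:
            findings.append(f'Policy lock set: {name}=1')
    return findings


if __name__ == '__main__':
    for finding in audit_persistence(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

On a live system the same input can be produced with `reg export` of the keys named above; the audit only reads the export, so it can be run on a collection from an offline disk image as well. The IFEO check deliberately reports every Debugger value rather than matching the file names on this page, because the debugger name varies between samples while the technique does not.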
Payload information
Win32/Trustezeb.A is a trojan that encrypts files on local drives.
The trojan searches local drives for files with the following file extensions:
- *.*
It avoids files which contain any of the following strings in their path:
- %windir%
- %userprofile%
- %volumeserialnumber%
- Program
- Application
- temp
- tmp
- Recycled
- $
- cache
- Cookies
- Desk.$00
- .sys
- .lnk
- .com
- .bin
- .ini
- .sys
- .dat
- .bat
- .pif
- .inf
- ntldr
- ntdetect
- bootmgr
- osloader
- winload
- pagefile
- winsh
When the trojan finds a file matching the search criteria, it creates its duplicate.
The file name and extension of the newly created file is derived from the original one.
The following string is prepended: "locked-". An additional "%variable%" extension is appended.
A string with variable content is used instead of %variable%.
The trojan encrypts the file content.
The trojan then deletes found files.
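Because the encrypted copy keeps the original name inside the new one (prefix "locked-", then the original name, then a variable extension), an incident responder can recover the list of affected files and their original names from a plain directory listing, which is useful both for scoping and for placing decrypted output back under the right name. The Python below is an added example written for this page, not ESET's decryptor or any code from the sample: the file listing is constructed, the variable extension "vg5t" is invented, and the regular expression assumes the variable extension is alphanumeric with no dots.

```python
import ntpath
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Pattern described on the page: "locked-" + original name + "." + variable
# extension. Assumption: the variable extension is alphanumeric, so the last
# dot separates it from the original name (which may itself contain dots).
_LOCKED_RE = re.compile(r'^locked-(.+)\.([A-Za-z0-9]+)$')


def parse_locked_name(filename: str) -> Optional[Tuple[str, str]]:
    """Return (original_name, variable_ext) for an encrypted file name, else None."""
    m = _LOCKED_RE.match(filename)
    if not m:
        return None
    return m.group(1), m.group(2)


def triage_listing(paths: List[str]) -> Dict[str, object]:
    """Group a directory listing into encrypted files (with the original path
    each maps back to), originals that are still present next to their
    encrypted copy (the deletion step did not complete), and the distribution
    of variable extensions seen."""
    present = {p.lower() for p in paths}
    encrypted: List[Tuple[str, str]] = []
    originals_present: List[str] = []
    extensions: Counter = Counter()
    for path in paths:
        folder, name = ntpath.split(path)
        parsed = parse_locked_name(name)
        if parsed is None:
            continue
        original, ext = parsed
        original_path = ntpath.join(folder, original)
        encrypted.append((path, original_path))
        extensions[ext] += 1
        if original_path.lower() in present:
            originals_present.append(original_path)
    return {
        'encrypted': encrypted,
        'originals_present': originals_present,
        'extensions': extensions,
    }


# Constructed listing: three encrypted files, one untouched file, and one
# case where the original survived beside its encrypted copy.
SAMPLE_LISTING = [
    r'C:\Users\user\Documents\locked-report.docx.vg5t',
    r'C:\Users\user\Documents\locked-budget.2013.xlsx.vg5t',
    r'C:\Users\user\Documents\notes.txt',
    r'C:\Users\user\Pictures\locked-holiday.jpg.vg5t',
    r'C:\Users\user\Pictures\holiday.jpg',
]

if __name__ == '__main__':
    result = triage_listing(SAMPLE_LISTING)
    for enc, orig in result['encrypted']:
        print(f'{enc}  ->  {orig}')
    print('originals still present:', result['originals_present'])
    print('variable extensions:', dict(result['extensions']))
```

Feeding it the output of `dir /s /b` from the affected drive gives the same view the trojan itself reports back to its operator (the "paths of encrypted files" listed under Information stealing), without touching the file contents. A single dominant variable extension across the listing is consistent with one infection; several different ones would suggest multiple runs.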
The trojan displays the following dialog boxes:
To decrypt the files, the user is asked to comply with given conditions in exchange for a password or instructions.
Information stealing
The following information is collected:
- disk serial number (without spaces)
- paths of encrypted files
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan terminates its execution if it detects that it's running in a specific virtual environment.
The trojan may display the following message:
The trojan acquires data and commands from a remote computer or the Internet.
The HTTP, HTTPS and FTP protocols are used in the communication. The trojan contains a list of 4 URLs.
The trojan may execute the following commands:
- update itself to a newer version
- lock/unlock access to the operating system
- download files from a remote computer and/or the Internet
- run executable files
- encrypt selected files
- decrypt selected files
- delete folders
- delete files
The trojan may run the following command:
- extrac32.exe /A /E /Y "%system%\%variable%.cab" /L "%system%"
The trojan may restart the operating system.