New German Ransomware (May 25, 2012)


The Dell SonicWALL Threats Research team discovered a new German-language Ransomware Trojan being spammed in the wild. The spam e-mail poses as an order confirmation for a premium membership at a partner agency and tells the recipient to open the attachment for the cancellation policy of the elite account. The attachment contains the new Ransomware Trojan. A sample e-mail message looks like this:

Translated e-mail: (Credit: Google Translate)

Subject: Your partner agency order (UserName) No. 809119652

Thank you for your trust (UserName)

You have just ordered at the partner agency, the premium membership. The amount of 557.19 EUR is amortized over the next days of your account. The move was made by Lugyment AG.

You are now ready for the next 6 months premium member and can use the full size premium options. Please refrain from using the contract information of the supplement, it also contains the invoice data and elite service benefits. If you no longer want the Elite membership, please email the withdrawal, with the attached in the Appendix, attached cancellation policy.

(UserName), we wish you good luck!

Sincerely, Mary Moeller
Support Team

The attached zip file contains the new Ransomware Trojan, an executable whose icon is disguised as that of an MS-DOS shortcut file:

If the user opens the file, it performs the following activity on the victim's machine:

  • It drops multiple copies of itself as:
    • (Application Data)\(Random folder name)\(Random alphanumeric 20 characters).exe
    • (Windows System)\(Random alphanumeric 20 characters).exe
  • Creates a new instance of the system program ctfmon.exe and injects the malicious code into it.
  • It modifies the Windows registry to ensure that the dropped copies get executed on system reboot (a Run entry plus an extra executable appended to the Winlogon Userinit value) and also disables some system tools:
    • HKU\(USERID)\Software\Microsoft\Windows\CurrentVersion\Run\8A54A84: "(Application Data)\Jvreanqxgf\16E41E5F08A54A8497CF.exe"
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe ,C:\WINDOWS\system32\D268837808A54A8476D4.exe,"
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegedit: 0x00000001
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr: 0x00000001
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger: "P9KDMF.EXE"
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger: "P9KDMF.EXE"
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger: "P9KDMF.EXE"
    The Image File Execution Options Debugger entries make Windows launch P9KDMF.EXE in place of msconfig, regedit or Task Manager whenever the user tries to start them, so the tools are effectively disabled even if the policy values are reset.
  • Disables Windows Safe Mode by deleting the relevant registry keys.
  • It communicates with a remote server hosted in Beijing, China, to register the infection and receive further instructions. The communication between the malware and the control server is encrypted. Below are some of the requests that we saw in our analysis:

  • Complete list of control server URLs that we found in the code analysis:

  • Complete list of commands that the server can send based on our code analysis:
    • IMAGES
    • GEO
    • LOCK
    • UNLOCK
    • URLS
    • KILL
    • LOAD
    • WAIT
  • The first GET request causes the control server to return a Microsoft CAB file containing images that will be displayed by the Ransomware when it locks the system:

  • The second GET request fetches the Ransomware message in German from the control server.

    Translated Message (Credit: Google Translate)

    Ladies and Gentlemen,
    apparently the update program has been completely disrupted. Now the virus can only be removed manually. This you need to use your files to. So if you need the locked data, please send us 200 euros Ukash code to the email: so soon, this code has been tested, you will receive an update program. If you need your data, we strongly advise you to reformat your computer to completely remove the virus. Ukash can be purchased at any gas station and in several Internet cafes in your area.
    Kind regards, Your Security Team

  • The Ransomware will lock the system with the following image once it receives the LOCK command from the control server asking the user to pay 200 euros:
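The registry changes listed above (the Run entry pointing into the user profile, the extra executable appended to Winlogon\Userinit, the DisableRegedit/DisableTaskMgr policies, and the Image File Execution Options Debugger values on msconfig.exe, regedit.exe and taskmgr.exe) are the artifacts a responder would check for on a suspect host or a registry export taken from one. The following Python script is an added example for this write-up, not SonicWall's tooling: it parses a `reg export`-style text dump, flags those indicators, and rebuilds the Userinit value keeping only userinit.exe rather than deleting the value outright, which would break logon. The embedded dump is constructed to mirror the values in the post; the SID, user name and the benign ctfmon.exe Run entry in it are assumptions.

```python
"""Triage a Windows registry export for the persistence and tool-disabling
changes described in this write-up.  Added example, not SonicWall tooling.
SAMPLE_REG is constructed to mirror the values in the post; the SID, the
user name and the benign ctfmon.exe Run entry are assumptions."""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "kind key name value")

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"8A54A84"="C:\\Documents and Settings\\user\\Application Data\\Jvreanqxgf\\16E41E5F08A54A8497CF.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe ,C:\\WINDOWS\\system32\\D268837808A54A8476D4.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegedit"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="P9KDMF.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="P9KDMF.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="P9KDMF.EXE"
"""

# "Name"=... or @=... (default value); the name may contain escaped characters
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: value}}.  REG_SZ becomes str and
    REG_DWORD becomes int; other value types are kept as their raw text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        raw = m.group(2)
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = _unescape(raw[1:-1])
        elif raw.startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw
        keys[current][name] = value
    return keys


def find_indicators(keys):
    """Flag the four kinds of modification described in the analysis."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\microsoft\\windows\\currentversion\\run"):
            # autoruns launched from the user's profile data directory
            for name, cmd in values.items():
                if isinstance(cmd, str) and (
                        "\\application data\\" in cmd.lower() or "\\appdata\\" in cmd.lower()):
                    hits.append(Hit("autorun-from-profile", key, name, cmd))
        elif k.endswith("\\winlogon"):
            # anything other than userinit.exe in the comma-separated Userinit list
            for entry in str(values.get("Userinit", "")).split(","):
                entry = entry.strip()
                if entry and entry.rsplit("\\", 1)[-1].lower() != "userinit.exe":
                    hits.append(Hit("userinit-hijack", key, "Userinit", entry))
        elif k.endswith("\\policies\\system"):
            for name in ("DisableRegedit", "DisableTaskMgr"):
                if values.get(name) == 1:
                    hits.append(Hit("tool-disabled", key, name, 1))
        elif "\\image file execution options\\" in k and "Debugger" in values:
            # a Debugger value replaces the program with whatever it names
            hits.append(Hit("ifeo-debugger", key, "Debugger", values["Debugger"]))
    return hits


def clean_userinit(value):
    """Rebuild Userinit keeping only userinit.exe entries.  Never delete the
    value itself: without userinit.exe no interactive logon completes."""
    keep = [e.strip() for e in value.split(",")
            if e.strip() and e.strip().rsplit("\\", 1)[-1].lower() == "userinit.exe"]
    return ",".join(keep) + ","


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for h in find_indicators(parsed):
        print(f"{h.kind:21} {h.key}  {h.name} = {h.value!r}")
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" winnt.reg` produces the format parsed here (recent Windows versions write the file as UTF-16, so decode it before passing it to `parse_reg`). Remediation should be done in the order the malware's defenses suggest: remove the three IFEO Debugger values first, reset the two policy DWORDs, then write the cleaned Userinit string back and delete the Run entry together with the dropped executables it points at.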

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Ransom.GA (Trojan)