%UserProfile%\Local Settings\Application Data\Facebook\[random name].exe
%ProgramFiles%\MSN GAMING ZONE\[random name].exe
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\programs\startup\[random name].exe
%UserProfile%\AppData\Local\{51541F38-A835-42DE-A0D9-44CFF196937F}\[random name].exe
Size: 429568 bytes
MD5: c99f8dec0cef7c8e4596f2e2f4e10588
%UserProfile%\AppData\Roaming\Dirty\DirtyDecrypt.exe
Size: 24576 bytes
MD5: 1d27a7210f54a047264f23c7506e9506
Depending on the OS version, the trojan copies itself into one of these locations:
C:\Program Files\Dirty\DirtyDecrypt.exe
C:\Program Files (x86)\Dirty\DirtyDecrypt.exe
C:\Users\[YOUR USER]\AppData\Roaming\Dirty\DirtyDecrypt.exe
C:\Documents and Settings\[YOUR USER]\Application Data\Dirty\DirtyDecrypt.exe
C:\Documents and Settings\[YOUR USER]\Local Settings\Application Data\Dirty\DirtyDecrypt.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[random name] = %UserProfile%\Local Settings\Application Data\Facebook\[random name].exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
[Userinit] = c:\windows\system32\userinit.exe,%ProgramFiles%\MSN GAMING ZONE\[random name].exe
It is also started from the Start Menu startup folder:
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\programs\startup\[random name].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[DirtyDecrypt] = "%UserProfile%\AppData\Roaming\Dirty\DirtyDecrypt.exe" \hide
The trojan edits registry keys to disable the following services:
- wscsvc, the Security Center / Action Center service (Windows Vista, 7, 8)
- wuauserv, Windows Automatic Updates
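A read-only triage script for the indicators above (drop directories and sample hashes, the HKCU Run and Winlogon Userinit persistence entries, and the two disabled services), as an added example that is not part of the original analysis and not VirIT eXplorer's own code. It uses only the paths, registry values, service names and MD5 hashes given in this write-up; the function names are assumed.

```powershell
# Added example, not from the original TG Soft analysis: read-only triage of a
# Windows host for the DirtyDecrypt indicators listed in the write-up.
# Function names are my own; every path, registry value, service name and
# hash comes from the analysis. Run from an elevated PowerShell session.

# MD5 hashes of the two samples described in the analysis.
$KnownMd5 = @{
    'c99f8dec0cef7c8e4596f2e2f4e10588' = 'dropper ([random name].exe, 429568 bytes)'
    '1d27a7210f54a047264f23c7506e9506' = 'DirtyDecrypt.exe (24576 bytes)'
}

# Directories the trojan drops into; which ones exist depends on the OS version.
$DropDirs = @(
    "$env:LOCALAPPDATA\Facebook",
    "$env:USERPROFILE\Local Settings\Application Data\Facebook",
    "$env:ProgramFiles\MSN GAMING ZONE",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:LOCALAPPDATA\{51541F38-A835-42DE-A0D9-44CFF196937F}",
    "$env:APPDATA\Dirty",
    "$env:ProgramFiles\Dirty",
    "${env:ProgramFiles(x86)}\Dirty"
)

function Find-DirtyDecryptFiles {
    # The dropper has a random file name, so every .exe in a drop directory is
    # reported; the two known hashes are flagged explicitly.
    foreach ($dir in $DropDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
            $note = 'unknown executable in a DirtyDecrypt drop directory'
            if ($KnownMd5.ContainsKey($md5)) { $note = $KnownMd5[$md5] }
            [pscustomobject]@{ Path = $_.FullName; Size = $_.Length; MD5 = $md5; Match = $note }
        }
    }
}

function Find-DirtyDecryptPersistence {
    # HKCU Run: a fixed 'DirtyDecrypt' value (started with the \hide switch) and a
    # random-name value pointing into the Facebook directory.
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not Run values
            if ($p.Name -eq 'DirtyDecrypt' -or "$($p.Value)" -match '\\Dirty\\|\\Facebook\\|\\hide') {
                [pscustomobject]@{ Location = 'HKCU\...\CurrentVersion\Run'; Name = $p.Name; Value = $p.Value }
            }
        }
    }
    # Winlogon Userinit: a clean value is "C:\Windows\system32\userinit.exe,"
    # (a single entry with a trailing comma); the trojan appends its own executable after it.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Userinit -ErrorAction SilentlyContinue
    if ($wl) {
        $entries = @($wl.Userinit -split ',' | Where-Object { $_.Trim() -ne '' })
        if ($entries.Count -gt 1) {
            [pscustomobject]@{ Location = 'HKLM\...\Winlogon'; Name = 'Userinit'; Value = $wl.Userinit }
        }
    }
}

function Get-DirtyDecryptServiceState {
    # The trojan disables Security/Action Center (wscsvc) and Windows Update (wuauserv).
    # Only a 'Disabled' start mode is treated as suspect: wuauserv is Manual by default
    # on newer Windows, so 'Stopped' alone proves nothing.
    foreach ($name in 'wscsvc', 'wuauserv') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        $mode  = if ($svc) { $svc.StartMode } else { 'missing' }
        $state = if ($svc) { $svc.State } else { 'missing' }
        [pscustomobject]@{ Service = $name; StartMode = $mode; State = $state; Suspect = ($mode -eq 'Disabled' -or $mode -eq 'missing') }
    }
}

Write-Host '== Executables in DirtyDecrypt drop directories =='
Find-DirtyDecryptFiles | Format-Table -AutoSize
Write-Host '== Persistence entries =='
Find-DirtyDecryptPersistence | Format-Table -AutoSize
Write-Host '== Services the trojan disables =='
Get-DirtyDecryptServiceState | Format-Table -AutoSize
```

The script changes nothing on the host; it only reports. On Vista and later the "Local Settings\Application Data" path is a junction that denies directory listing, which is why the listing errors are silenced. An empty file listing with a populated Userinit or Run hit still counts as a finding, since the dropper name is random and the directory it lands in depends on the OS version.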
About five minutes after the trojan is executed, a full-screen borderless window showing a police announcement appears and locks the PC.
Trojan.Win32.DirtyDecrypt.A encrypts files of the following formats using the RSA cryptosystem:
- 7z
- avi
- doc
- docm
- docx
- jpeg
- rtf
- wmv
- xls
- xlsm
- xlsx
- zip
Example of an encrypted image:
Example of an encrypted RTF document:
When executed, Trojan.Win32.DirtyDecrypt.B shows the following window:
To decrypt the encrypted files the ransomware demands the following amount, depending on the chosen currency:
The payment methods shown are:
- Ukash
- PaySafeCard
- MoneyPak
Trojan.Win32.DirtyDecrypt.A uses the following domain (hosted in Amsterdam) to handle the payment request:
viweabkkfe.com
Clean:
Trojan.Win32.DirtyDecrypt.A is removed by VirIT eXplorer since version 7.4.48.
The first version of the malware had a flaw that could be exploited to decrypt the files without paying the ransom.
Unfortunately the malware's creators have since corrected that flaw, so it is no longer possible to get the files back this way.
For some file types it is still possible to recover part of the content, but the attempt is very likely to corrupt the file and lose it entirely.
Analysis by eng. Gianfranco Tonello
C.R.A.M. (Anti-Malware Research Center) by TG Soft