Ransom-M

Upon execution Trojan Ransom-M changes the wallpaper of the desktop with the following wallpaper as shown below:

The wallpaper contains a message informing the user that the system is infected with Lorobot and to recover the files the user has to email to the specified email address mentioned in the wallpaper and pay 100$ to the attacker inorder to obtain the decryption file.

Trojan then encrypts all the files in the user's system which are of the following file formats .zip; .rar; .pdf; .rtf; .txt; .jpg; .jpeg; .waw; .mp3; .db; .xls; .docx; .xlsx; .doc .After modifying all the files a text pop up appears as shown below:

The Trojan adds the following files:

C:\xxxx.txt
C:\WINDOWS\CryptLogFile.txt
C:\Documents and Settings\<USERNAME>\Local Settings\Temp\wallpaper.bmp

CryptLogFile.txt contains the list of modified files in the system by the Trojan as below:

C:\Adobe Reader 9 Installer\Folder.jpg
C:\Tools\API Monitor.rar
C:\Tools\Dede\DSF\DeDe_SDK.rtf
C:\WINDOWS\SHELLNEW\EXCEL12.XLSX
C:\Program Files\Windows Media Player\npdrmv2.zip
C:\Documents and Settings\All Users\Application Data\SiteAdvisor\guid.txt
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
C:\Documents and Settings\<USERNAME>\Application Data\Microsoft\Internet Explorer\brndlog.txt
C:\Documents and Settings\<USERNAME>\Cookies\<USERNAME>@atdmt[1].txt
C:\Documents and Settings\<USERNAME>\Local Settings\Application Data\IconCache.db
C:\Documents and Settings\<USERNAME>\Templates\winword.doc
C:\Documents and Settings\<USERNAME>\Templates\excel.xls

• Presence of the above mentioned characteristics.
• Presence of the above mentioned files

Trojans are not viruses, and as such do not contain any method to replicate by themselves. However they may be downloaded by other viruses and/or Trojans to be installed on the user's system. Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the malwares).

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.