Trojan.Encoder.4393

Added to the Dr.Web virus database: 2016-04-20

Virus description added:

SHA1

A ransomware Trojan for Windows, also known as CryptXXX. It is written in Delphi. Encrypted files are given the *.crypt extension (replaced with *.cryp1 in version 3.100), and the files containing the cybercriminals' demands are named de_crypt_readme.txt, de_crypt_readme.html, and de_crypt_readme.png. The Trojan connects to its C&C server on port 443, the port normally used for HTTPS; however, Trojan.Encoder.4393 uses its own protocol. Several modifications of the Trojan exist, and files encrypted by some of them can be decrypted.

The Trojan consists of a dynamic library with several exports. Once the library is loaded, its DllMain function is called. It unpacks the payload, which is also a dynamic library. The program then checks which process is running it. If that process is not rundll32, the Trojan relaunches itself via rundll32 with the procedure name Working. If the process is rundll32, it reloads the library with the entry point AccessToken. To control its relaunching, the Trojan uses a special file created in the %CommonAppData% directory.

Versions 1.000, 1.001, and 2.000 encrypt files with RC4, receiving the key from the server. Other versions use a combination of the RC4 and RSA algorithms. To derive a unique identifier of the computer, the malicious program reads the following values from the system registry:

  [HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier]
  [HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString]
  [HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor]
  [HARDWARE\DESCRIPTION\System\Identifier]

The obtained data is combined with the hard drive serial number and hashed with MD5.

Version 2.006 differs from the other versions. For instance, it terminates itself if it detects processes such as AVP.EXE or EGUI.EXE. If the Trojan is not running under a process named svchost.exe, it copies rundll32.exe to its own folder under the name svchost.exe and launches that copy; the original instance then exits. If it is running under svchost.exe, it checks for reinfection by looking for the file %CommonAppData%\Z: if the file exists, the Trojan stops; if not, it creates the file. This version also uses a different algorithm for generating the computer ID.
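A triage routine that scores host telemetry against the launch chain and file artefacts described in this section and the two sections above (an added example, not Dr.Web's code). The record layout, the field names and the expansion of %CommonAppData% to C:\ProgramData are this example's own assumptions, and the sample events are constructed.

```python
import ntpath

# Indicators taken from the description: rundll32 entry points Working/AccessToken, rundll32.exe
# copied as svchost.exe into the Trojan's folder (2.006), the %CommonAppData%\Z marker, the
# ransom-note names and the .crypt/.cryp1 extensions.
RUNDLL_ENTRYPOINTS = {"working", "accesstoken"}
RANSOM_NOTES = {"de_crypt_readme.txt", "de_crypt_readme.html", "de_crypt_readme.png"}
ENCRYPTED_EXTS = {".crypt", ".cryp1"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MARKER_FILE = "c:\\programdata\\z"  # %CommonAppData%\Z on Vista and later (assumption)

def classify(event):
    """Indicator names one record matches ([] if none). Record shape is this example's
    own: {"type": "process", "image", "cmdline"} or {"type": "file", "path"}."""
    hits = []
    if event.get("type") == "process":
        image = event.get("image", "").lower()
        name = ntpath.basename(image)
        if name == "svchost.exe" and not image.startswith(SYSTEM_DIRS):
            hits.append("svchost_outside_system_dir")
        # rundll32 syntax is "<dll>,<EntryPoint>"; the renamed copy is still rundll32
        parts = event.get("cmdline", "").lower().split(",", 1)
        entry = parts[1].strip().split(" ")[0] if len(parts) == 2 else ""
        if name in ("rundll32.exe", "svchost.exe") and entry in RUNDLL_ENTRYPOINTS:
            hits.append("rundll32_cryptxxx_entrypoint")
    elif event.get("type") == "file":
        path = event.get("path", "").lower()
        name = ntpath.basename(path)
        if path == MARKER_FILE:
            hits.append("common_appdata_marker")
        if name in RANSOM_NOTES:
            hits.append("ransom_note")
        if ntpath.splitext(name)[1] in ENCRYPTED_EXTS:
            hits.append("encrypted_extension")
    return hits

def triage(events):
    """Count each indicator over a batch; several distinct ones match the described chain."""
    counts = {}
    for hit in (h for ev in events for h in classify(ev)):
        counts[hit] = counts.get(hit, 0) + 1
    return counts

# Constructed sample telemetry (not real captures); the last record is a benign service host.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Temp\\x.dll,Working"},
    {"type": "process", "image": "C:\\Temp\\svchost.exe", "cmdline": "svchost.exe C:\\Temp\\x.dll,AccessToken"},
    {"type": "file", "path": "C:\\ProgramData\\Z"},
    {"type": "file", "path": "C:\\Users\\bob\\Documents\\report.docx.crypt"},
    {"type": "file", "path": "C:\\Users\\bob\\Documents\\de_crypt_readme.html"},
    {"type": "process", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]
```

A single indicator (for example one ransom-note name) is weak on its own; the counts from triage are meant to be read together, and a host showing the marker file plus an entry-point hit matches the chain described above.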

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount, or some other announcement prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular device, this procedure can be performed in various ways; consult the user guide shipped with the device or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android on the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.