Belongs to the family of ransomware programs that encrypt files and demand a ransom for their recovery. Written in Delphi, it uses no packers.
When launched, it determines its full file name. If it is different from C:\Program Files\Internet Explorer\lass.exe, it uses a bat-file to copy itself to the specified location. Then it modifies the registry branch HKLM\Software\Microsoft\Windows\CurrentVersion\Run, launches the copied file and ends the parent process.
The malware searches for the file C:\Program Files\Internet Explorer\finish.lass.html. IF the file is found, the Trojan uses a bat-file to remove itself. It creates the file C:\Program Files\Internet Explorer\index.bat and adds its entry into the registry branch, that is responsible for launching applications automatically Then it extracts and loads the file C:\Program Files\Internet Explorer\finish.lass.html in full-screen mode in the Internet Explorer.
It generates a list of files found on available hard drives in accordance with its embedded catalogue of file extensions and encrypts the files on the list. It leaves files found in Windows, RECYCLER and Program Files directories intact. The following additional extensions are appended to encrypted files: *.firstname.lastname@example.org (_id567), *.relock@qq_com, * .crypto, *.pizda@qq_com, *.kozel@qq_com, *.nalog@qq_com, *.chifrator@gmail_com, *.gruzin@qq_com, *.troyancoder@gmail_com, *.coderksu@gmail_com_id* . The ransomware uses AES encryption.