Ransom.MSIL.REDENERGY.THJAOBD

它以文件的形式出现在系统中，可能是其他恶意软件投放的，或者是用户在访问恶意网站时无意中下载的。

新病毒详细信息

它以文件的形式出现在系统中，可能是其他恶意软件投放的，或者是用户在访问恶意网站时无意中下载的。

安装

它植入下列文件：

• %User Temp%\tmp{random}.tmp.bat → terminate itself and delete sample

(注意: %User Temp% 是当前用户的 Temp 文件夹。通常位于 C:\Documents and Settings\{user name}\Local Settings\Temp (Windows 2000(32-bit)、XP 和 Server 2003(32-bit))、C:\Users\{user name}\AppData\Local\Temp (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit) 和 10(64-bit)。)

它添加下列进程：

• %System%\cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
• %System%\cmd.exe /C wbadmin delete catalog -quiet
• takeown /f \"%System%\smartscreen.exe\" /a
• icacls \"%System%\smartscreen.exe\" /reset → takes ownership of the application and resets the Access Control Lists
• taskkill /im smartscreen.exe /f → terminates the application
• icacls \"%System%\smartscreen.exe\" /inheritance:r /remove * S - 1 - 5 - 32 - 544 * S - 1 - 5 - 11 * S - 1 - 5 - 32 - 545 * S - 1 - 5 - 18 → removes permission from the specified security identifier to access smartscreen.exe
• %User Temp%\SystemPropertiesProtection.exe

(注意: %System% 是 Windows 的 system 文件夹，通常位于 C:\Windows\System (Windows 98 和 ME)、C:\WINNT\System32 (Windows NT 和 2000) 和 C:\WINDOWS\system32 (Windows 2000(32-bit)、XP、Server 2003(32-bit)、Vista、7、8、8.1、2008(64-bit),2012(64bit) 和 10(64-bit))。. %User Temp% 是当前用户的 Temp 文件夹。通常位于 C:\Documents and Settings\{user name}\Local Settings\Temp (Windows 2000(32-bit)、XP 和 Server 2003(32-bit))、C:\Users\{user name}\AppData\Local\Temp (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit) 和 10(64-bit)。)

如果在受感染系统的内存中发现下列进程，它将终止自己:

• csfalconservice
• csfalconcontainer
• processhacker
• netstat
• netmon
• tcpview
• wireshark
• filemon
• regmon
• cain
• eguiproxy
• devenv
• ekrn
• rsenginesvc
• fcdblog
• fcappdb
• fortisettings
• fortiesnac
• fortitray
• fsguistarter
• fshoster32

信息窃取

它收集下列数据:

• Username
• System Locale
• List of Antivirus Products
• List of MAC Address
• Hostname

其他详细信息

该程序执行以下操作：

• It sets the attributes of itself to SYSTEM and HIDDEN.
• It terminates itself if the time zone is the following:
  • RU - Russia
  • KZ - Kazakhstan
  • BY - Belarus
  • AM - Armenia
  • AZ - Azerbaijan
  • KG - Kyrgyzstan
  • MD - Moldova
  • TJ - Tajikistan
  • TM - Turkmenitan
  • UZ - Uzbekistan
• It terminates itself if the language of the affected machine is the following:
  • Ukrainian
  • Belarusian
  • Azerbaijani
  • Armenian
  • Georgian
  • Uzbek
  • Russian
  • Kazakh
• It terminates itself if the following network monitoring tools were found in the system:
  • HTTPDebuggerBrowser.dll
  • FiddlerCore4.dll
  • RestSharp.dll
  • Titanium.Web.Proxy.dll
• It checks for the presence of a debugger
• It checks if the sample is running in a 64-bit environment.
• It deletes the original file after encryption.
• It terminates itself if the following prefix of MAC addresses were found in the system:
  • 000C29 - VMWare Inc.
  • 001C14 - Cisco Systems
  • 005056 - VMWare Inc.
  • 000569 - Intel
  • 080027 - VMWare, Inc
  • 000001 - Xerox Corporation
• It terminates itself if the following GUID is found in the system:
  • 4040CF00-1B3E-486A-B407-FA14C56B6FC0
• It restarts the system after file encryption.
• It terminates itself if the following registry entry was found in the system:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
    {data} = C:\ANYRUN