Friday, May 15, 2015

Analysis of the ransom/infector W32_VirRnsm.A

There are lot of ransomware families around the world, however, since long time ago, they contain no new interesting features. VirRnsm.A is a malware that mixes characteristics of ransomwares and infectors. It is a ransomware capable to infect executable files (or an infector capable to encrypt your files). Technically, It doesn’t seem a great malware, but it is worth a look because, from my point of view, in the future we are going to start to see a lot of malwares of this type. Ransomware’s behaviour could end up being a payload of worms and infectors, rather than a malware by itself.

In spite of the fact that VirRnsm.A is an evolution in the ransoms world, probably, it would have spread itself faster if the malware, after infecting files, didn’t block the screen, showing a rescue message and revealing itself. Instead, imagine a worm or infector (a conficker, a sality,…), that arrives to a machine and hides itself with stealth techniques, trying to spread itself as much as possible, and waiting for a date to execute its payload (payload with ransomware behaviour). It could be a enormous chaos.

Here you can watch a short capture of the malware infecting a machine:

When VirRnsm.A is executed in a new machine, it dumps three executables with random names. One of them in a subfolder of %homepath% with random name, and two in different subfolders of %programdata% with random names too. It dumps some bats and an .vbs file too, to %temp%, related to cleaning tasks:



echo WScript.Sleep(50)>%TEMP%/file.vbs
cscript %TEMP%/file.vbs
del /F /Q file.js
del /F /Q %1
del /F /Q %0
Later it executes those three dumped executables that we said. One of these executables start to walk the file system searching for files to infect. When it finds executables or some types of noPE files (jpg, pdf, …), it extracts the original icon from the target file, and it creates a new executable with the name of the target (adding .exe extension if the target is not an executable) and the original icon of the it. The new executable contains the code of the malware and the original file encrypted.

The new executable is packed with a polymorphic layer, and it contains a big .text section where the malware code and the original file are stored, and a .rsrc section that it uses to store the original file icon. If we go to the entry point we can see the polymorphic layer of the ransom. It seems to have a not very complex polymorphic engine, it generates lot of trash, almost no jumps and not very realistic code:

When the ransom ends up of encrypting files, it executes other of the three dumped executables, and this executable blocks the screen with a message like this:

If you executed some of the infected files (exe, jpg,… or any) , it does exactly the same actions (infect the new machine), and, in case that it was a noPE, i.e a jpg file, it shows the original file. In this way it seems the file wasn’t infected. Here is a short capture of a infected file running:

The video shows how the infected files, when they are executed, infect the machine and later show the original file. This ransom stores the key to decrypt the files into the infected binary, so the decryption is possible. I.e Windows Defender was able to decrypt some samples that i donwloaded from

The conclusion is this malware seems to be not very complex and it is not introducing very new techniques, from the point of view of ransomware as from the point of view of infectors. However it is an advice of the dangerous future that we can start to find in the ransomwares world.

No comments:

Post a Comment