Although VirRnsm.A is an evolution in the ransomware world, it would probably have spread faster if the malware, after infecting files, did not lock the screen, display a ransom message and reveal itself. Imagine instead a worm or file infector (a Conficker, a Sality, ...) that reaches a machine, hides itself with stealth techniques, tries to spread as much as possible and waits for a date to execute its payload (a payload with ransomware behaviour). It could cause enormous chaos.
Here you can watch a short capture of the malware infecting a machine:
When VirRnsm.A is executed on a new machine, it drops three executables with random names: one in a randomly named subfolder of %homepath%, and two in different randomly named subfolders of %programdata%. It also drops some .bat files and a .vbs file into %temp%, related to cleanup tasks:
echo WScript.Sleep(50)>%TEMP%/file.vbs
cscript %TEMP%/file.vbs
del /F /Q file.js
del /F /Q %1
del /F /Q %0

Later it executes the three dropped executables mentioned above. One of them starts walking the file system looking for files to infect. When it finds executables or certain types of non-PE files (jpg, pdf, ...), it extracts the original icon from the target file and creates a new executable with the target's name (adding the .exe extension if the target is not an executable) and the target's original icon. The new executable contains the malware code and the original file, encrypted.
The new executable is packed with a polymorphic layer. It contains a large .text section where the malware code and the original file are stored, and a .rsrc section used to store the original file's icon. If we go to the entry point we can see the ransomware's polymorphic layer. The polymorphic engine does not seem very complex: it generates a lot of junk instructions, almost no jumps and not very realistic code:
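As an added example (not code from the original post), a small Python triage script that checks a file for the two traits described above: a non-PE name with .exe appended, and a PE whose .text section holds almost the whole file next to a .rsrc icon section. The extension list, the 0.8 size ratio and the constructed sample images are assumptions made for this example, not values taken from the malware.

```python
import struct

NON_PE_EXT = (".jpg", ".jpeg", ".png", ".pdf", ".doc", ".txt")  # assumed list of targeted non-PE types

def parse_sections(data):
    """Return [(name, raw_size, raw_ptr), ...] from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section headers follow the optional header
    out = []
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size, raw_ptr))
    return out

def triage(filename, data, text_ratio=0.8):
    """Return the VirRnsm-style traits found in one file; an empty list means nothing matched."""
    reasons = []
    stem, _, last = filename.lower().rpartition(".")
    if last == "exe" and stem.endswith(NON_PE_EXT):  # e.g. photo.jpg.exe
        reasons.append("non-PE extension followed by .exe")
    sizes = {name: raw_size for name, raw_size, _ in parse_sections(data)}
    if ".rsrc" in sizes and sizes.get(".text", 0) >= text_ratio * len(data):
        reasons.append(".text holds most of the file next to a .rsrc icon section")
    return reasons

def build_sample_pe(sections):
    """Constructed minimal PE32 image (headers plus zero-filled sections), not a real binary."""
    opt = bytes(224)  # optional header size for PE32; contents are irrelevant here
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdr_len = 0x40 + 4 + len(coff) + len(opt) + 40 * len(sections)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew -> PE signature at 0x40
    table, ptr = b"", hdr_len
    for name, size in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), size, ptr, size, ptr, 0, 0, 0, 0, 0x60000020)
        ptr += size
    return dos + b"PE\0\0" + coff + opt + table + bytes(ptr - hdr_len)

INFECTED = build_sample_pe([(".text", 120_000), (".rsrc", 2_000)])  # constructed, shaped as described above
CLEAN = build_sample_pe([(".text", 20_000), (".data", 30_000), (".rsrc", 10_000)])  # constructed, ordinary layout

if __name__ == "__main__":
    for fname, image in (("holiday.jpg.exe", INFECTED), ("notepad.exe", CLEAN)):
        print(fname, triage(fname, image) or "no indicators")
```

The ratio check alone will also flag legitimate packed or self-extracting binaries, so it is a triage hint to combine with the naming check and the icon section, not a verdict.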
When the ransomware finishes encrypting files, it executes another of the three dropped executables, and this one locks the screen with a message like this:
If you execute any of the infected files (exe, jpg, ... or any other), it performs exactly the same actions (infects the new machine) and, if the original was a non-PE file, e.g. a jpg, it displays the original file. In this way it appears that the file was never infected. Here is a short capture of an infected file running:
The video shows how the infected files, when executed, infect the machine and then display the original file. This ransomware stores the key needed to decrypt the files inside the infected binary, so decryption is possible. For example, Windows Defender was able to decrypt some samples that I downloaded from malwr.com:
The conclusion is that this malware does not seem very complex and does not introduce really new techniques, either from the ransomware point of view or from the file-infector point of view. However, it is a warning of the dangerous future we may start to see in the ransomware world.