Aliases: Mal/Generic-A, Trojan:Win32/Embhit.C, Trojan-Ransom.Win32.Gpcode.at, W32/Ransom.worm.a, Trojan-Ransom.Win32
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 25 Nov 2008
Damage: Medium

Characteristics: W32.Randsom.A is a worm that infects Windows systems. It propagates by copying itself to fixed, removable and network drives. It encrypts files and prompts the user to purchase a tool to decrypt them. It may also steal information from the infected computer. It causes medium damage and is easy to remove.

More details about W32.Randsom.A

The worm W32.Randsom.A arrives on the computer as the file rememberthis.exe. When it is executed, the worm copies itself as the following files: lsass.exe, NeroDigit16.inf, services.exe, and UNINSTLV16.exe. It also drops the file NeroDigit32.inf, and drops and executes the file errir.exe, which displays a fake message that reads: “Win32 Application - Not Responding…” It also creates the file ulodb3.ini. The worm modifies the registry to ensure that it runs every time Windows starts. It copies itself to all fixed, removable and network drives as the files Skype.exe and Uninstall.exe, and writes an autorun.inf file to those drives so that it is launched when a removable device is connected to another computer. To steal information from the infected computer, the worm drops the file feedback.html. The stolen information is sent to a remote attacker using a predetermined URL.
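The following is an added example, not part of the original entry and not a vendor tool: a small offline triage helper that flags the file names the description above attributes to W32.Randsom.A and parses an autorun.inf to see whether it would launch one of the names the worm copies to drives. The sample paths and the autorun.inf text are constructed for illustration; the exemption for lsass.exe and services.exe in C:\Windows\System32 is this example's own assumption (those are legitimate Windows binaries there, and the page only says the worm copies itself under those names, not where).

```python
import configparser
import ntpath

# File names taken from the description above (compared case-insensitively).
DROPPED_ON_HOST = {
    "rememberthis.exe", "lsass.exe", "nerodigit16.inf", "services.exe",
    "uninstlv16.exe", "nerodigit32.inf", "errir.exe", "ulodb3.ini",
    "feedback.html",
}
# Names the worm copies to fixed, removable and network drives.
DROPPED_ON_DRIVES = {"skype.exe", "uninstall.exe", "autorun.inf"}

# Assumption of this example: the real lsass.exe / services.exe live in
# System32, so only copies of those names elsewhere are worth flagging.
LEGIT_SYSTEM_BINARIES = {"lsass.exe", "services.exe"}
SYSTEM32 = "c:\\windows\\system32"


def flag_paths(paths):
    """Return the paths whose base name matches an indicator from the entry."""
    hits = []
    for p in paths:
        directory, name = ntpath.split(p)
        lname = name.lower()
        ldir = directory.lower().rstrip("\\")
        if lname in LEGIT_SYSTEM_BINARIES and ldir == SYSTEM32:
            continue  # expected location of the genuine Windows binaries
        if lname in DROPPED_ON_HOST or lname in DROPPED_ON_DRIVES:
            hits.append(p)
    return hits


def autorun_targets(text):
    """Return the (lower-cased) commands an autorun.inf would run via open= / shellexecute=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue  # [autorun] and [AutoRun] both occur in practice
        for key in ("open", "shellexecute"):
            if cp.has_option(section, key):
                value = cp.get(section, key).strip().lower()
                if value:
                    targets.append(value)
    return targets


def autorun_is_suspicious(text):
    """True if the autorun.inf launches a file name the worm drops on drives."""
    for target in autorun_targets(text):
        executable = ntpath.basename(target.split()[0])
        if executable in DROPPED_ON_DRIVES:
            return True
    return False


# Constructed sample data for a stand-alone run.
SAMPLE_PATHS = [
    r"C:\Windows\System32\lsass.exe",               # legitimate, not flagged
    r"C:\Users\alice\AppData\Local\Temp\lsass.exe",  # copy outside System32
    r"E:\Skype.exe",                                 # worm copy on a removable drive
    r"E:\autorun.inf",
    r"C:\Program Files\Nero\nero.exe",               # unrelated, not flagged
]

SAMPLE_AUTORUN = "[autorun]\nopen=Skype.exe\nicon=Skype.exe,0\naction=Open folder to view files\n"

if __name__ == "__main__":
    for hit in flag_paths(SAMPLE_PATHS):
        print("indicator file:", hit)
    print("autorun.inf suspicious:", autorun_is_suspicious(SAMPLE_AUTORUN))
```

The helper only matches file names, so it is a quick first pass over a file listing or a mounted removable drive image, not a replacement for a scanner; any hit on a drive root plus an autorun.inf pointing at Skype.exe or Uninstall.exe is the combination worth following up.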

The presence of W32.Randsom.A on the user’s computer may cause sudden shutdowns and restarts of the compromised computer. Repeated restarts without the user’s command may lead to a system crash. This application uses exploits to enter a computer. It is installed without the user’s consent, stays resident on the affected computer, and launches at each start-up.