
Virus Messenger - Worm blackmails users

The Randsom.A worm paralyzes infected computers by encrypting the files stored on them and then tries to extort money from their owners.

Symantec and the Isidor Security Center reported that another blackmail worm has begun to spread. After creating some files and modifying the registry, the malware, named Randsom.A, starts collecting confidential information, which it uploads over the Internet to a predefined remote server. The worm then encrypts the files in the Windows and Program Files directories and in other locations that are important to the operation of Windows, and tries to persuade the user to buy the software needed to decrypt the files. Randsom.A tries to reach as many computers as possible through removable drives and network shares.


When the Randsom.A worm starts, it performs the following actions:

  1. It creates the following files:
    %Windir%\lsass.exe
    %Windir%\NeroDigit16.inf
    %Windir%\services.exe
    %Windir%\UNINSTLV16.exe
    %Windir%\NeroDigit32.inf
    %Temp%\errir.exe
  2. It displays a message window with the text “Win32 Application – Not responding” in the title bar.
  3. It creates the following file:
    %Windir%\ulodb3.ini
  4. It adds the following entries to the registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\
    Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\
    "StubPath" = "%Windir%\UNINSTLV16.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\
    Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\
    "StubPath" = "%Windir%\UNINSTLV16.exe"
  5. It copies the following three files to each removable and network drive:
    %DriveLetter%\tg_root\Skype.exe
    %DriveLetter%\tg_root\Uninstall.exe
    %DriveLetter%\autorun.inf
  6. It creates the following file:
    %UserProfile%\feedback.html
  7. It collects confidential data and transmits it to a predefined remote server.
  8. It encrypts the following directories and the files in them:
    %Windir%
    %UserProfile%
    %ProgramFiles%
    %SystemDrive%\Boot
    %SystemDrive%\ProgramData\Microsoft
    %SystemDrive%\users\All Users\Microsoft
    Encrypted files are given a .XNC extension.
    The worm does not encrypt files with any of the following extensions:
    .COM
    .CAB
    .COM
    .DLL
    .THIS
    .LNK
    .LOG
    .REG
    .SYS
    .XNC
  9. It creates the following files:
    %SystemDrive%\[path]\READ THIS.txt
    %SystemDrive%\[path]\!!!! READ THIS !!!!.txt
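The indicators above (dropped files, the Active Setup StubPath persistence, the autorun.inf spreader on removable drives, the .XNC extension and the ransom notes) are what a responder would check for on a suspect host. The following is an added example, not code from the article, from Symantec or from the Isidor Security Center: it turns those published indicators into small triage checks over a collected file listing, exported registry values and an autorun.inf body. The sample paths, the environment-variable mapping and the autorun.inf text at the bottom are constructed for the demonstration; the function names are this example's own.

```python
"""Host triage checks built from the Randsom.A indicators in the writeup (added example)."""
import re
from collections import Counter

# File indicators as published, with %Var% placeholders left unexpanded.
DROPPED_FILES = [
    r"%Windir%\lsass.exe", r"%Windir%\NeroDigit16.inf", r"%Windir%\services.exe",
    r"%Windir%\UNINSTLV16.exe", r"%Windir%\NeroDigit32.inf", r"%Temp%\errir.exe",
    r"%Windir%\ulodb3.ini", r"%UserProfile%\feedback.html",
]
# Files the worm copies to removable/network drives; the first two are what autorun.inf launches.
SPREADER_FILES = [r"tg_root\Skype.exe", r"tg_root\Uninstall.exe", "autorun.inf"]
STUBPATH_TARGET = r"%Windir%\UNINSTLV16.exe"   # value written to both Active Setup StubPath entries
ENCRYPTED_EXT = ".xnc"
RANSOM_NOTES = {"read this.txt", "!!!! read this !!!!.txt"}


def expand(path, env):
    """Replace %Var% placeholders from a caller-supplied mapping (case-insensitive keys)."""
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lower.get(m.group(1).lower(), m.group(0)), path)


def match_dropped_files(present, env):
    """Return the published indicator paths that occur in `present` (absolute paths from a listing)."""
    have = {p.lower() for p in present}
    return [ind for ind in DROPPED_FILES if expand(ind, env).lower() in have]


def suspicious_stubpaths(stubpaths, env):
    """Given {Active Setup key: StubPath value}, return the keys whose StubPath is the worm's launcher."""
    target = expand(STUBPATH_TARGET, env).lower()
    return [k for k, v in stubpaths.items() if expand(v, env).strip('"').lower() == target]


def parse_autorun(text):
    """Parse an autorun.inf body; return its launch targets and those that name the worm's spreader."""
    targets = []
    for line in text.splitlines():
        m = re.match(r"\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(.+)", line, re.I)
        if m:
            targets.append(m.group(2).strip().strip('"'))
    flagged = [t for t in targets if any(t.lower().endswith(s.lower()) for s in SPREADER_FILES[:2])]
    return {"targets": targets, "flagged": flagged}


def encryption_summary(paths):
    """Count .XNC files per top-level directory and collect ransom-note paths from a file listing."""
    per_dir = Counter()
    notes = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        if name.lower().endswith(ENCRYPTED_EXT):
            per_dir["\\".join(p.split("\\")[:2])] += 1
        elif name.lower() in RANSOM_NOTES:
            notes.append(p)
    return {"xnc_per_dir": dict(per_dir), "notes": notes}


# Constructed sample data for a stand-alone run; on a real host these would come from a file listing,
# a registry export and the autorun.inf of a mounted removable drive.
SAMPLE_ENV = {"Windir": r"C:\Windows", "Temp": r"C:\Users\alice\AppData\Local\Temp",
              "UserProfile": r"C:\Users\alice"}
SAMPLE_FILES = [r"C:\Windows\UNINSTLV16.exe", r"C:\Windows\explorer.exe",
                r"c:\users\alice\feedback.html", r"C:\Windows\notepad.exe.xnc",
                r"C:\Windows\System32\drivers\etc\hosts.xnc", r"C:\Program Files\READ THIS.txt"]
SAMPLE_STUBPATHS = {
    r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}":
        r"%Windir%\UNINSTLV16.exe",
    r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{example-legit}": r"C:\Windows\System32\ie4uinit.exe",
}
SAMPLE_AUTORUN = "[autorun]\nopen=tg_root\\Skype.exe\nicon=tg_root\\Skype.exe,0\n"

if __name__ == "__main__":
    print("dropped files:", match_dropped_files(SAMPLE_FILES, SAMPLE_ENV))
    print("StubPath persistence:", suspicious_stubpaths(SAMPLE_STUBPATHS, SAMPLE_ENV))
    print("autorun.inf:", parse_autorun(SAMPLE_AUTORUN))
    print("encryption:", encryption_summary(SAMPLE_FILES))
```

The matching is deliberately exact against the published paths; the .XNC count per directory is the quickest way to confirm the encryption stage has run, and the StubPath check is the one to add to persistence review, since Active Setup entries are executed at logon and are easy to overlook.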
