MD5: 8bcc460ca4171cfe6165c3e10caf97fa
SHA1: e0baa7c10616df07ea66f9ab619db9ad8f117a76
SHA256: f71f38cd75489364681b20b657e133ac7dbfe4a76d4e95435ceae348227e28eb
SSDeep: 1536:hfeH3uuUCb/Pgb0Mxq4Pkp7qc0HUouqg33lbjbkgkT4d6cg1vJ069yDZ1andzX4q:suut/Pak7jqg33CPEd6pvJFMDEz4it
Size: 139264 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: WinterSoft
Created at: 2013-11-09 04:22:11

Summary:

Ransomware. Disables the compromised computer or restricts access to certain data so that the victim can no longer use it. The victim is expected to send payment to the hijacker to restore access to the blocked data or re-enable the system.

Payload

No specific payload has been found.

Process activity

The Ransomware creates the following process(es):

regsvr32.exe:532
rundll32.exe:1272
rundll32.exe:1584

File activity

The process regsvr32.exe:532 makes changes in the file system.
The Ransomware creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\qb1lafl.dss (147444 bytes)

The process rundll32.exe:1272 makes changes in the file system.
The Ransomware creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\lfal1bq.bxx (191372749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qb1lafl.dss (147444 bytes)

The process rundll32.exe:1584 makes changes in the file system.
The Ransomware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка\lfal1bq.lnk (704 bytes)

Registry activity

The process regsvr32.exe:532 makes changes in the system registry.
The Ransomware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 F4 07 B8 44 6D 79 71 9F 54 31 78 F3 3A E0 61"

The process rundll32.exe:1272 makes changes in the system registry.
The Ransomware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 CE EC D9 57 E4 B7 82 FF 18 D9 A1 13 FA DA 08"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

The process rundll32.exe:1584 makes changes in the system registry.
The Ransomware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 3F 94 32 C8 6C BE 5C EE F2 32 4C F8 9D 70 2A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
"My Pictures" = "%Documents and Settings%\%current user%\Мои документы\Мои рисунки"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Документы\Мои рисунки"
"CommonMusic" = "%Documents and Settings%\All Users\Документы\Моя музыка"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
"CommonVideo" = "%Documents and Settings%\All Users\Документы\Мои видеозаписи"
"Common Start Menu" = "%Documents and Settings%\All Users\Главное меню"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Главное меню"
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Screenshot

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   regsvr32.exe:532
   rundll32.exe:1272
   rundll32.exe:1584

2. Delete the original Ransomware file.
   
3. Delete or disinfect the following files created/modified by the Ransomware:
   

   %Documents and Settings%\All Users\Application Data\qb1lafl.dss (147444 bytes)
   %Documents and Settings%\All Users\Application Data\lfal1bq.bxx (191372749 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qb1lafl.dss (147444 bytes)
   %Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка\lfal1bq.lnk (704 bytes)

4. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.