Short description
Win32/Bogoj.B is a worm that spreads via removable media. The file is run-time compressed using Astrum SFX.
Installation
When executed, the worm drops the following files in the %windir% folder:
- lsass.exe (77824 B)
- nerodigit16.inf (20480 B)
- services.exe (53248 B)
- uninstlv16.exe (32768 B)
The following file is dropped in the %temp% folder:
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{%variable%}]
"StubPath" = "%windir%\uninstlv16.exe"
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\torn.exe\torn]
"Directory" = "%program_files%\torn"
"Version" = "1.00"
"Uninstaller" = "%windir%\torn uninstaller.exe"
The worm displays a fake error message:
Spreading on removable media
The worm creates the following folders:
The following file is dropped in the same folder:
The worm creates the following file:
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Information stealing
Win32/Bogoj.B is a worm that steals passwords and other sensitive information. The data is saved in the following file:
- %userprofile%\feedback.html
The worm is able to log keystrokes. The worm can send the information to a remote machine. The worm contains a list of (1) URLs. The HTTP protocol is used.
Other information
The worm encrypts files on local disks. The extension of the encrypted files is changed to:
The worm deletes the original file. It avoids files which contain any of the following strings in their path:
- \%windir%\
- \Program Files\
- \Boot\
- \ProgramData\Microsoft\
- \Users\All Users\Microsoft\
It avoids files with the following extensions:
- .ini
- .sys
- .dll
- .log
- .com
- .bat
- .cab
- .lnk
- .xnc
- .reg
When searching the drives, the worm creates the following file in every folder visited:
It contains the following text:
- Hello,
- As you probably already noticed, your files on this Pc/laptop are
encrypted.
- That means you cant use them before you decrypt them.
- Decrypthing these files without password and proper software is
impossible.
- Im the only person in the world who has password and software you
need to decrypt your files.
- If you want to get ALL your files back to normal, that is,
- decrypt them, youll have to buy decryptor. To buy decrypting tool
contact me at: brandos87@yahoo.com or brandos87@gmail.com
- Ill reply within hour or two, and you can have your files back
within few minutes after that.
- Price for decryptor and password is low, so anyone affectet by my
encryptor could afford buying it.
- Ill also help you delete my encryptor, that you installed on this
machine without realizing that.
- Also note that most of your private informations is collected and
sent to me.
- In case you dont contact me, Ill sell your private informations
data (like email account logins, credit card numbers, paypal
account logins, etc).
- In case you do contact me and we reach agreement, Ill also remove
spying tool from your machine,
- and your private informations will be destroyed from my system.
- IMPORTANT:
- If you want to get your data back, do not remove or install
anything on this machine from now on, until you decrypt
- all your files.
- As I told you already, Ill reply in shortest possible time, most
probably minutes, or in worst case few hours after you send me
your message.
- Im sorry for trouble I caused you, but this is mostly your fault
:) .
- I hope we will solve your computer problem, and Im looking for
friendly relationship with you.
- Please be smart :=)
- Good day.
The worm creates the following files: