Mac.Trojan.KeRanger.2

Added to the Dr.Web virus database: 2016-03-09

Virus description added:

SHA1:

  • fd1f246ee9effafba0811fd692e2e76947e82687 (upx)
  • 689cf98c54357d90527a38d922412c04a7107a89 (unpacked)

A ransomware Trojan for OS X, first detected in a compromised version of the installer for a popular OS X torrent client that was distributed as a DMG file. The malicious application was signed with a valid Mac app development certificate and therefore passed Apple’s Gatekeeper checks. It can run with either user or root privileges. Once launched, the Trojan deletes its original file and creates the following files:

  • ~/Library/.kernel_pid—contains the PID of the Trojan’s process;
  • ~/Library/.kernel_time—contains the time at which the Trojan was first launched (three days after that time, the Trojan starts encrypting files);
  • ~/Library/.kernel_complete—contains the line “do not touch this\n”. It is created once files have been successfully encrypted.

Three days after first launch, the Trojan connects to one of three C&C servers via the Tor network and sends a request of the following form:

Lcl******ohlkcml.onion/osx/ping?user_id=general&uuid=hwid&model=hw_model

Where:

  • hw_model—device model;
  • hwid—a SHA256 hash computed from the IOPlatformUUID and IOPlatformSerialNumber values.

The server replies with two Base64-encoded lines: a public RSA key and a file containing the cybercriminals’ demands.

Files are encrypted with the AES-CBC-256 algorithm.

The Trojan first encrypts files in the “/Users” folder, skipping those created by the malware itself: ".encrypted", "README_FOR_DECRYPT.txt", ".kernel_pid", ".kernel_time", and ".kernel_complete".

Files under “/Volumes” are encrypted only if their extension appears in the Trojan’s list of 313 file extensions.

Once a file is encrypted, the malware restores the creation and modification timestamps the file had before encryption. It also restores the file’s previous access permissions.

The malware’s distinguishing features are that it appends the “.encrypted” extension to every encrypted file and drops a “README_FOR_DECRYPT.txt” file into every directory.

Doctor Web security researchers have developed a new technique that, in most cases, can help decrypt files compromised by the malware.
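The host artifacts listed above (the three marker files under ~/Library, the “.encrypted” suffix and the ransom note) are enough for a quick incident-response triage of a Mac. The script below is an added example written for this page, not Doctor Web’s tooling; it checks for those artifacts and uses the three-day timer to tell a dormant infection from one that has already encrypted data. It assumes .kernel_time holds Unix epoch seconds, which the description does not state, and builds a constructed fixture in a temporary directory so it runs offline.

```python
import os
import tempfile
import time
from pathlib import Path

# Artifacts the description above attributes to KeRanger.2.
MARKER_FILES = (".kernel_pid", ".kernel_time", ".kernel_complete")
NOTE_NAME = "README_FOR_DECRYPT.txt"
ENCRYPTED_SUFFIX = ".encrypted"
ENCRYPT_DELAY = 3 * 24 * 3600  # encryption starts three days after first launch

def triage(home, scan_root, now=None):
    """Check <home>/Library for the marker files, evaluate the three-day timer and
    count ransom notes / .encrypted files under scan_root. Returns a findings dict.
    Assumption (not stated on the page): .kernel_time holds Unix epoch seconds."""
    now = time.time() if now is None else now
    lib = Path(home) / "Library"
    markers = {name: (lib / name).is_file() for name in MARKER_FILES}
    raw = (lib / ".kernel_time").read_text().strip() if markers[".kernel_time"] else ""
    timer_elapsed = now - int(raw) >= ENCRYPT_DELAY if raw.isdigit() else None
    notes = encrypted = 0
    for _root, _dirs, files in os.walk(scan_root):
        notes += sum(f == NOTE_NAME for f in files)
        encrypted += sum(f.endswith(ENCRYPTED_SUFFIX) for f in files)
    verdict = "clean"
    if encrypted or notes or markers[".kernel_complete"]:
        verdict = "encrypted"  # damage done: isolate host, preserve artifacts, restore from backup
    elif any(markers.values()):
        verdict = "armed" if timer_elapsed else "dormant"  # infected, encryption not observed yet
    return {"markers": markers, "timer_elapsed": timer_elapsed,
            "notes": notes, "encrypted": encrypted, "verdict": verdict}

def demo(launched_ago, post_encryption):
    """Build a constructed fixture (home dir + data dir) in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        home, data = Path(tmp) / "home", Path(tmp) / "Users"
        (home / "Library").mkdir(parents=True)
        data.mkdir()
        (home / "Library" / ".kernel_pid").write_text("4242\n")  # constructed PID
        (home / "Library" / ".kernel_time").write_text(str(int(time.time() - launched_ago)))
        if post_encryption:
            (home / "Library" / ".kernel_complete").write_text("do not touch this\n")
            (data / "report.docx.encrypted").write_bytes(b"\x00" * 16)  # constructed sample
            (data / NOTE_NAME).write_text("[constructed ransom note]")
        return triage(home, data)

if __name__ == "__main__":
    print(demo(launched_ago=86400, post_encryption=False))       # one day in: dormant
    print(demo(launched_ago=4 * 86400, post_encryption=True))    # after day three: encrypted
```

On a real Mac, run `triage(Path.home(), "/Users")` (and "/Volumes") instead of `demo`; a "dormant" or "armed" result means the marker files exist but no encrypted files were found yet, so the host should be isolated before the timer expires.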

Curing recommendations


macOS

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

© Doctor Web 2003 — 2019