Trojan.Oshidor
Posted: December 11, 2013
Threat Metric
The following fields, which appear on the Threat Meter with a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. The criteria for the Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 9/10 |
|---|---|
| Infected PCs: | 28 |
| First Seen: | December 11, 2013 |
| Last Seen: | September 3, 2022 |
| OS(es) Affected: | Windows |
Trojan.Oshidor is a file encryption Trojan that specializes in modifying files to make them unusable, with the overall purpose of extracting a ransom from the PC user in exchange for restoring the files to normal. Since Trojan.Oshidor only targets a small subset of overall file types, making backups of important documentation is the easiest way to thwart Trojan.Oshidor's attacks; even if you pay Trojan.Oshidor's ransom, there's no guarantee that the criminals will give you the associated decryption key. Malware experts recommend deleting Trojan.Oshidor, like any high-level PC threat, with a robust anti-malware program before attempting any of several ways of recovering the affected documents.
The Trojan that's an Office Worker's Nightmare
Trojan.Oshidor has joined the ranks of the few ransomware-based Trojans that can back up their threats with file-encrypting attacks, alongside such threats as Trojan.Ransomcrypt.E, 'FBI System Failure' Ransomware and 'Everything On Your Computer Has Been Fully Encrypted' Ransomware. Identified in late November of 2013, Trojan.Oshidor has a primary purpose of blocking your access to major document files, and a secondary purpose of forcing you to pay money before Trojan.Oshidor (in theory) gives you the password to reverse its encryption attack. However, this encryption attack doesn't do any permanent damage to the affected files and should be reversible with the assistance of good freeware decryption utilities. Malware experts emphasize that many of these utilities are provided by various PC security companies for this exact purpose.
File types affected by Trojan.Oshidor attacks include Notepad's TXT, Word's DOC, Adobe's PDF, Powerpoint's PPT and Oracle's Java JS, among others. JPG files also are targeted, although most other image file types don't appear to be of interest to Trojan.Oshidor. The original files actually are deleted by Trojan.Oshidor after Trojan.Oshidor creates encrypted copies, thus ensuring that its victims can't ignore the encrypted files and recover the original content easily. Because many of these file types are of particular relevance to business systems, malware researchers suspect that Trojan.Oshidor is being distributed in targeted attacks against office employee PCs. However, Trojan.Oshidor is just as able to compromise a Windows computer that's used for casual purposes.
After this fairly substantial attack, the rest of Trojan.Oshidor's payload is comparatively minor. Trojan.Oshidor loads a pop-up requesting money for the decryption password, and also will automatically terminate some Windows programs, such as the Registry Editor and Task Manager. So far, Trojan.Oshidor doesn't appear to target anti-malware products, which is an oversight that works in your favor.
Seeing an Oshidor Trojan out the Door
Up to this time, Trojan.Oshidor only has been seen on a very limited number of sites. As long as you don't engage in risky Web-surfing behavior and use all relevant means to protect your browser from drive-by-download attacks or other infection vectors, the possibility of a Trojan.Oshidor infection is fairly remote. Nonetheless, once Trojan.Oshidor does infect your computer, its capacity for damage is quite high. Regardless of the nature of the files encrypted by Trojan.Oshidor, deleting Trojan.Oshidor with anti-malware software always should be one of the first actions you undertake to resolve a Trojan.Oshidor infection.
PC users who have the savvy or simply the paranoia to back their files up to remote locations regularly will find it easy to ignore Trojan.Oshidor's encryption attack almost entirely. If you do need to recover files that have been encrypted, the use of reputable decryption software from a reliable vendor is encouraged over hoping that Trojan.Oshidor's criminals will be kindhearted enough to hand over a password in return for your money.
Technical Details
File System Modifications
The following files were created in the system:

| File name | Mime Type | Group |
|---|---|---|
| %UserProfile%\Application Data\[FIVE RANDOM CHARACTERS OR NUMBERS].exe | unknown/exe | Malware file |
| %UserProfile%\Application Data\textnote.txt | unknown/txt | Malware file |
| %UserProfile%\Application Data\textnote.txt.oshit | unknown/oshit | Malware file |
| [ORIGINAL FILE NAME].oshit | unknown/oshit | Malware file |
| Razblokirovka_failov.txt | unknown/txt | Malware file |
Registry Modifications

Values:

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"EpsonPLJDriver" = "%UserProfile%\Application Data\[FIVE RANDOM CHARACTERS OR NUMBERS].exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"email" = "[VALUE RECEIVED FROM C&C SERVER]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"id" = "[VALUE RECEIVED FROM C&C SERVER]"

Subkeys:

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
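As an added example (not code from the original page or from SpyHunter), the following Python triage helper checks the file-system and registry indicators listed in the two sections above: it classifies file paths by the `.oshit` extension and the dropped note names, and parses a `reg export` text dump for the `EpsonPLJDriver` Run value and the Winlogon `email`/`id` values. The sample export, the `ab12c.exe` dropper name and the placeholder values are constructed; in practice the paths come from `os.walk()` over a profile copy or a mounted image.

```python
import re

# Indicators taken from the page: persistence value, Winlogon values, dropped
# file names and the extension appended to encrypted copies.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_VALUE, WINLOGON_VALUES = "EpsonPLJDriver", ("email", "id")
NOTE_NAMES = {"razblokirovka_failov.txt", "textnote.txt", "textnote.txt.oshit"}
ENC_SUFFIX = ".oshit"

def classify_paths(paths):
    """Split file paths into Oshidor encrypted copies (*.oshit) and dropped notes."""
    hits = {"encrypted": [], "notes": []}
    for p in paths:
        name = re.split(r"[\\/]", p)[-1].lower()  # Windows or POSIX separators
        if name in NOTE_NAMES:
            hits["notes"].append(p)
        elif name.endswith(ENC_SUFFIX):
            hits["encrypted"].append(p)
    return hits

def parse_reg_export(text):
    """Minimal parser for a `reg export` dump: {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            # .reg string data doubles backslashes; undo that for readable output.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def check_registry(reg_text):
    """Return (key, value_name, data) for each page indicator present in the export."""
    keys = parse_reg_export(reg_text)
    found = []
    if RUN_VALUE in keys.get(RUN_KEY, {}):
        found.append(("Run", RUN_VALUE, keys[RUN_KEY][RUN_VALUE]))
    for v in WINLOGON_VALUES:
        if v in keys.get(WINLOGON_KEY, {}):
            found.append(("Winlogon", v, keys[WINLOGON_KEY][v]))
    return found

# Constructed sample export; the dropper name and the two values are placeholders.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"EpsonPLJDriver"="C:\\Documents and Settings\\victim\\Application Data\\ab12c.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"email"="placeholder@example.invalid"
"id"="placeholder-id"
"""
```

A Run value named `EpsonPLJDriver` pointing into `Application Data`, together with the two Winlogon values, is the persistence signature to look for; the `.oshit` copies tell you which originals were deleted.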