A malicious program belonging to the family of encryption ransomware Trojans that encrypt files and demand a ransom for decryption of compromised data.
The malware can be distributed via targeted mass mailing with attachments. Once the Trojan is launched on the infected computer, it saves its copy under the name of svhost.exe in a system folder, modifies the system registry branch that manages the autorun list, and then runs the saved copy.
Trojan.Encoder.252 encrypts files only if an Internet connection is available. First, the malware searches all hard drives for files with the specified extensions (.jpg, .jpeg, .doc, .rtf, .xls, .zip, .rar, .7z, .docx, .pps, .pot, .dot, .pdf, .iso, .ppsx, .cdr, .php, .psd, .sql, .pgp, .csv, .kwm, .key, .dwg, .cad, .crt, .pptx, .xlsx, .1cd, .txt, .dbf) and saves their names in a separate file. Next, Trojan.Encoder.252 checks whether the servers to which it forwards the encryption key are reachable. If the malware cannot connect to the servers, a message appears on the screen asking the user to check the Internet connection settings. If encryption proceeds successfully, “Crypted” is appended to the names of the encrypted files. The Trojan also replaces the Windows Desktop wallpaper with an image that instructs the user how to unlock the computer.
Moreover, the Trojan generates the “ПРОЧТИЭТО.txt” file (PROCHTIETO.txt, Russian for “read this”) containing a unique ID for file decryption and saves it on the victim's computer.
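As an added illustration of how a responder would inventory the artifacts described above (example code written for this page, not Dr.Web's or the malware's own), the following Python walks a directory tree, picks out file names carrying the “Crypted” marker and the ПРОЧТИЭТО.txt note, and tallies the original extensions against the list given above. It assumes the marker is appended as a plain suffix (with or without a dot); the tree it scans is constructed in a temporary directory.

```python
import os
import tempfile
from collections import Counter

# Extensions the description lists as encryption targets.
TARGET_EXTS = set(("jpg jpeg doc rtf xls zip rar 7z docx pps pot dot pdf iso ppsx "
                   "cdr php psd sql pgp csv kwm key dwg cad crt pptx xlsx 1cd txt dbf").split())
MARKER = "Crypted"             # appended to the names of encrypted files
RANSOM_NOTE = "ПРОЧТИЭТО.txt"  # dropped note carrying the decryption ID

def original_name(name):
    """Pre-encryption name if `name` carries the marker, else None.
    Assumption: the marker is a plain suffix, with or without a dot."""
    if not name.endswith(MARKER):
        return None
    return name[: -len(MARKER)].rstrip(".") or None

def ext_of(name):
    return os.path.splitext(name)[1].lstrip(".").lower()

def triage(root):
    """Walk `root` and summarise the artifacts for an incident report."""
    encrypted, notes, unexpected = [], [], []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname == RANSOM_NOTE:
                notes.append(path)
                continue
            orig = original_name(fname)
            if orig is None:
                continue
            encrypted.append(path)
            if ext_of(orig) not in TARGET_EXTS:  # marker on a type the page does not list
                unexpected.append(path)
    by_ext = Counter(ext_of(original_name(os.path.basename(p))) for p in encrypted)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "unexpected": sorted(unexpected), "by_ext": dict(by_ext)}

def demo():
    """Build a constructed sample tree (not real victim data) and triage it."""
    root = tempfile.mkdtemp()
    for rel in ("docs/report.docCrypted", "docs/budget.xlsxCrypted", "docs/" + RANSOM_NOTE,
                "pics/holiday.jpgCrypted", "pics/notes.md", "pics/archive.bak.Crypted"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    return triage(root)
```

Files flagged under "unexpected" carry the marker on a type the description does not list and deserve a closer look before the report is written.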