What is Spora Ransomware

Spora - the worm that is also ransomware

Behavior as a worm is similar to Dinihou and Gamarue

ZCryptor was already regarded as a combination of worm and ransomware because it spreads via an autorun.inf, but Spora goes one step further and borrows the techniques of Gamarue and Dinihou. AutoRun processing of autorun.inf on storage media was disabled seven years ago by an update for Windows XP and Windows Vista and is absent from Windows 7 onward, so this way of spreading via storage media no longer works for malware. Instead, like Dinihou and Gamarue, Spora relies on Windows shortcut files (file extension .LNK) to spread.

Spora sets the file attribute "Hidden" on all files and folders on the desktop as well as in the root directories of attached storage media and of the system drive. With the default settings of Windows Explorer these files and folders are no longer visible. So as not to arouse suspicion, Spora places next to each hidden element a shortcut with the same name and the same icon. Opening such a .LNK replacement behaves inconspicuously: the original file is opened as expected, but the malware is started in the background as well. For example, the folder C:\Windows is hidden and a file named C:\Windows.lnk is created in its place. Because Explorer by default shows neither hidden items nor the .lnk extension, this looks exactly like the real folder.

The .LNK files use the following command line to both open the original item and run the worm. If the original item is a folder, it is displayed in Windows Explorer as usual:

/c explorer.exe "" & type "" > "%%tmp%%\" & start "" "%%tmp%%\"

The path of the original item, of the hidden worm copy and of the temporary file are substituted into the quoted arguments for each shortcut; "type" copies the hidden worm body into the %tmp% directory and "start" executes it from there.

The worm copies itself as a hidden file into the same directory as the .LNK files. The file name is derived from the CRC32 checksum of the VolumeSerialNumber and follows the pattern %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02 (see address 0x405492; the tail of the pattern is reproduced here incompletely, the resulting names end in a twelve-digit group). The malicious file is therefore named, for example, a277a133-ecde-c0f5-1591-ab36e22428bb.exe.
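The shortcut trick and the naming scheme above lend themselves to triage on a suspect drive: parse the StringData section of each .LNK file, check whether its command line has the explorer.exe / type / start shape described on this page, flag hidden items that have a same-named .lnk sibling, and flag hidden executables whose name has the 8-4-4-4-12 hex shape of the example. The following Python is an added example written for this page, not code from the original article, from G DATA or from the Spora sample. It implements the StringData part of the MS-SHLLINK format; the regular expression for the command line, the sample shortcut built by build_lnk (which carries only a relative path and arguments, no target ID list or LinkInfo), and the file names filled into the arguments are assumptions constructed for the example. The dropper-name check assumes all groups are lowercase hex, as in the page's example, and is a hint for combination with the other two signals, not proof on its own.

```python
import re
import struct
import uuid

# CLSID carried by every Shell Link header (MS-SHLLINK 2.1).
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# Shape of the Spora shortcut command line from this page: explorer.exe opens the original
# item, "type" copies the hidden worm into %tmp%, "start" runs it. Written for this example;
# %+ tolerates both "%tmp%" and the doubled "%%tmp%%" spelling.
SPORA_ARGS_RE = re.compile(
    r'^\s*/c\s+explorer\.exe\s+"[^"]*"\s*&\s*type\s+"[^"]*"\s*>\s*"%+tmp%+\\[^"]*"'
    r'\s*&\s*start\s+""\s+"%+tmp%+\\[^"]*"',
    re.IGNORECASE,
)

# 8-4-4-4-12 hex groups, the shape of a277a133-ecde-c0f5-1591-ab36e22428bb.exe (assumption).
DROPPER_NAME_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.exe$")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link (name, relative_path, working_dir,
    arguments, icon_location). Raises ValueError if the header is not a Shell Link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def is_spora_style_lnk(data: bytes) -> bool:
    """True if the shortcut's command line has the explorer/type/start shape."""
    try:
        args = parse_lnk_strings(data).get("arguments", "")
    except ValueError:
        return False
    return SPORA_ARGS_RE.search(args) is not None


def looks_like_spora_dropper_name(name: str) -> bool:
    return DROPPER_NAME_RE.match(name.lower()) is not None


def shadowed_entries(listing):
    """listing: iterable of (name, is_hidden) for one directory. Returns the hidden
    entries that have a same-named .lnk sibling, i.e. the C:\\Windows / C:\\Windows.lnk pair."""
    names = {name.lower() for name, _ in listing}
    return sorted(name for name, hidden in listing if hidden and name.lower() + ".lnk" in names)


def build_lnk(arguments: str, target_name: str = "Windows") -> bytes:
    """Constructed minimal Shell Link with only RelativePath and CommandLineArguments,
    enough to exercise the parser; it is not a byte-for-byte Spora shortcut."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))   # attributes, timestamps, size, icon, show, hotkey, reserved
    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(target_name) + string_data(arguments)


# Constructed sample: the page's command line with hypothetical file names filled in.
SAMPLE_NAME = "a277a133-ecde-c0f5-1591-ab36e22428bb.exe"
SAMPLE_ARGS = (f'/c explorer.exe "Windows" & type "{SAMPLE_NAME}" '
               f'> "%tmp%\\{SAMPLE_NAME}" & start "" "%tmp%\\{SAMPLE_NAME}"')
SAMPLE_LNK = build_lnk(SAMPLE_ARGS)
BENIGN_LNK = build_lnk('/c explorer.exe "Windows"')

if __name__ == "__main__":
    print("sample shortcut flagged:", is_spora_style_lnk(SAMPLE_LNK))
    print("benign shortcut flagged:", is_spora_style_lnk(BENIGN_LNK))
    print("shadowed:", shadowed_entries([("Windows", True), ("Windows.lnk", False),
                                         ("Users", False), ("Users.lnk", False)]))
```

On a real drive, feed the bytes of every *.lnk on the desktop and in the drive roots to is_spora_style_lnk and the directory listings (name plus Hidden attribute) to shadowed_entries; a hit on both, next to a hidden executable whose name passes looks_like_spora_dropper_name, is the pattern described above. The parser deliberately stops after StringData and ignores the ExtraData blocks, which are not needed for this check.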