
Ransom:Win32/Nymaim.F


Microsoft security software detects and removes this threat.

This threat can lock your PC and stop you from accessing your files. It shows you a "lock screen" that asks to pay money or provide your sensitive information to get access to your PC again.

It can be installed on your PC when you visit a malicious or hacked website, or when you click on a malicious link in a spam email.

You can read more about this type of threat on our ransomware page.


What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Technical information

Ransom:Win32/Nymaim.F belongs to a family of ransomware that includes components that download other malware and lock your PC.

These threats can be installed on your PC when you visit a malicious or hacked website, or when you click on a malicious link in a spam email.

Installation 

When run, Ransom:Win32/Nymaim.F drops a copy of itself into the %TEMP% folder as a .tmp file.

It then creates copies of itself in %APPDATA% and %windir% using random folder and file names, for example:

It modifies the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "<random string>", for example, "4ld5tr"
With data: "%APPDATA%\<random file name>.exe", for example, "%APPDATA%\hgo\vmaun.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%APPDATA%\<random file name>.exe,explorer.exe"

Payload

Injects malicious code into other processes

Ransom:Win32/Nymaim.F injects malicious code into other processes using CreateRemoteThread and WriteProcessMemory. As a result, known and trusted processes on an infected PC make HTTP requests on the malware's behalf, for example:

  • explorer.exe connecting to afkkcfjjg.biz at TCP port 80
  • explorer.exe connecting to gefesosexwithjimmy.org at TCP port 80
  • explorer.exe connecting to oiksixvj.net at TCP port 80
  • explorer.exe connecting to rvebpzja.net at TCP port 80
  • explorer.exe connecting to ykbjkuu.ru at TCP port 80

Other processes are also likely to make remote connections to multiple websites in the background.
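The connections described above are the practical starting point for triage: because the HTTP traffic comes from explorer.exe rather than from the dropped file, per-process network and DNS data are what expose it. The following is an added example of that check, not code from the Microsoft entry. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and Get-DnsClientCache; on older hosts the equivalent is "netstat -ano" plus "ipconfig /displaydns" with PIDs mapped by hand. The domain list is the one given in this entry and is 2014 infrastructure, so treat it as historical rather than current.

```powershell
# Added triage example, not part of the Microsoft entry. Assumes Windows 8 / Server 2012+
# (NetTCPIP and DnsClient cmdlets). Run from an elevated prompt.

# Domains listed in this entry (2014 infrastructure; C2 domains rotate).
$KnownNymaimDomains = @(
    'afkkcfjjg.biz', 'gefesosexwithjimmy.org', 'oiksixvj.net', 'rvebpzja.net', 'ykbjkuu.ru'
)

function Get-ProcessPort80Connections {
    param(
        [string]$ProcessName = 'explorer',   # the host process named in this entry
        [int[]]$RemotePorts  = @(80)
    )
    $ownerPids = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty Id)
    if ($ownerPids.Count -eq 0) { return @() }

    # Get-NetTCPConnection attributes each socket to its owning PID, which is how an
    # outbound port-80 connection gets tied back to explorer.exe rather than to a browser.
    Get-NetTCPConnection -OwningProcess $ownerPids -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in $RemotePorts -and $_.State -in @('Established', 'SynSent') } |
        ForEach-Object {
            [pscustomobject]@{
                Pid           = $_.OwningProcess
                Process       = $ProcessName
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
            }
        }
}

function Find-CachedNymaimDomains {
    param([string[]]$Domains = $KnownNymaimDomains)
    # The DNS client cache records what the host resolved recently regardless of which
    # process asked, which is the useful view once code has been injected into explorer.exe.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -in $Domains -or $_.Name -in $Domains } |
        Select-Object Entry, Name, Data, TimeToLive
}

# Usage:
Get-ProcessPort80Connections | Format-Table -AutoSize
Find-CachedNymaimDomains     | Format-Table -AutoSize
```

explorer.exe does make legitimate web connections on occasion (shell extensions, WebDAV, some thumbnail providers), so a port-80 connection from it is a lead rather than a verdict. The signal becomes strong when the remote host has no business purpose and the persistence indicators listed under Installation are also present on the machine.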

Locks your PC

Ransom:Win32/Nymaim.F can lock your PC screen, preventing you from using your PC or accessing your files. It can display a webpage fetched from the remote host contacted by the HTTP requests above. The webpage tells you that your PC is locked and that you must enter sensitive information or pay money to regain access to your PC.

Additional information

TrojanDownloader:Win32/Nymaim.C may download and install this threat.

We have also seen infected machines with traces of other malware, including:

A running process detected as Ransom:Win32/Nymaim.F might look like a legitimate application when its file version information is inspected, for example:

CompanyName: Faronics Corporation
FileDescription: Deep Freeze service
InternalName: DFServ.exe
LegalCopyright: Copyright © 1999-2013 Faronics Corporation
OriginalFilename: DFServEx.exe
ProductName: Deep Freeze

Further reading

Nymaim: Browsing for trouble

Analysis by Methusela Cebrian Ferrer


Symptoms

The following could indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Sets value: "<random string>", for example, "4ld5tr"
    With data: "%APPDATA%\<random file name>.exe", for example, "%APPDATA%\hgo\vmaun.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "Shell"
    With data: "%APPDATA%\<random file name>.exe,explorer.exe"
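The registry entries above (also described under Installation) and the borrowed Faronics version information under Additional information can be checked together: enumerate the two persistence locations, then inspect whatever executable they point at. The script below is an added example and is not part of the Microsoft entry. It assumes PowerShell 3.0 or later on Windows 7 or newer, an elevated prompt so HKLM and %windir% are readable, and that the "company name versus Authenticode signer" comparison is a heuristic for spotting a masquerade rather than a definitive test.

```powershell
# Added triage example, not part of the Microsoft entry. Assumes PowerShell 3.0+ on
# Windows 7 or later; run elevated.

function Get-NymaimPersistenceIndicators {
    $findings = @()
    $appData = [Environment]::GetFolderPath('ApplicationData')   # %APPDATA% of the current user only
    $winDir  = $env:windir

    # 1. Winlogon\Shell must be exactly "explorer.exe". This entry records the malware
    #    prepending its own copy ("<random>.exe,explorer.exe") so it starts with the desktop.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $first = (($shell -split ',')[0]).Trim().Trim('"')
        $findings += [pscustomobject]@{
            Location = "$winlogon\Shell"
            Value    = $shell
            Target   = [Environment]::ExpandEnvironmentVariables($first)
            Reason   = 'Winlogon Shell is not exactly explorer.exe'
        }
    }

    # 2. RunOnce values whose data resolves under %APPDATA% or a random folder in %windir%.
    #    RunOnce values are deleted once they execute, so an empty key does not clear the
    #    host; Winlogon\Shell is the persistent indicator. Legitimate %windir% entries almost
    #    always live in System32/SysWOW64, so those are excluded here as a heuristic.
    $runOnce   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $props = Get-ItemProperty -Path $runOnce -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }
            $data   = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            $target = ($data -replace '^"([^"]+)".*$', '$1')      # strip quotes and arguments
            $inAppData = $target -like "$appData*"
            $inWinDir  = ($target -like "$winDir*") -and
                         ($target -notlike "$winDir\System32*") -and
                         ($target -notlike "$winDir\SysWOW64*")
            if ($inAppData -or $inWinDir) {
                $findings += [pscustomobject]@{
                    Location = "$runOnce\$($p.Name)"
                    Value    = $p.Value
                    Target   = $target
                    Reason   = 'RunOnce target under %APPDATA% or a non-system %windir% folder'
                }
            }
        }
    }
    $findings
}

function Test-ImageMasquerade {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $vi     = (Get-Item -LiteralPath $Path).VersionInfo
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    # Heuristic: a file that claims a vendor in its version resource but is unsigned, or is
    # signed by someone who is not that vendor, is wearing borrowed file information (this
    # entry cites a copy posing as Faronics Deep Freeze).
    $claimsVendor = [bool]$vi.CompanyName
    $signerMatches = $signer -and ($signer -like "*$($vi.CompanyName)*")
    [pscustomobject]@{
        Path         = $Path
        Exists       = $true
        CompanyName  = $vi.CompanyName
        OriginalName = $vi.OriginalFilename
        Signature    = $sig.Status            # Valid / NotSigned / HashMismatch / ...
        Signer       = $signer
        Suspicious   = $claimsVendor -and (($sig.Status -ne 'Valid') -or -not $signerMatches)
    }
}

# Usage:
$hits = Get-NymaimPersistenceIndicators
$hits | Format-Table -AutoSize
$hits | ForEach-Object { Test-ImageMasquerade -Path $_.Target } | Format-List
```

Two caveats when reading the output. The HKLM value stores a literal %APPDATA%, which Winlogon expands for whichever user logs on, so the script only resolves it for the account running the check; other profiles on a shared machine need their own AppData folders examined. And a legitimate unsigned program with a CompanyName set will also show Suspicious, so confirm a hit by checking the file hash against the vendor or by scanning it, rather than acting on the heuristic alone.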


Prevention


Alert level: Severe
First detected by definition: 1.169.1744.0
Latest detected by definition: 1.189.184.0 and higher
First detected on: Apr 04, 2014
This entry was first published on: Jul 07, 2014
This entry was updated on: Jul 14, 2014

This threat is also detected as:
No known aliases