Ransom:Win32/Nymaim.F belongs to a family of ransomware that includes components that download other malware and lock your PC.
These threats can be installed on your PC when you visit a malicious or hacked website, or when you click on a malicious link in a spam email.
When run, Ransom:Win32/Nymaim.F is installed to %TEMP%.tmp.
It then creates copies of itself in %APPDATA% and %windir% using random folder and file names, for example:
It modifies the following registry entries so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "<random string>", for example, "4ld5tr"
With data: "%APPDATA%\<random file name>.exe", for example, "%APPDATA%\hgo\vmaun.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%APPDATA%\<random file name>.exe,explorer.exe"
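The two persistence locations above (a RunOnce value pointing into %APPDATA% and a Winlogon Shell value that no longer reads plain explorer.exe) are easy to check mechanically. The following is an added example, not Microsoft's code or part of the original entry: it runs two checks over a registry snapshot supplied as a Python dictionary. The snapshot contents are constructed to mirror the values the entry describes; on a live host you would fill the dictionary from the registry (for instance with the winreg module) instead.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample snapshot shaped as {subkey: {value_name: data}}. The values are
# made up to match the pattern the entry describes (random value name, payload under
# %APPDATA%, Winlogon Shell prepended with the payload path).
SAMPLE_SNAPSHOT: Dict[str, Dict[str, str]] = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce": {
        "4ld5tr": r"%APPDATA%\hgo\vmaun.exe",
        "VendorUpdater": r"C:\Program Files (x86)\Vendor\Updater\update.exe /silent",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": r"%APPDATA%\hgo\vmaun.exe,explorer.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,",
    },
}

# Constructed snapshot of an uninfected machine, used to show the checks stay quiet.
CLEAN_SNAPSHOT: Dict[str, Dict[str, str]] = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce": {},
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": "explorer.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,",
    },
}

# Locations a standard user can write to. A Run/RunOnce entry launching from here is
# not proof of infection, but it is the pattern this family uses and worth a look.
USER_WRITABLE = re.compile(
    r"(%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|\\AppData\\|\\Temp\\)", re.IGNORECASE
)

Finding = Tuple[str, str, str]  # (subkey, value name, data)


def check_run_keys(snapshot: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag Run/RunOnce values whose command lives in a user-writable directory."""
    findings: List[Finding] = []
    for subkey, values in snapshot.items():
        leaf = subkey.rsplit("\\", 1)[-1].lower()
        if leaf not in ("run", "runonce"):
            continue
        for name, data in values.items():
            if USER_WRITABLE.search(data):
                findings.append((subkey, name, data))
    return findings


def check_winlogon_shell(snapshot: Dict[str, Dict[str, str]]) -> Optional[Finding]:
    """Return the Winlogon Shell value if it is anything other than exactly explorer.exe.

    Shell is a comma-separated list; the malware prepends its own path so that its
    binary starts before the real shell. Any extra entry is therefore a finding.
    """
    for subkey, values in snapshot.items():
        if not subkey.lower().endswith("\\winlogon") or "Shell" not in values:
            continue
        shell = values["Shell"]
        entries = [e.strip().lower() for e in shell.split(",") if e.strip()]
        if entries != ["explorer.exe"]:
            return (subkey, "Shell", shell)
    return None


if __name__ == "__main__":
    for subkey, name, data in check_run_keys(SAMPLE_SNAPSHOT):
        print(f"Run key launches from user-writable path: {subkey} \\ {name} = {data}")
    shell_finding = check_winlogon_shell(SAMPLE_SNAPSHOT)
    if shell_finding:
        print(f"Winlogon Shell modified: {shell_finding[2]}")
```

The Shell check is deliberately strict: the default data is exactly explorer.exe, so comparing the parsed list against that single entry catches both a prepended payload (as here) and a full replacement. The Run-key check is a heuristic and should be paired with the file-information and network checks described later in the entry.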
Injects malicious code into other processes
Ransom:Win32/Nymaim.F injects malicious code into other processes using CreateRemoteThread and WriteProcessMemory. As a result, an infected machine will have known and trusted processes performing HTTP requests, for example:
explorer.exe connecting to afkkcfjjg.biz at TCP port 80
explorer.exe connecting to gefesosexwithjimmy.org at TCP port 80
explorer.exe connecting to oiksixvj.net at TCP port 80
explorer.exe connecting to rvebpzja.net at TCP port 80
explorer.exe connecting to ykbjkuu.ru at TCP port 80
It is also likely that more processes perform remote connection activities to access multiple websites in the background.
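The connection list above is the kind of telemetry a defender can triage automatically: a process that normally has no business talking to arbitrary internet hosts (explorer.exe here) suddenly fanning out to several unrelated domains over port 80. The following is an added example, not part of the original entry: it parses lines in the same "process connecting to host at TCP port N" form the entry uses, keeps only connections from a watched set of processes to hosts outside an allowlist, and reports any watched process whose number of distinct external hosts exceeds a threshold. The log text, the watched-process set and the allowlist are constructed for the example and would be tuned per environment.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample log. The explorer.exe lines reuse the hosts listed in the entry;
# the other lines are made up to show connections that should not be flagged.
SAMPLE_LOG = """\
explorer.exe connecting to afkkcfjjg.biz at TCP port 80
svchost.exe connecting to download.windowsupdate.com at TCP port 80
explorer.exe connecting to gefesosexwithjimmy.org at TCP port 80
msedge.exe connecting to example.net at TCP port 443
explorer.exe connecting to oiksixvj.net at TCP port 80
explorer.exe connecting to www.microsoft.com at TCP port 443
explorer.exe connecting to rvebpzja.net at TCP port 80
explorer.exe connecting to ykbjkuu.ru at TCP port 80
"""

LINE_RE = re.compile(
    r"^(?P<proc>\S+) connecting to (?P<host>\S+) at (?P<proto>TCP|UDP) port (?P<port>\d+)$"
)

# Processes that should not originate their own web traffic in this (assumed) environment.
WATCHED_PROCESSES: Set[str] = {"explorer.exe", "winlogon.exe"}

# Domains a watched process may legitimately reach; matched by suffix. Constructed list.
ALLOWLIST: Set[str] = {"microsoft.com", "windowsupdate.com"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one connection line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowlisted(host: str, allowlist: Set[str]) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def suspicious_connections(log_text: str,
                           watched: Set[str] = WATCHED_PROCESSES,
                           allowlist: Set[str] = ALLOWLIST) -> List[Dict[str, str]]:
    """Connections from a watched process to a host outside the allowlist."""
    out: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proc"].lower() in watched and not is_allowlisted(rec["host"], allowlist):
            out.append(rec)
    return out


def fan_out(connections: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of distinct external hosts contacted per process."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for rec in connections:
        hosts[rec["proc"].lower()].add(rec["host"].lower())
    return {proc: len(h) for proc, h in hosts.items()}


def flagged_processes(log_text: str, threshold: int = 3) -> List[str]:
    """Watched processes that reached at least `threshold` distinct non-allowlisted hosts."""
    counts = fan_out(suspicious_connections(log_text))
    return sorted(p for p, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for rec in suspicious_connections(SAMPLE_LOG):
        print(f"{rec['proc']} -> {rec['host']}:{rec['port']}/{rec['proto']}")
    print("fan-out:", fan_out(suspicious_connections(SAMPLE_LOG)))
    print("flagged:", flagged_processes(SAMPLE_LOG))
```

The fan-out threshold is what separates this from a plain blocklist: the domain names the malware uses are random and short-lived, so matching on them is unreliable, whereas "explorer.exe contacted five unrelated hosts" is a behavioural signal that survives a change of infrastructure.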
Locks your PC
Ransom:Win32/Nymaim.F can lock your PC screen, preventing you from using or accessing your files. It can display a webpage from the remote host accessed by the HTTP request. The webpage has a message that tells you your PC is locked and that you must enter your sensitive information or pay money to regain access to your PC.
TrojanDownloader:Win32/Nymaim.C may download and install this threat.
We have also seen infected machines with traces of other malware, including:
A running process detected as Ransom:Win32/Nymaim.F might look like a legitimate application when inspected by file information, for example:
CompanyName: Faronics Corporation
FileDescription: Deep Freeze service
LegalCopyright: Copyright © 1999-2013 Faronics Corporation
ProductName: Deep Freeze
Nymaim: Browsing for trouble
Analysis by Methusela Cebrian Ferrer