Categories: Ransom

How to remove “Ransom:Win32/Exmas”?

The Ransom:Win32/Exmas is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Ransom:Win32/Exmas virus can do?

Executable code extraction
Injection (inter-process)
Injection (Process Hollowing)
Presents an Authenticode digital signature
Creates RWX memory
At least one IP Address, Domain, or File Name was found in a crypto call
The binary likely contains encrypted or compressed data.
Executed a process and injected code into it, probably while unpacking
Installs itself for autorun at Windows startup
Collects information about installed applications
Checks the CPU name from registry, possibly for anti-virtualization
Attempts to create or modify system certificates
Collects information to fingerprint the system
Anomalous binary characteristics

How to determine Ransom:Win32/Exmas?


File Info:
crc32: 4EB20E12md5: 887b35a87fb75e2d889694143e3c9014name: 887B35A87FB75E2D889694143E3C9014.mlwsha1: c8be4500127bfce10ab38152a8a5003b75613603sha256: 78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3faesha512: 98cf0e201092e6d43a7ec5db4d80e6cc20ec9a983098b04597039b244535f78a4096b76bc62e591336b810fafa302e1009a64be6e788f24dcc8b3ac0c8eb930assdeep: 3072:b2HPbwlPLBkWW+DrxsYwvif/Sx+YzM5ul7SaD82gHxoLoPTI1IL7vtJf:bYT0PLB3QNJz6uhbDju6c3LJltype: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Version Info:
LegalCopyright: xa9 Copyright 2015                                                                                    FileVersion: 2.70.312            CompanyName:                                                             Comments: This installation was built with Inno Setup.ProductName: Advanced Malware Protection                                 ProductVersion: 2.70.312                                          FileDescription: Advanced Malware Protection                                 Translation: 0x0000 0x04b0

Ransom:Win32/Exmas also known as:

K7AntiVirus	Trojan ( 005020721 )
Elastic	malicious (high confidence)
DrWeb	Trojan.Encoder.10098
Cynet	Malicious (score: 100)
ALYac	Trojan.Ransom.MerryXMas
Cylance	Unsafe
Zillya	Trojan.Crynigma.Win32.31
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/Kryptik.ali2000016
K7GW	Trojan ( 005020721 )
Cybereason	malicious.87fb75
Symantec	Ransom.TeslaCrypt
ESET-NOD32	a variant of MSIL/Injector.RBY
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Trojan.Agent-5577198-0
Kaspersky	Trojan-Ransom.Win32.Crynigma.bb
BitDefender	Gen:Variant.Ransom.Xmas.5
NANO-Antivirus	Trojan.Win32.Crynigma.ekigyz
ViRobot	Trojan.Win32.Z.Injector.210368
MicroWorld-eScan	Gen:Variant.Ransom.Xmas.5
Tencent	Win32.Trojan.Raas.Auto
Ad-Aware	Gen:Variant.Ransom.Xmas.5
Sophos	Troj/Ransom-ECJ
Comodo	Malware@#3771nxqpstaq3
BitDefenderTheta	Gen:NN.ZemsilF.34670.mm2@amAWrWjO
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Ransom_EXMAS.C
McAfee-GW-Edition	RDN/Spybot.ag
FireEye	Generic.mg.887b35a87fb75e2d
Emsisoft	Gen:Variant.Ransom.Xmas.5 (B)
SentinelOne	Static AI – Malicious PE
Jiangmin	Trojan.Generic.bretf
Webroot	W32.Suspicious.Heur
Avira	HEUR/AGEN.1121944
eGambit	PE.Heur.InvalidSig
Kingsoft	Win32.Troj.GenericKD.v.(kcloud)
Microsoft	Ransom:Win32/Exmas
Arcabit	Trojan.Ransom.Xmas.5
GData	Gen:Variant.Ransom.Xmas.5
AhnLab-V3	Trojan/Win32.Ransom.C1739129
McAfee	RDN/Spybot.ag
MAX	malware (ai score=100)
VBA32	Trojan-Ransom.Crynigma
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Ransom_EXMAS.C
Rising	Ransom.Crynigma!8.61B4 (CLOUD)
Ikarus	Trojan.MSIL.Krypt
Fortinet	W32/Crynigma.BB!tr
AVG	Win32:Malware-gen
Paloalto	generic.ml
Qihoo-360	Win32/Ransom.Generic.HgIASOgA