
Trojan.Ransomcrypt.H


First posted on 06 March 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Ransomcrypt.H.

Explanation:

When the Trojan is executed, it creates the following files:

%UserProfile%\Local Settings\Temp\4b92dde98a388db61dca6ca68e4d4e.exe
%UserProfile%\Local Settings\Temp\4b92dde98a388db61dca6ca68e4d4e1.txt
%UserProfile%\Local Settings\Temp\polipo.conf
%UserProfile%\Local Settings\Temp\polipo.exe
%UserProfile%\Local Settings\Temp\tor.exe

The Trojan creates the following registry entry so that it runs at each user logon:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"4b92dde98a388db61dca6ca68e4d4e" = "%UserProfile%\Local Settings\Temp\4b92dde98a388db61dca6ca68e4d4e.exe"
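The file and registry indicators above translate directly into a triage check. The following Python is an added example, not part of the Symantec write-up: it flags the known Run value name and Temp artefacts, and generalises to any Run entry that launches an executable from the user's Local Settings\Temp directory. The registry and directory listings it consumes are constructed sample data; on a real host you would feed it the output of a registry export and a directory listing.

```python
import re

# Indicators taken from the write-up above.
KNOWN_VALUE_NAME = "4b92dde98a388db61dca6ca68e4d4e"
KNOWN_TEMP_FILES = {
    "4b92dde98a388db61dca6ca68e4d4e.exe",
    "4b92dde98a388db61dca6ca68e4d4e1.txt",
    "polipo.conf",
    "polipo.exe",
    "tor.exe",
}
# Generalisation: persistence via HKCU\...\Run pointing at an .exe in Local Settings\Temp
# is suspicious regardless of the file name.
TEMP_EXE_RE = re.compile(r'%userprofile%\\local settings\\temp\\[^\\"]+\.exe', re.IGNORECASE)


def triage_run_entries(entries):
    """entries: iterable of (value_name, value_data) pairs read from
    HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    Returns [(value_name, reason)] for entries worth investigating."""
    hits = []
    for name, data in entries:
        if name == KNOWN_VALUE_NAME:
            hits.append((name, "known Trojan.Ransomcrypt.H value name"))
        elif TEMP_EXE_RE.search(data):
            hits.append((name, "Run entry launches executable from Local Settings\\Temp"))
    return hits


def triage_temp_listing(filenames):
    """filenames: basenames found in %UserProfile%\\Local Settings\\Temp.
    Returns the sorted list of known Trojan artefacts present (case-insensitive)."""
    return sorted(KNOWN_TEMP_FILES.intersection(f.lower() for f in filenames))


# Constructed sample data (hypothetical host, not from the write-up).
SAMPLE_RUN = [
    ("OneDrive", r"C:\Program Files\OneDrive\OneDrive.exe /background"),
    ("4b92dde98a388db61dca6ca68e4d4e", r"%UserProfile%\Local Settings\Temp\4b92dde98a388db61dca6ca68e4d4e.exe"),
    ("updater", r"%UserProfile%\Local Settings\Temp\svc_update.exe"),
]
SAMPLE_TEMP = ["polipo.conf", "tor.exe", "~DF3A.tmp", "4B92DDE98A388DB61DCA6CA68E4D4E.EXE"]

if __name__ == "__main__":
    for name, why in triage_run_entries(SAMPLE_RUN):
        print(f"Run\\{name}: {why}")
    print("known artefacts in Temp:", triage_temp_listing(SAMPLE_TEMP))
```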

The Trojan encrypts data files on the compromised computer and demands payment in Bitcoin to decrypt them.

The Trojan uses the Tor network to communicate with the attacker's server.

The Trojan displays the following ransom message:

Last update 06 March 2014
