
Trojan.Cryptolocker.N


First posted on 03 March 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Cryptolocker.N.

Explanation :

When the Trojan is executed, it creates the following files:
%UserProfile%\Application Data\key.dat
%UserProfile%\Application Data\log.html
%UserProfile%\Application Data\[RANDOM CHARACTERS].exe
%SystemDrive%\Documents and Settings\All Users\Desktop\CryptoLocker.lnk
%SystemDrive%\Documents and Settings\All Users\Desktop\HELP_TO_DECRYPT_YOUR_FILES.bmp
%SystemDrive%\Documents and Settings\All Users\Desktop\HELP_TO_DECRYPT_YOUR_FILES.txt
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"crypto13" = "%UserProfile%\Application Data\[RANDOM CHARACTERS].exe"
The Trojan encrypts files with the following extensions:
.7z .rar .m4a .wma .avi .wmv .csv .d3dbsp .sc2save .sie .sum .ibank .t13 .t12 .qdf .gdb .tax .pkpass .bc6 .bc7 .bkp .qic .bkf .sidn .sidd .mddata .itl .itdb .icxs .hvpl .hplg .hkdb .mdbackup .syncdb .gho .cas .svg .map .wmo .itm .sb .fos .mcgame .vdf .ztmp .sis .sid .ncf .menu .layout .dmp .blob .esm .001 .vtf .dazip .fpk .mlx .kf .iwd .vpk .tor .psk .rim .w3x .fsh .ntl .arch00 .lvl .snx .cfr .ff .vpp_pc .lrf .m2 .mcmeta .vfs0 .mpqge .kdb .db0 .DayZProfile .rofl .hkx .bar .upk .das .iwi .litemod .asset .forge .ltx .bsa .apk .re4 .sav .lbf .slm .bik .epk .rgss3a .pak .big .unity3d .wotreplay .xxx .desc .py .m3u .flv .js .css .rb .png .jpeg .txt .p7c .p7b .p12 .pfx .pem .crt .cer .der .x3f .srw .pef .ptx .r3d .rw2 .rwl .raw .raf .orf .nrw .mrwref .mef .erf .kdc .dcr .cr2 .crw .bay .sr2 .srf .arw .3fr .dng .jpe .jpg .cdr .indd .ai .eps .pdf .pdd .psd .dbfv .mdf .wb2 .rtf .wpd .dxg .xf .dwg .pst .accdb .mdb .pptm .pptx .ppt .xlk .xlsb .xlsm .xlsx .xls .wps .docm .docx .doc .odb .odc .odm .odp .ods .odt
The Trojan appends the following string to the file name of each encrypted file:
.crypted
The Trojan may then connect to one or more of the following remote locations (Tor2web gateways that relay clear-net HTTP requests to the Tor hidden service 7tno4hib47vlep5o.onion, so blocking the gateway names alone does not remove the C2 channel):
7tno4hib47vlep5o.tor2web.blutmagie.de
7tno4hib47vlep5o.tor2web.fi
7tno4hib47vlep5o.tor2web.org
The Trojan then changes the desktop wallpaper on the compromised computer and displays a message box with a ransom note and instructions on how to pay the ransom.
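The indicators above (dropped files, the Run-key value, the targeted extensions, the .crypted suffix and the Tor2web hostnames) can be turned into a host-triage check. The Python below is an added example written for this page; it is not Symantec's code and not part of the original write-up. It assumes the investigator has already collected a file listing, the contents of the HKCU Run key and the hostnames the machine resolved (for example from DNS or proxy logs); the sample inputs at the bottom are constructed. Two generalisations are ours and are labelled as such in the comments: the dropper path is matched both unexpanded (%UserProfile%) and expanded to a Documents and Settings path, and a direct lookup of the 7tno4hib47vlep5o.onion name is flagged alongside the listed Tor2web gateways.

```python
"""Host-triage helper built from the Trojan.Cryptolocker.N indicators above."""
import re
from pathlib import PureWindowsPath
from typing import Iterable

# Targeted extensions, copied verbatim from the write-up and split into a set
# (compared case-insensitively, so ".DayZProfile" becomes ".dayzprofile").
_EXT_RUN = (
    ".7z.rar.m4a.wma.avi.wmv.csv.d3dbsp.sc2save.sie.sum.ibank.t13.t12.qdf.gdb.tax.pkpass.bc6.bc7.bkp.qic.bkf"
    ".sidn.sidd.mddata.itl.itdb.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.svg.map.wmo.itm.sb.fos.mcgame.vdf"
    ".ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.001.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00"
    ".lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.kdb.db0.DayZProfile.rofl.hkx.bar.upk.das.iwi.litemod.asset"
    ".forge.ltx.bsa.apk.re4.sav.lbf.slm.bik.epk.rgss3a.pak.big.unity3d.wotreplay.xxx.desc.py.m3u.flv.js.css.rb"
    ".png.jpeg.txt.p7c.p7b.p12.pfx.pem.crt.cer.der.x3f.srw.pef.ptx.r3d.rw2.rwl.raw.raf.orf.nrw.mrwref.mef.erf"
    ".kdc.dcr.cr2.crw.bay.sr2.srf.arw.3fr.dng.jpe.jpg.cdr.indd.ai.eps.pdf.pdd.psd.dbfv.mdf.wb2.rtf.wpd.dxg.xf"
    ".dwg.pst.accdb.mdb.pptm.pptx.ppt.xlk.xlsb.xlsm.xlsx.xls.wps.docm.docx.doc.odb.odc.odm.odp.ods.odt"
)
TARGETED_EXTENSIONS = {"." + e.lower() for e in _EXT_RUN.split(".") if e}
ENCRYPTED_SUFFIX = ".crypted"  # appended to every encrypted file

# Basenames of the files the Trojan drops (full paths are in the write-up).
DROPPED_FILES = {
    "key.dat", "log.html", "CryptoLocker.lnk",
    "HELP_TO_DECRYPT_YOUR_FILES.bmp", "HELP_TO_DECRYPT_YOUR_FILES.txt",
}

# Persistence: HKCU\...\Run\"crypto13" = "%UserProfile%\Application Data\<random>.exe".
# Assumption (ours): the data may be seen unexpanded or expanded to a
# "<drive>:\Documents and Settings\<user>" path, so both shapes are matched.
RUN_VALUE_NAME = "crypto13"
_DROPPER_PATH = re.compile(
    r"^(?:%UserProfile%|[A-Z]:\\Documents and Settings\\[^\\]+)"
    r"\\Application Data\\[^\\]+\.exe$", re.IGNORECASE)

# Network: the Tor2web gateway names from the write-up. Their first label is the
# hidden-service ID, so a direct *.onion lookup is flagged too (our generalisation).
ONION_ID = "7tno4hib47vlep5o"
C2_HOSTS = {
    "7tno4hib47vlep5o.tor2web.blutmagie.de",
    "7tno4hib47vlep5o.tor2web.fi",
    "7tno4hib47vlep5o.tor2web.org",
}


def original_extension(path: str):
    """Return the pre-encryption extension when ``path`` has the shape
    ``name.<targeted ext>.crypted`` this Trojan produces, else None."""
    suffixes = PureWindowsPath(path).suffixes
    if len(suffixes) < 2 or suffixes[-1].lower() != ENCRYPTED_SUFFIX:
        return None
    ext = suffixes[-2].lower()
    return ext if ext in TARGETED_EXTENSIONS else None


def run_key_hits(run_values: dict) -> list:
    """Run-key values (name -> data) matching by value name or by dropper path."""
    return sorted(name for name, data in run_values.items()
                  if name.lower() == RUN_VALUE_NAME or _DROPPER_PATH.match(data))


def dropped_file_hits(paths: Iterable[str]) -> list:
    return sorted(p for p in paths if PureWindowsPath(p).name in DROPPED_FILES)


def dropper_candidates(paths: Iterable[str]) -> list:
    """Executables sitting where [RANDOM CHARACTERS].exe is dropped."""
    return sorted(p for p in paths if _DROPPER_PATH.match(p))


def c2_hits(hostnames: Iterable[str]) -> list:
    return sorted(h for h in hostnames
                  if h.lower() in C2_HOSTS or h.lower().split(".")[0] == ONION_ID)


def triage(paths, run_values, hostnames) -> dict:
    """Combine the checks. Persistence alone, or ransom artefacts together with
    encrypted victim files, counts as a positive; C2 hits are reported only."""
    encrypted = {}
    for p in paths:
        ext = original_extension(p)
        if ext:
            encrypted[p] = ext
    report = {
        "encrypted_files": encrypted,  # path -> original extension
        "dropped_files": dropped_file_hits(paths),
        "dropper_candidates": dropper_candidates(paths),
        "run_key": run_key_hits(run_values),
        "c2_hosts": c2_hits(hostnames),
    }
    report["infected"] = bool(report["run_key"]) or bool(encrypted and report["dropped_files"])
    return report


# Constructed sample evidence from a hypothetical Windows XP-era host.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Application Data\key.dat",
    r"C:\Documents and Settings\alice\Application Data\log.html",
    r"C:\Documents and Settings\alice\Application Data\kq3xz9.exe",
    r"C:\Documents and Settings\All Users\Desktop\HELP_TO_DECRYPT_YOUR_FILES.txt",
    r"C:\Documents and Settings\alice\My Documents\budget.xlsx.crypted",
    r"C:\Documents and Settings\alice\My Documents\holiday.jpg.crypted",
    r"C:\Documents and Settings\alice\My Documents\notes.md",
]
SAMPLE_RUN_VALUES = {
    "crypto13": r"%UserProfile%\Application Data\kq3xz9.exe",
    "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
}
SAMPLE_HOSTS = ["7tno4hib47vlep5o.tor2web.org", "www.example.com"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS, SAMPLE_RUN_VALUES, SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

The encrypted-file check deliberately requires both the .crypted suffix and a targeted original extension, so a lone file such as blob.crypted is not attributed to this family; a count of original extensions per directory also tells the responder which data sets to restore from backup first.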

Last update 03 March 2015
