
Trojan.Cryptolocker.V


First posted on 06 June 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Cryptolocker.V.

Explanation :

When the Trojan is executed, it creates the following files:
%System%\[RANDOM CHARACTERS].exe
%System%\helper.exe
%System%\[RANDOM CHARACTERS].dll
%System%\[RANDOM CHARACTERS].bin
Next, the Trojan creates the following registry entries:
HKEY_CLASSES_ROOT\CLSID\{66e8c3ea-286d-22bb-31cb-91d14bad7305}\"InprocServer32" = ""%System%\[RANDOM CHARACTERS].dll"
HKEY_CLASSES_ROOT\CLSID\"{66e8c3ea-286d-22bb-31cb-91d14bad7305}" = "[RANDOM CHARACTERS]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"Type" = "10"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"ErrorControl" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"ImagePath" = ""%System%\[RANDOM CHARACTERS].exe""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"DisplayName" = "Refit Hush Tubby"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"Description" = "To configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start."
The Trojan may then perform the following actions:
Connect to a remote location
Execute arbitrary commands
Download and execute files
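
A read-only host check for the fixed indicators in this write-up (the CLSID, the service display name and helper.exe), added here as an example and not part of Symantec's description. It assumes %System% is the Windows system directory and also looks in SysWOW64, which the page does not mention. The randomly named files cannot be matched by name, so the script reports the ImagePath of any matching service instead.

```powershell
# Read-only triage for the Trojan.Cryptolocker.V indicators listed on this page.
# Run from an elevated prompt so every Services subkey is readable.
$clsid       = '{66e8c3ea-286d-22bb-31cb-91d14bad7305}'   # from the page
$displayName = 'Refit Hush Tubby'                         # from the page
$findings    = New-Object System.Collections.Generic.List[object]

function Add-Finding($Indicator, $Location, $Detail) {
    $findings.Add([pscustomobject]@{
        Indicator = $Indicator; Location = $Location; Detail = $Detail })
}

# 1. COM registration under HKEY_CLASSES_ROOT\CLSID
$clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
if (Test-Path -LiteralPath $clsidKey) {
    $inproc = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" `
               -ErrorAction SilentlyContinue).'(default)'
    Add-Finding 'CLSID' $clsidKey "InprocServer32 = $inproc"
}

# 2. Service keys: the key name is random, so match on the fixed DisplayName
Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' `
              -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
    if ($svc -and $svc.DisplayName -eq $displayName) {
        Add-Finding 'Service' $_.Name `
            "ImagePath = $($svc.ImagePath); Start = $($svc.Start); ObjectName = $($svc.ObjectName)"
    }
}

# 3. helper.exe in the system directory (SysWOW64 is an added assumption)
$dirs = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64')) |
        Where-Object { Test-Path -LiteralPath $_ }
foreach ($dir in $dirs) {
    $helper = Join-Path $dir 'helper.exe'
    if (Test-Path -LiteralPath $helper -PathType Leaf) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $helper
        $hash = (Get-FileHash -LiteralPath $helper -Algorithm SHA256).Hash
        Add-Finding 'File' $helper "Signature = $($sig.Status); SHA256 = $hash"
    }
}

if ($findings.Count) { $findings | Format-List }
else { 'No indicators from this page were found.' }
```

A helper.exe hit on its own is weak evidence because the name is generic; treat it as a lead to correlate with the CLSID or service findings.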

Last update 06 June 2015

 
