Home / malware Trojan.Pollcrypto
First posted on 21 May 2015.
Source: SymantecAliases :
There are no other names known for Trojan.Pollcrypto.
Explanation :
When the Trojan is executed, it encrypts files with the following extensions using the Rijndael algorithm: .1cd.3d.3d4.3df8.3g2.3gp.3gp2.3mm.7z.8ba.8bc.8be.8bf.8bi8.8bl.8bs.8bx.8by.8li.aac.abk.abw.ac3.accdb.ace.act.ade.adi.adpb.adr.adt.aim.aip.ais.amf.amr.amu.amx.amxx.ans.ap.ape.api.arc.ari.arj.aro.arr.asa.asc.ascx.ase.ashx.asmx.asp.asr.avi.avs.bdp.bdr.bi8.bib.bic.big.bik.bkf.blp.bmc.bmf.bml.bmp.boc.bp2.bp3.bpl.bsp.cag.cam.cap.car.cbr.cbz.cc.ccd.cch.cd.cdr.cer.cfg.cgf.chk.clr.cms.cod.col.cp.cpp.crd.crt.cs.csi.cso.ctt.cty.cwf.dal.dap.dbb.dbx.dcp.dcu.ddc.ddcx.dem.dev.dex.dic.dif.dii.dir.disk.divx.diz.djvu.dmg.dng.dob.doc.docm.docx.dot.dotm.dotx.dox.dpk.dpl.dpr.dsk.dsp.dvd.dvi.dvx.dwg.dxe.dxf.elf.eps.eql.err.euc.evo.ex.f90.faq.fcd.fdr.fds.ff.fla.flp.flv.for.fpp.gam.gif.grf.gthr.gz.gzig.h3m.h4r.htm.idx.img.indd.ink.ipa.iso.isu.isz.itdb.itl.iwd.jar.jav.java.jc.jgz.jif.jiff.jpc.jpeg.jpf.jpg.jpw.js.kmz.kwd.lbi.lcd.lcf.ldb.lgp.lp2.ltm.ltr.lvl.mag.man.map.max.mbox.mbx.mcd.md0.md1.md2.md3.mdf.mdl.mdn.mds.mic.mip.mlx.mm6.mm7.mm8.mod.moz.mp3.mp4.msg.msp.mxp.nav.ncd.nds.nfo.now.nrg.nri.odc.odf.odi.odm.odp.ods.oft.oga.ogg.opf.owl.oxt.pab.pak.pbf.pbp.pbs.pcv.pdd.pdf.php.pkb.pkh.pl.plc.pli.pm.png.pot.potm.potx.ppd.ppf.pps.ppsm.ppsx.ppt.pptm.pptx.prc.prt.psa.psd.puz.pwf.pwi.pxp.qbb.qdf.qel.qif.qpx.qtiq.qtq.qtr.r00.r01.r02.r03.ra.rar.raw.res.rev.rgn.rng.rrt.rsrc.rsw.rte.rtf.rts.rtx.rum.run.rv.sad.saf.sav.scm.scn.scx.sdb.sdc.sdn.sds.sdt.sen.sfs.sfx.sh.shar.shr.shw.slt.snp.so.spr.sql.sqx.srf.srt.ssa.std.stt.stx.sud.svi.svr.swd.swf.t01.t03.t05.tar.tax2013.tax2014.tbz2.tch.tcx.text.tg.thmx.tif.tlz.tpu.tpx.trp.tu.tur.txd.txf.txt.uax.udf.umx.unr.unx.uop.upoi.url.usa.usx.ut2.ut3.utc.utx.uvx.uxx.val.vc.vcd.vdo.ver.vhd.vmf.vmt.vsi.vtf.w3g.w3x.wad.war.wav.wave.waw.wbk.wdgt.wks.wm.wma.wmd.wmdb.wmmp.wmv.wmx.wow.wpk.wpl.wsh.wtd.wtf.wvx.xl.xla.xlam.xlc.xll.xlm.xlr.xls.xlsb.xlsm.xlsx.xltx.xlv.xlwx.xpi.xpt.xvid.xwd.yab.yps.z02.z04.zap.zip.zipx.zoo Next, the Trojan deletes ShadowCopy from the compromised computer.
The Trojan then creates the following file in every folder with an encrypted file: [PATH TO ENCRYPTED FILES]\DECRYPT_INSTRUCTION.html
The Trojan then displays a ransom notice, telling the user that their files have been encrypted and demanding that they pay in order to decrypt them.Last update 21 May 2015
