Trojan.Cryptolocker.Z


First posted on 20 August 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Cryptolocker.Z.

Explanation:

When the Trojan is executed, it creates the following file:
%Temp%\keepalive.exe
The Trojan creates the following registry entries (the Run values provide persistence; the CryptoApp\...\progress values track the state of the encryption run):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"CryptoAppAppForcedEnded" 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"CryptoAppDelay" 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"CryptoApp" "%CurrentFolder%\[FILE NAME] start"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"CryptoApp" "%CurrentFolder%\[FILE NAME].exe start"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"CryptoAppSelfDestroyEncryptTime" 0x000138ae
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"CryptoAppSelfDestroyTickCount" 0x000290eb
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"CryptoAppAllEncrypted" 0x00000001
HKEY_CURRENT_USER\Software\CryptoApp\%CurrentFolder%\progress\"done" 0x00000001
HKEY_CURRENT_USER\Software\CryptoApp\%CurrentFolder%\progress\"saved" 0x00000001
HKEY_CURRENT_USER\Software\CryptoApp\%CurrentFolder%\progress\"mode" 0x00000002
HKEY_CURRENT_USER\Software\CryptoApp\%CurrentFolder%\progress\"files" 0x00000000
HKEY_CURRENT_USER\Software\CryptoApp\%CurrentFolder%\progress\"done" 0x00000000
HKEY_CURRENT_USER\Software\CryptoApp\%CurrentFolder%\progress\"files" 0x0000009E
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"CryptoAppEncryptedFiles" 0x0000009E
HKEY_CURRENT_USER\Software\CryptoApp\%CurrentFolder%\progress\"time" a8 61 00 00
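The following read-only PowerShell check is an added example, not part of the Symantec write-up: it looks for the dropped file and the registry artefacts listed above in the current user's hive and reports what it finds without modifying anything. The value names, key paths and %Temp% file name come from this page; the output layout is my own.

```powershell
# Added example: hunt for Trojan.Cryptolocker.Z artefacts for the current user.
# Read-only: nothing is deleted or changed. Run once per user profile (keys live in HKCU).
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appKey  = 'HKCU:\Software\CryptoApp'
$dropped = Join-Path $env:TEMP 'keepalive.exe'   # %Temp%\keepalive.exe from the write-up
$findings = @()

# 1. Persistence: any Run value whose name starts with "CryptoApp"
#    (CryptoApp, CryptoAppDelay, CryptoAppAllEncrypted, CryptoAppEncryptedFiles, ...).
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'CryptoApp*') {
            $findings += [pscustomobject]@{
                Type = 'RunValue'; Location = "$runKey\$($p.Name)"; Data = $p.Value }
        }
    }
}

# 2. State tracking: HKCU\Software\CryptoApp\<folder>\progress with done/saved/mode/files/time.
if (Test-Path $appKey) {
    Get-ChildItem -Path $appKey -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'progress' } |
        ForEach-Object {
            $v = Get-ItemProperty -Path $_.PSPath
            $findings += [pscustomobject]@{
                Type = 'ProgressKey'; Location = $_.Name
                Data = ('done={0} saved={1} mode={2} files={3}' -f $v.done, $v.saved, $v.mode, $v.files) }
        }
}

# 3. Dropped helper binary in %Temp%; hash it so the sample can be submitted or matched later.
if (Test-Path $dropped) {
    $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Type = 'File'; Location = $dropped; Data = "SHA256=$hash" }
}

if ($findings.Count -eq 0) { 'No Trojan.Cryptolocker.Z artefacts found for this user.' }
else { $findings | Format-Table -AutoSize }
```

The matching 0x0000009E values of Run\CryptoAppEncryptedFiles and progress\files above suggest both record the number of files encrypted so far, which is useful for scoping the damage on a hit.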
The Trojan encrypts all files on the compromised computer with the following extensions:
.iff .3fr .3gp .7z .accdb .ai .arc .arw .avi .bad .bay .bmp .cam .cdr .cer .cineon .cr2 .crt .crw .csv .ctl .dat .dbf .dcr .der .des .dicom .dng .doc .docm .docx .dsc .dwg .dxf .dxg .eps .erf .fla .flv .fmb .fmt .fmx .gif .hdr .html .iif .img .indd .jpe .jpeg .jpg .kdc .log .lst .m4v .mdb .mdf .mef .mov .mpeg .mrw .nd .nef .nrw .odb .odm .odp .ods .odt .openexr .ora .orf .p12 .p7b .p7c .pbm .pck .pdd .pdf .pef .pem .pfx .pgm .pic .pkb .pks .plb .pls .png .pot .ppm .pps .ppt .pptm .pptx .prn .psb .psd .pst .ptx .qba.tlg .qbm .qbr .qbw .qbw.tlg .qbx .qby .qfx .r3d .raf .rar .raw .rdf .rdo .rep .rex .rtf .rw2 .rwl .sql .srf .srw .sti .sxi .tiff .txt .vdi .wb2 .wpd .wps .xbm .xlk .xls .xlsb .xlsm .xlsx .xml .yaml .zip .php .css .asp .cpp .js .pl .perl .swf .aspx .potx .potm .ppam .ppsx .ppsm .sldx .sldm .thmx .xlam .xltm .dotm .dotx
The Trojan sends the keys used for encryption to the following location:
[http://]gvgtransportation.com/s/ksubm[REMOVED]
The Trojan creates the following note after encrypting the files:
"How can you decrypt your files

Your important files on this computer (including connected flash or external drives) were encrypted. You can personally verify this.

Encryption was made using a unique private key RSA-2048, generated for this computer. To decrypt your files you will need to pay 1 Bitcoin.

Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.

1 You should register the Bitcoin wallet - Click here

2 Purchasing Bitcoin - Altrought it's may yet easy to buy Bitcoin, it's getting simple every day. Here are our recomandation:

LocalBitcoins.com - This fantastic service allows you to search for people in your community willing to sell bitcoins to you directly
Coinbase.com - Bitcoin exchange based on United States
Coin.mx - An international Bitcoin exchanger (Accept Credit Card Payments)

3 Send the payment of 1 (one) Bitcoin to the Bitcoin address 1AbwLtv7JTtbLmj8LrGq7TzCdkD4ZNET5C
4 After you make the payment, enter your Bitcoin address below to decrypt your files

Visit one of the following website to decrypt your files:

[https://]GUHVUOZ7AM24B5MV.TOR2WEB.ORG[REMOVED]
[https://]GUHVUOZ7AM24B5MV.TOR2WEB.BLUTMAGIE.DE[REMOVED]
[https://]GUHVUOZ7AM24B5MV.S1.TOR-GATEWAYS.DE[REMOVED]
[https://]GUHVUOZ7AM24B5MV.ONION.CITY[REMOVED]
[https://]GUHVUOZ7AM24B5MV.ONION.CAB[REMOVED]

NOTE: Follow these steps and your data will be restored guaranteed."

Last update 20 August 2015
