Home / malware Trojan.Cryptolocker.AD
First posted on 29 January 2016.
Source: SymantecAliases :
There are no other names known for Trojan.Cryptolocker.AD.
Explanation :
When the Trojan is executed, it creates the following files: %UserProfile%\Application Data\System.exe%UserProfile%\Application Data\bcd.bat%UserProfile%\Application Data\uac.exe%UserProfile%\Application Data\del.bat%System%\Tasks\uac
Next, the Trojan creates the following registry entries: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "%UserProfile%\Application Data\system.exe"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"system" = "%UserProfile%\Application Data\system.exe"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"rgd_bcd_condition" = "1"HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys\"Flags" = "506"
The Trojan then encrypts files with the following extensions: .accdb.arw.dbf.doc.docm.docx.jpe.jpeg.jpg.mdb.mdf.odb.odm.odp.ods.pdf.rar.sql.txt.xlsb.xlsm.xlsx.zip
Next, the Trojan renames the encrypted files as [RANDOM NUMBER].R5A.
The Trojan then connects to [http://]jaster.in/news/gate[REMOVED] and sends the following information: User nameUser privilegeOS versionUnique ID
The Trojan then displays the following ransom note, telling the user that their files have been encrypted. The message demands that the user pays within 96 hours, otherwise the decryption key will be destroyed.Last update 29 January 2016
