
Trojan.Cryptolocker.Q


First posted on 14 April 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Cryptolocker.Q.

Explanation :

Once executed, the Trojan creates the following files:
%UserProfile%/Application Data/01. Untrust Us.mp3
%UserProfile%/Application Data/WinDsk/windsk.exe
%Windir%/SoftwareDistribution/DataStore/Logs/tmp.edb
The Trojan creates the following folder:
%UserProfile%/Application Data/nyjuikoitg
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"wincl" = "%UserProfile%\Application Data\WinDsk\windsk.exe"
The Trojan also creates the following registry entries:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\CLOCK\SData\"S" = "INSTALL_OK"
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\CLOCK\EData\"E" = "4/17/2015 6:52:58 PM"
Next, the Trojan deletes the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"CleanShutdown" = "0"
The Trojan may then connect to the following remote location:
dota2arcana.com
The Trojan encrypts files on the compromised computer and demands that the user pay a ransom in bitcoin in order to decrypt the files.
The Trojan may also connect to the following remote location in order to verify if the ransom has been paid:
blockchain.info
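The indicators listed above, turned into a host-side IOC check. This is an added example, not code from the Symantec write-up or from malwarePDF. It handles the two things that make a literal string match fail in practice: Symantec prints paths with forward slashes and %UserProfile%/%Windir% placeholders, whereas a live host has backslashes and a concrete profile directory, and on Vista and later "Application Data" is the AppData\Roaming folder. The strong/medium/weak weighting is an assumption of this example: tmp.edb under SoftwareDistribution\DataStore\Logs and lookups of blockchain.info also occur on clean machines, and the "VB and VBA Program Settings" parent key is written by any VB6 program that calls SaveSetting, so only the CLOCK subkeys are specific. SAMPLE_HOST and CLEAN_HOST are constructed artifact records, not data from a real incident.

```python
import re

# IOCs transcribed from the write-up above (Symantec notation, forward slashes).
STRONG_FILES = [
    "%UserProfile%/Application Data/01. Untrust Us.mp3",
    "%UserProfile%/Application Data/WinDsk/windsk.exe",
    "%UserProfile%/Application Data/nyjuikoitg",
]
# Weak (assumption): a file of this name is part of the Windows Update
# datastore on clean systems too, so it only corroborates the strong hits.
WEAK_FILES = ["%Windir%/SoftwareDistribution/DataStore/Logs/tmp.edb"]

RUN_KEY = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run"
RUN_NAME = "wincl"
# Any VB6 program using SaveSetting writes under "VB and VBA Program Settings";
# the CLOCK\SData and CLOCK\EData subkeys are the sample-specific part.
VB_KEY_PREFIX = "hkey_current_user\\software\\vb and vba program settings\\clock\\"

STRONG_DOMAINS = {"dota2arcana.com"}
WEAK_DOMAINS = {"blockchain.info"}   # legitimate public service, weak on its own

# Placeholder expansions (assumed): XP-style and Vista+ profile roots.
PLACEHOLDERS = {
    "%userprofile%": r"[a-z]:\\(?:users|documents and settings)\\[^\\]+",
    "%windir%": r"[a-z]:\\windows",
}
# On Vista+ %UserProfile%\Application Data is a junction to AppData\Roaming.
SEGMENT_ALIASES = {"application data": r"(?:application data|appdata\\roaming)"}


def norm(p):
    """Lower-case, strip quotes and use backslashes so write-up and host paths compare alike."""
    return p.strip('"').replace("/", "\\").lower()


def ioc_regex(ioc):
    """Compile a write-up style path into a regex over normalised host paths."""
    out = []
    for piece in re.split(r"(%[a-z]+%)", norm(ioc)):
        if piece in PLACEHOLDERS:
            out.append(PLACEHOLDERS[piece])
        else:
            segs = [SEGMENT_ALIASES.get(s, re.escape(s)) for s in piece.split("\\")]
            out.append(r"\\".join(segs))
    return re.compile("^" + "".join(out) + "$")


STRONG_RES = [ioc_regex(p) for p in STRONG_FILES]
WEAK_RES = [ioc_regex(p) for p in WEAK_FILES]
WINDSK_RE = ioc_regex(STRONG_FILES[1])


def scan(artifacts):
    """artifacts: dicts of type file/reg/dns collected from a host.
    Returns (weight, description) pairs; weight is strong, medium or weak."""
    hits = []
    for a in artifacts:
        if a["type"] == "file":
            p = norm(a["path"])
            if any(r.match(p) for r in STRONG_RES):
                hits.append(("strong", "file " + a["path"]))
            elif any(r.match(p) for r in WEAK_RES):
                hits.append(("weak", "file " + a["path"]))
        elif a["type"] == "reg":
            key, name, data = norm(a["key"]), a["name"].lower(), norm(a.get("data", ""))
            # Match the payload path as well as the value name, so a variant
            # that renames "wincl" but keeps windsk.exe is still caught.
            if key == RUN_KEY and (name == RUN_NAME or WINDSK_RE.match(data)):
                hits.append(("strong", "Run value %s = %s" % (a["name"], a.get("data", ""))))
            elif key.startswith(VB_KEY_PREFIX):
                hits.append(("medium", "registry " + a["key"] + "\\" + a["name"]))
        elif a["type"] == "dns":
            d = a["name"].lower().rstrip(".")
            if d in STRONG_DOMAINS:
                hits.append(("strong", "dns " + d))
            elif d in WEAK_DOMAINS:
                hits.append(("weak", "dns " + d))
    return hits


def verdict(hits):
    weights = {w for w, _ in hits}
    if "strong" in weights:
        return "infected"
    if "medium" in weights:
        return "suspicious"
    return "no evidence"   # weak-only hits occur on clean hosts too


# Constructed artifact records for demonstration (not from a real incident).
SAMPLE_HOST = [
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\WinDsk\windsk.exe"},
    {"type": "file", "path": r"C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb"},
    {"type": "reg", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "wincl", "data": r"C:\Users\alice\AppData\Roaming\WinDsk\windsk.exe"},
    {"type": "reg", "key": r"HKEY_CURRENT_USER\Software\VB and VBA Program Settings\CLOCK\SData",
     "name": "S", "data": "INSTALL_OK"},
    {"type": "dns", "name": "dota2arcana.com"},
    {"type": "dns", "name": "blockchain.info"},
]
CLEAN_HOST = [
    {"type": "file", "path": r"C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb"},
    {"type": "dns", "name": "blockchain.info"},
]

if __name__ == "__main__":
    for w, d in scan(SAMPLE_HOST):
        print(w, d)
    print(verdict(scan(SAMPLE_HOST)))
```

Feed it file listings, a registry export of HKCU\Software and DNS query logs from the host under investigation; the verdict only becomes "infected" on the sample-specific artifacts, so the legitimate tmp.edb file and blockchain.info lookups never raise an alert by themselves.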

Last update 14 April 2015
