Home / malwarePDF  

Trojan.Ransomcrypt.U


First posted on 23 September 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Ransomcrypt.U.

Explanation :

The Trojan may arrive through an exploit kit.

When the Trojan is executed, it creates the following files: %Temp%\desk.bmp%Temp%\desk.jpg%ProgramFiles%\[THREAT FILE NAME].exe
Next, the Trojan creates the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"pr" = "%ProgramFiles%\[THREAT FILE NAME].exe"
The Trojan then modifies the following registry entries: HKEY_CURRENT_USER\Control Panel\Desktop\"TileWallpaper" = "0"HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "%Temp%\desk.bmp"
The Trojan then searches for and encrypts files with the following extensions: .1cd.3gp.7z.a3d.abf.accdb.arj.asm.avi.cdr.cdx.cer.cpt.csv.db3.dbf.doc.docx.fbf.fbk.fbw.fbx.fdb.gbk.gho.gzip.iv2i.jpeg.jpg.keystore.ldf.m2v.m3d.max.mdb.mkv.mov.mp3.mpeg.nbd.nrw.nx1.odb.odc.odp.ods.odt.old.orf.p12.pdf.pef.ppt.pptm.pst.ptx.pz3.qic.r3d.rar.raw.rtf.rwl.rx2.sbs.sldasm.sldprt.sn1.sna.spf.sr2.srf.srw.tbl.tis.txt.wps.wps.x3f.xls.xlsx.zip
The Trojan changes the name of encrypted files using the following format: email-[EMAIL ADDRESS].ver-[MALWARE VERSION].id-[UNIQUE ID]-[MONTH]@[DAY]@[YEAR] [HOUR]@[MINUTE]@[SECOND] [AM/PM].randomname-[RANDOM FILE NAME].cbf
The email address included in the file names may be any of the following: ninja.gaiver@aol.comscasiva@aol.comigor_svetlov2@aol.com.Seven_Legion2@aol.comcryptolocker@aol.comeric.decoder10@gmail.com
The Trojan then connects to the following remote location to sends the malware version and the computer's unique ID: [http://]google-update.com/install/inst[REMOVED]
The Trojan changes the desktop wallpaper to display the ransom warning. The message tells the user that their files have been encrypted and advises them to send an encrypted file to the attacker's email address. It says that if the user doesn't send a file within one week, then they won't be able to decrypt their files.

Last update 23 September 2015

 

TOP

Malware :

Family: