
Trojan.Cryptolocker.D


First posted on 21 February 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Cryptolocker.D.

Explanation:

When the Trojan is executed, it creates the following files:
C:\Documents and Settings\All Users\Application Data\1AD9295D91.exe
C:\Documents and Settings\All Users\Application Data\1AD9295D91.img
C:\Documents and Settings\All Users\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.js

Next, the Trojan creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"1AD9295D91" = "C:\Documents and Settings\All Users\Application Data\1AD9295D91.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"*1AD9295D91" = "C:\Documents and Settings\All Users\Application Data\1AD9295D91.exe"
HKEY_CURRENT_USER\Software\1AD9295D91\Keys\"Wallpaper" = "%DownloadedData%"
HKEY_CURRENT_USER\Software\1AD9295D91\Keys\"Public" = "%DownloadedData%"
HKEY_CURRENT_USER\Software\1AD9295D91\Files\"(default)" = ""

The Trojan connects to the following remote location:
[http://]cabin.su[REMOVED]

Next, the Trojan encrypts files with the following file extensions:
.doc, .xls, .ppt, .wb2, .jpg, .gif, .png

The Trojan then displays a warning informing the user that their files have been encrypted. The warning demands that the user pay in order to receive the private key needed to decrypt these files.
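The registry entries listed above are the most durable host artifacts of this Trojan, so a simple triage check is to scan an exported registry file for them. The following is an added example (not Symantec's code) that parses the text format produced by the Windows `reg export` command and reports any Run/RunOnce value or HKCU\Software\1AD9295D91 subkey matching the write-up; the sample export it scans is constructed for the example.

```python
"""Scan a registry export (.reg text) for the persistence entries the write-up lists.
Added example, not Symantec's code; the sample input below is constructed."""
import re

# Indicators from the write-up: Run/RunOnce value names and the Trojan's own key.
RUN_VALUE_NAMES = {"1AD9295D91", "*1AD9295D91"}
TROJAN_KEY = r"HKEY_CURRENT_USER\Software\1AD9295D91"
RUN_KEYS = {r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"}
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=value or @=value

def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; quoted string values are unescaped."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = m.group(1) if m.group(1) is not None else "(default)"
            val = m.group(2)
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            entries[current][name] = val
    return entries

def find_cryptolocker_d(text):
    """Return (key, value_name, value) triples matching the write-up's indicators."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key in RUN_KEYS:  # autostart entries pointing at the dropped .exe
            hits += [(key, n, v) for n, v in values.items()
                     if n in RUN_VALUE_NAMES or v.lower().endswith("\\1ad9295d91.exe")]
        elif key == TROJAN_KEY or key.startswith(TROJAN_KEY + "\\"):
            hits += [(key, n, v) for n, v in values.items()]  # Keys\ and Files\ subkeys
    return hits

# Constructed sample export: one benign autostart entry plus the Trojan's entries.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"1AD9295D91"="C:\\Documents and Settings\\All Users\\Application Data\\1AD9295D91.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*1AD9295D91"="C:\\Documents and Settings\\All Users\\Application Data\\1AD9295D91.exe"
[HKEY_CURRENT_USER\Software\1AD9295D91\Keys]
"Wallpaper"="%DownloadedData%"
[HKEY_CURRENT_USER\Software\1AD9295D91\Files]
@=""
'''
```

Running `find_cryptolocker_d(SAMPLE_EXPORT)` yields the two autostart values and the two entries under the Trojan's own key, and skips the benign ctfmon.exe value.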

Last update 21 February 2014
