Trojan.Ransomcrypt.L
First posted on 04 July 2014.
Source: Symantec
Aliases:
There are no other names known for Trojan.Ransomcrypt.L.
Explanation:
When the Trojan is executed, it creates the following files:
%DriveLetter%\PAYCRYPT_GMAIL_COM.txt
%UserProfile%\Desktop\PAYCRYPT_GMAIL_COM.txt
%DriveLetter%\Users\Public\Desktop\PAYCRYPT_GMAIL_COM.txt
C:\Documents and Settings\All Users\Application Data\Desktop\PAYCRYPT_GMAIL_COM.txt
%Temp%\PAYCRYPT_GMAIL_COM.txt
The Trojan then encrypts files with the following extensions:
.xls
.xlsx
.doc
.docx
.pdf
.jpg
.cd
.jpeg
.1cd
.rar
.mdb
.zip
The Trojan then steals passwords from Web browsers and sends them to the following remote location:
paycrypt@gmail.com
The Trojan then opens the PAYCRYPT_GMAIL_COM.txt file, which displays a ransom demand.
Last update 04 July 2014
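The file locations and extension list above can be turned into a host triage check. The following is an added example, not Symantec's code: it looks for the ransom note in each listed location and lists files whose extensions the Trojan targets. The function names, the parameters standing in for %DriveLetter%, %UserProfile%, %Temp% and C:, and the sample tree in demo() are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path
NOTE_NAME = "PAYCRYPT_GMAIL_COM.txt"  # ransom note name from the write-up
TARGET_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".jpg",
               ".cd", ".jpeg", ".1cd", ".rar", ".mdb", ".zip"}
NOTE_LOCATIONS = [  # (base, sub-directories), as listed in the write-up
    ("DriveLetter", ()),
    ("UserProfile", ("Desktop",)),
    ("DriveLetter", ("Users", "Public", "Desktop")),
    ("C:", ("Documents and Settings", "All Users", "Application Data", "Desktop")),
    ("Temp", ()),
]

def find_ransom_notes(drives, user_profile, temp_dir, c_drive):
    """Return every listed note location that exists as a file."""
    bases = {"DriveLetter": list(drives), "UserProfile": [user_profile],
             "Temp": [temp_dir], "C:": [c_drive]}
    hits = set()
    for base_name, parts in NOTE_LOCATIONS:
        for base in bases[base_name]:
            candidate = Path(base).joinpath(*parts, NOTE_NAME)
            if candidate.is_file():
                hits.add(candidate)
    return sorted(hits)

def targeted_files(root):
    """List files under root with an extension the Trojan encrypts."""
    found = []
    for dirpath, _dirs, names in os.walk(root):  # unreadable dirs are skipped
        found += [Path(dirpath, n) for n in names
                  if os.path.splitext(n)[1].lower() in TARGET_EXTS]
    return sorted(found)

def demo():
    """Run both checks over a constructed tree standing in for one drive."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        desktop = drive / "Users" / "Public" / "Desktop"
        desktop.mkdir(parents=True)
        for path in (drive / NOTE_NAME, desktop / NOTE_NAME,
                     drive / "report.DOCX", drive / "notes.txt"):
            path.write_text("constructed sample")
        notes = find_ransom_notes([drive], drive / "profile", drive / "tmp", drive)
        return ([p.relative_to(drive).as_posix() for p in notes],
                [p.name for p in targeted_files(drive)])

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the mounted drive roots and the user's profile and temp directories; any returned note path is an indicator of this Trojan, and the targeted-file list shows which data to check against backups.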