
Trojan.Cryptolocker.M


First posted on 06 February 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Cryptolocker.M.

Explanation :

When the Trojan is executed, it creates the following files:
%Temp%\w8i9eHkHOwWwQlX.exe
%Temp%\ocegiklmnabcefgj.bmp
The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Alcmeter="%Temp%\w8i9eHkHOwWwQlX.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.CryptoTorLocker2015!\@="PRPASCBHJSZLMOM"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open\command\@="%Temp%\ocegiklmnabcefgj.bmp"
The Trojan encrypts files with the following extensions:
.zip .rar .7z .tar .gzip .jpg .jpeg .psd .cdr .dwg .max .bmp .gif .png .doc .docx .xls .xlsx .ppt .pptx .txt .pdf .djvu .mdb .cer .p12 .pfx .1cd .md .mdf .dbf .odt .vob .ifo .lnk .torrent .mov .m2v .3gp .mpeg .mpg .flv .avi .mp4 .wmv .divx .mkv .mp3 .wav .flac .ape .wma .ac3 .sql .wallet .dat
The Trojan appends the following string to the file name of the encrypted files:
CryptoTorLocker2015!
The Trojan drops the following file in every affected folder:
HOW TO DECRYPT FILES.txt

The Trojan then displays the following message box:


The Trojan changes the wallpaper to the following image:

Last update 06 February 2015
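
The following Python script is an added example, not part of the Symantec write-up. It sweeps a directory tree for the two file-system indicators listed above (the appended string and the dropped note) and pairs each marked file with its original name, which gives a list to restore from backup. The function names are hypothetical, the sample tree is constructed, and the "." separator before the appended string is an assumption based on the .CryptoTorLocker2015! class key.

```python
import os
import tempfile

# Indicators from the write-up above.
MARKER = "CryptoTorLocker2015!"      # string appended to encrypted file names
NOTE = "HOW TO DECRYPT FILES.txt"    # dropped in every affected folder


def original_name(name):
    """Name before the marker was appended, or None if the file is not marked.
    Assumption: the marker is joined with a '.', as the
    .CryptoTorLocker2015! class key suggests; a bare append is handled too."""
    if not name.lower().endswith(MARKER.lower()):
        return None
    stem = name[:-len(MARKER)]
    return stem[:-1] if stem.endswith(".") else stem


def scan_tree(root):
    """Map each affected folder to its ransom-note flag and its marked files,
    as (current name, original name) pairs for a restore-from-backup list."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare lowercased.
        note = any(f.lower() == NOTE.lower() for f in files)
        marked = sorted((f, original_name(f)) for f in files
                        if original_name(f) is not None)
        if note or marked:
            findings[folder] = {"note": note, "marked": marked}
    return findings


def build_sample_tree(base):
    """Constructed sample data: one affected folder, one clean folder."""
    hit, clean = os.path.join(base, "docs"), os.path.join(base, "clean")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("report.docx." + MARKER, "photo.jpg" + MARKER, NOTE):
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(clean, "notes.txt"), "w").close()
    return hit, clean


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, info in scan_tree(tmp).items():
            print(folder, "ransom note:", info["note"])
            for current, original in info["marked"]:
                print("  ", current, "->", original)
```
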

 
