
Trojan.Ransomcrypt.Q


First posted on 11 March 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Ransomcrypt.Q.

Explanation:

When executed, the Trojan creates the following files so that it runs every time Windows starts:
%UserProfile%\Start Menu\Programs\Startup\[ORIGINAL FILE NAME].exe
%UserProfile%\Start Menu\Programs\Startup\bytor.bmp

The Trojan then modifies the following registry entry to alter desktop settings:
HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "%UserProfile%\Application Data\bytor.bmp"

Next, the Trojan attempts to encrypt files with any of the following extensions:
.3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx

The Trojan then renames the encrypted files as follows:
[ORIGINAL FILE NAME].id-[RANDOM 10-DIGIT NUMBER]_decode@india.com

The Trojan then deletes the original file.
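Added example, not part of the Symantec writeup: a small triage helper that applies two of the indicators above, the renamed-file pattern and the bytor.bmp Startup-folder artifact, to a file listing so that encrypted files and the persistence drop can be picked out of a disk image or backup inventory. The sample listing, drive paths and function names are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Extensions the writeup lists as targeted by Trojan.Ransomcrypt.Q.
TARGETED_EXTENSIONS = {
    ".3fr", ".accdb", ".ai", ".arw", ".bay", ".cdr", ".cer", ".cr2", ".crt", ".crw",
    ".dbf", ".dcr", ".der", ".dng", ".doc", ".docm", ".docx", ".dwg", ".dxf", ".dxg",
    ".eps", ".erf", ".indd", ".jpe", ".jpg", ".kdc", ".mdb", ".mdf", ".mef", ".mrw",
    ".nef", ".nrw", ".odb", ".odm", ".odp", ".ods", ".odt", ".orf", ".p12", ".p7b",
    ".p7c", ".pdd", ".pef", ".pem", ".pfx", ".ppt", ".pptm", ".pptx", ".psd", ".pst",
    ".ptx", ".r3d", ".raf", ".raw", ".rtf", ".rw2", ".rwl", ".srf", ".srw", ".wb2",
    ".wpd", ".wps", ".xlk", ".xls", ".xlsb", ".xlsm", ".xlsx",
}

# Rename pattern from the writeup: [ORIGINAL FILE NAME].id-[RANDOM 10-DIGIT NUMBER]_decode@india.com
ENCRYPTED_NAME = re.compile(r"^(?P<orig>.+)\.id-(?P<id>\d{10})_decode@india\.com$")

# Persistence artifact from the writeup: bytor.bmp dropped into the per-user Startup folder.
STARTUP_ARTIFACT = re.compile(r"\\Start Menu\\Programs\\Startup\\bytor\.bmp$", re.IGNORECASE)


def classify_path(path):
    """Return a finding dict for a path matching one of the indicators, or None."""
    name = PureWindowsPath(path).name
    m = ENCRYPTED_NAME.match(name)
    if m:
        orig = m.group("orig")
        ext = PureWindowsPath(orig).suffix.lower()
        # A renamed file whose original extension is outside the targeted set is unexpected
        # for this family and worth a second look, so the flag is reported rather than dropped.
        return {"path": path, "type": "encrypted_file", "original_name": orig,
                "victim_id": m.group("id"), "targeted_extension": ext in TARGETED_EXTENSIONS}
    if STARTUP_ARTIFACT.search(path):
        return {"path": path, "type": "startup_persistence"}
    return None


def triage(paths):
    """Scan a listing; return all findings and the set of victim IDs seen in renamed files."""
    findings = [f for f in (classify_path(p) for p in paths) if f]
    ids = {f["victim_id"] for f in findings if f["type"] == "encrypted_file"}
    return findings, ids


# Constructed sample listing (hypothetical paths, not data from a real infection).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.id-0123456789_decode@india.com",
    r"C:\Users\alice\Pictures\IMG_0001.jpg.id-0123456789_decode@india.com",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Start Menu\Programs\Startup\bytor.bmp",
    r"C:\Users\alice\Downloads\archive.zip.id-0123456789_decode@india.com",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING)[0]:
        print(finding)
```

Several victim IDs in one listing would indicate either multiple infections or a tool other than the one described here, since a single run uses one random number for every renamed file.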

Next, the Trojan connects to one of the following remote locations:
[http://]www.fuck-isil.com/close/scrip[REMOVED]
[http://]kapustakapaet.com/close/scrip[REMOVED]
[http://]www.ahalaymahalay.com/close/scrip[REMOVED]
[http://]martyanovdrweb.com/close/scrip[REMOVED]
[http://]www.decryptindia.com/close/scrip[REMOVED]
The Trojan modifies the desktop wallpaper and displays the following message:

Last update 11 March 2015
