Trojan.Cryptolocker.H
First posted on 21 August 2014.
Source: Symantec
Aliases:
There are no other names known for Trojan.Cryptolocker.H.
Explanation:
Once executed, the Trojan creates the following file:
%Windir%\[RANDOM FILE NAME].exe
The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM NAME]" = "%Windir%\[RANDOM FILE NAME].exe"
It also creates the following registry entries:
HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration\"00000000" = "[BINARY DATA]"
HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration\"01000000" = "[BINARY DATA]"
HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration\"02000000" = "[BINARY DATA]"
HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration\"03000000" = "[BINARY DATA]"
Next, the Trojan encrypts data files on the compromised computer.
Note: Encrypted files are given a ".encrypted" extension.
The Trojan may then display a ransom message with instructions on how to decrypt the encrypted files.
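A defender-side check for the host artifacts listed above, written as an added example (it is not Symantec's code or this site's): it parses a registry export in the regedit / `reg export` .reg format plus a file listing, and flags a Run-key value that launches a bare executable directly under %Windir%, any value under the "Bit Torrent Application\Configuration" key, and files carrying the ".encrypted" extension. The sample export and file list are constructed for the demonstration.

```python
import re

# Indicators taken from the Trojan.Cryptolocker.H write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CONFIG_KEY = r"HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration"
ENCRYPTED_EXT = ".encrypted"
# Run data that is a bare executable directly under %Windir% (no subfolder).
WINDIR_EXE = re.compile(r"^%Windir%\\[^\\]+\.exe$", re.IGNORECASE)

def parse_reg_export(text):
    """Parse a .reg export into (key, value_name, data) tuples; string data is unescaped."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line[1:].partition('"=')
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslash as \\ and quote as \" inside string data.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            entries.append((key, name, data))
    return entries

def find_indicators(reg_text, file_paths):
    """Return human-readable findings for the persistence, config and encryption IoCs."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() == RUN_KEY.lower() and WINDIR_EXE.match(data):
            findings.append(f"persistence: Run\\{name} -> {data}")
        elif key.lower() == CONFIG_KEY.lower():
            findings.append(f"config value: {key}\\{name}")
    encrypted = [p for p in file_paths if p.lower().endswith(ENCRYPTED_EXT)]
    if encrypted:
        findings.append(f"{len(encrypted)} file(s) with {ENCRYPTED_EXT} extension")
    return findings

# Constructed sample export and file listing; not taken from a real infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\""
"qzxkv"="%Windir%\\qzxkv.exe"

[HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration]
"00000000"=hex:4d,5a,90,00
"""
SAMPLE_FILES = [r"C:\Users\me\Documents\report.docx.encrypted", r"C:\Users\me\notes.txt"]
print(find_indicators(SAMPLE_REG, SAMPLE_FILES))
```

On a live host the export would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKCU key), and the file listing from a recursive directory walk.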
The Trojan may also gather the following information from Microsoft's Outlook, Outlook Express, or Mozilla's Thunderbird email clients installed on the compromised computer:
Passwords
Email addresses
The Trojan sends the information gathered to the following remote location:
[http://]decryptionguru.com/gate[REMOVED]
Last update 21 August 2014