Trojan.Cryptolocker.G
First posted on 17 July 2014.
Source: Symantec
Aliases:
There are no other names known for Trojan.Cryptolocker.G.
Explanation:
When the Trojan is executed, it copies itself to the following location:
%Temp%\[RANDOM FILE NAME].exe
The Trojan then creates the following files:
%UserProfile%\My Documents\[RANDOM FILE NAME].html
%UserProfile%\My Documents\AllFilesAreLocked[RANDOM FILE NAME].bmp
%UserProfile%\My Documents\DecryptAllFiles[RANDOM FILE NAME].txt
%Windir%\Tasks\[RANDOM FILE NAME].job
It then searches the compromised computer for files with the following extensions:
cer, crt, db, dbf, der, doc, docm, docx, groups, kwm, mdb, mdf, pem, pwm, rtf, safe, sql, txt, xlk, xls, xlsb, xlsm, xlsx
The Trojan then encrypts any files found and adds .ctbl to the original file name.
Next, the Trojan sets the following image as the desktop wallpaper:
%UserProfile%\My Documents\AllFilesAreLocked[RANDOM FILE NAME].bmp
The image is a ransom message prompting the user to purchase a password in order to decrypt the files.
Last update 17 July 2014
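An added triage example (not Symantec's code and not part of the original write-up): it checks a file listing for the dropped ransom files and the .ctbl renames described above. The function names, verdict labels and sample paths are constructed for illustration, and it assumes the original extension stays in front of the appended .ctbl.

```python
import re
from pathlib import PureWindowsPath

# Extensions the write-up lists as encryption targets.
TARGET_EXTS = set("""cer crt db dbf der doc docm docx groups kwm mdb mdf pem pwm
rtf safe sql txt xlk xls xlsb xlsm xlsx""".split())

# Fixed name prefixes of the dropped ransom files; the rest of the name is random.
DROPPED = (
    ("ransom_wallpaper", re.compile(r"^AllFilesAreLocked.*\.bmp$", re.I)),
    ("ransom_note", re.compile(r"^DecryptAllFiles.*\.txt$", re.I)),
)

def classify(path):
    """Return (label, detail) for one Windows path, or None if nothing matches."""
    p = PureWindowsPath(path)
    for label, rx in DROPPED:
        if rx.match(p.name):
            return (label, p.name)
    if p.suffix.lower() == ".ctbl":
        # Assumption: the original extension stays in front of the appended .ctbl.
        orig = PureWindowsPath(p.stem).suffix.lstrip(".").lower()
        label = "encrypted_file" if orig in TARGET_EXTS else "ctbl_unlisted_ext"
        return (label, orig)
    return None

def triage(paths):
    """Group hits by label and return (verdict, hits) for a file listing."""
    hits = {}
    for path in paths:
        found = classify(path)
        if found:
            hits.setdefault(found[0], []).append(path)
    dropped = "ransom_note" in hits or "ransom_wallpaper" in hits
    # Ransom files plus encrypted targets is the full pattern; one alone is weaker.
    if dropped and "encrypted_file" in hits:
        return "likely", hits
    return ("possible" if hits else "clean"), hits

# Constructed sample listing (not taken from a real host).
SAMPLE = [
    r"C:\Documents and Settings\alice\My Documents\AllFilesAreLockedqx7.bmp",
    r"C:\Documents and Settings\alice\My Documents\DecryptAllFilesqx7.txt",
    r"C:\Documents and Settings\alice\My Documents\budget.xlsx.ctbl",
    r"C:\Documents and Settings\alice\My Documents\notes.txt",
    r"C:\Documents and Settings\alice\My Pictures\cat.jpg.ctbl",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The %Temp% executable, the .html file and the .job file have fully random names, so the example does not match on them; review those locations by creation time around the first .ctbl rename instead.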