
Trojan.Cryptodefense


First posted on 28 March 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Cryptodefense.

Explanation:

When the Trojan is executed, it creates the following files in every folder that contains files to be encrypted:
HOW_DECRYPT.TXT
HOW_DECRYPT.HTML
HOW_DECRYPT.URL
The Trojan creates the following registry entry to store the path of all encrypted files:
HKEY_CURRENT_USER\Software\[RANDOM CHARACTERS]\PROTECTED

The Trojan creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%AppData%\[RANDOM CHARACTERS].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "C:\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe"
The Trojan encrypts all files that match the following file extensions:
.xls, .wpd, .wb2, .txt, .tex, .swf, .sql, .rtf, .RAW, .ppt, .png, .pem, .pdf, .pdb, .PAS, .odt, .obj, .msg, .mpg, .mp3, .lua, .key, .jpg, .hpp, .gif, .eps, .DTD, .doc, .der, .crt, .cpp, .cer, .bmp, .bay, .avi, .ava, .ass, .asp, .js, .py, .pl, .db, .c, .h, .ps, .cs, .m, .rm
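The host indicators above (the three ransom notes dropped per folder, the two Run-key shapes, and the targeted extension list) can be turned into an offline triage script. The following is an added example written for this page, not Symantec's or the original write-up's code. The directory tree and the `reg query` text it examines are constructed here, and the persistence heuristic in `suspicious_run_entries()` (an `.exe` directly under `%AppData%`, or one folder below the drive root, with no arguments) is an assumption layered on the two Run-key shapes the write-up lists, not something the write-up states.

```python
"""Offline triage helper for the Trojan.Cryptodefense host indicators listed above.
Added example, not Symantec's or the original page's code. The directory tree and
the reg-query text are constructed; the Run-key heuristic is an assumption."""
import os
import re
import tempfile

# Ransom notes the Trojan drops in every folder it encrypts (from the write-up).
RANSOM_NOTES = {"HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML", "HOW_DECRYPT.URL"}

# Extensions the Trojan encrypts (from the write-up), compared case-insensitively.
TARGET_EXTS = {
    "xls", "wpd", "wb2", "txt", "tex", "swf", "sql", "rtf", "raw", "ppt", "png",
    "pem", "pdf", "pdb", "pas", "odt", "obj", "msg", "mpg", "mp3", "lua", "key",
    "jpg", "hpp", "gif", "eps", "dtd", "doc", "der", "crt", "cpp", "cer", "bmp",
    "bay", "avi", "ava", "ass", "asp", "js", "py", "pl", "db", "c", "h", "ps",
    "cs", "m", "rm",
}


def targeted(filename):
    """True if filename carries a targeted extension and is not itself a ransom note."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext in TARGET_EXTS and filename.upper() not in RANSOM_NOTES


def scan_tree(root):
    """Return {folder relative to root: number of targeted files} for every folder
    holding all three ransom notes, i.e. every folder the Trojan visited.
    Folders without the notes are not reported."""
    hits = {}
    for dirpath, _subdirs, files in os.walk(root):
        if not RANSOM_NOTES <= {f.upper() for f in files}:
            continue
        hits[os.path.relpath(dirpath, root)] = sum(1 for f in files if targeted(f))
    return hits


# Heuristic (assumption): match the two Run-key shapes from the write-up, an .exe
# directly under %AppData% and an .exe one folder below the drive root, no arguments.
_APPDATA_EXE = re.compile(
    r"^(?:%AppData%|[a-z]:\\Users\\[^\\]+\\AppData\\Roaming)\\[^\\]+\.exe$", re.I)
_DRIVE_ROOT_EXE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)
_KNOWN_TOP_DIRS = {"windows", "program files", "program files (x86)", "programdata"}
_REG_LINE = re.compile(r"^\s*(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")


def suspicious_run_entries(reg_query_text):
    """Parse `reg query HKCU\\...\\Run` output; return (value name, data) pairs whose
    data matches either persistence shape."""
    flagged = []
    for line in reg_query_text.splitlines():
        m = _REG_LINE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip('"')
        top = _DRIVE_ROOT_EXE.match(data)
        if _APPDATA_EXE.match(data) or (top and top.group(1).lower() not in _KNOWN_TOP_DIRS):
            flagged.append((name, data))
    return flagged


def build_sample_tree():
    """Create a constructed victim-like tree in a temp dir and return its path:
    Documents was 'visited' (notes present), Pictures was not."""
    root = tempfile.mkdtemp(prefix="cryptodefense_demo_")
    layout = {
        "Documents": ["report.doc", "budget.xls", "notes.TXT", "setup.exe"] + sorted(RANSOM_NOTES),
        "Pictures": ["holiday.jpg", "scan.png"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            with open(os.path.join(root, folder, n), "wb") as fh:
                fh.write(b"sample")
    return root


# Constructed reg-query output: one benign entry plus the two shapes from the write-up
# (value names are made up; the write-up only says they are random).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    hqzkdwpa    REG_SZ    %AppData%\hqzkdwpa.exe
    tfwmsjra    REG_SZ    C:\tfwmsjra\tfwmsjra.exe
"""

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))             # {'Documents': 3}
    print(suspicious_run_entries(SAMPLE_REG_QUERY))   # two flagged entries
```

On a live host, point `scan_tree()` at each user profile root and feed `suspicious_run_entries()` the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the per-folder counts give a quick scope of what was encrypted, and the `PROTECTED` value under the random `HKCU\Software` key named in the write-up should be exported as the authoritative list of encrypted paths.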
The Trojan may display a text or HTML ransom demand that states the following:
All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software.

The Trojan takes a screenshot of the desktop and uploads it to one of the following remote locations:
machetesraka.com
markizasamvel.com
armianazerbaijan.com
The Trojan may also open a browser window to the following location using the dropped HOW_DECRYPT.URL shortcut:
[https://]rj2bocejarqnpuhm.tor2web.org/[RANDOM C[REMOVED]
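The three upload hosts and the tor2web host from the HOW_DECRYPT.URL shortcut are the network indicators a proxy or DNS log can be checked against. The following is an added example for this page, not Symantec's or the write-up's code; it uses only the host names the write-up gives (the rest of the tor2web URL is truncated above and is not reconstructed here), and the log lines are constructed in Squid's native access.log layout.

```python
"""Network-side check for the Trojan.Cryptodefense indicators listed above.
Added example, not Symantec's or the page's code; the log lines are constructed."""
from urllib.parse import urlsplit

# Hosts from the write-up: screenshot upload locations and the tor2web gateway host.
IOC_HOSTS = {
    "machetesraka.com",
    "markizasamvel.com",
    "armianazerbaijan.com",
    "rj2bocejarqnpuhm.tor2web.org",
}


def matches_ioc(host):
    """Exact indicator host or any subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)


def host_of(method, url):
    """Extract the destination host; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname


def scan_proxy_log(lines):
    """Squid native format: time elapsed client code/status bytes method url ...
    Return (client, method, host) for each line whose destination hits an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        host = host_of(method, url)
        if host and matches_ioc(host):
            hits.append((client, method, host))
    return hits


# Constructed sample: one benign request, two uploads, one TLS tunnel to the tor2web host.
SAMPLE_LOG = """\
1395964800.123    412 10.0.0.15 TCP_MISS/200 8831 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1395964801.456    980 10.0.0.15 TCP_MISS/200 512 POST http://machetesraka.com/ - HIER_DIRECT/198.51.100.7 text/html
1395964802.789    250 10.0.0.22 TCP_TUNNEL/200 12000 CONNECT rj2bocejarqnpuhm.tor2web.org:443 - HIER_DIRECT/203.0.113.9 -
1395964803.001    300 10.0.0.15 TCP_MISS/200 640 POST http://www.markizasamvel.com/ - HIER_DIRECT/198.51.100.8 text/html
"""

if __name__ == "__main__":
    for client, method, host in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{client} {method} {host}")
```

The CONNECT case matters in practice: a tor2web visit from the dropped shortcut is HTTPS, so it shows up in proxy logs as a tunnel with `host:port` rather than a full URL, and a naive URL parser would miss it.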

Last update 28 March 2014
