
Trojan.Cryptolocker.X


First posted on 15 August 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Cryptolocker.X.

Explanation:

When the Trojan is executed, it creates the following file: [PATH TO TROJAN]\winconfo.exe
After this file is created, it displays a pop-up window with the following message: "ERROR 7x000000 There was an error opening this document. The file is damaged and could not be repaired"
The Trojan then executes this file and deletes it.

Next, the Trojan creates the following mutex to ensure that only one copy of the threat is running: 888roddddsjk_Alreee3ady_888nt
The Trojan then searches for and encrypts files with the following extensions: .3ds .3fr .3pr .7z .ab4 .accdb .accde .accdr .accdt .adb .ai .ait .al .apj .asp .awg .backup .backupdb .bak .bdb .bgt .bik .bkp .blend .bpw .cdf .cdr .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .cdx .ce1 .ce2 .cer .cfp .cgm .cib .cls .cmt .cpi .crt .csh .css .csv .dac .db .db3 .dbf .db-journal .dc2 .dcr .dcs .ddd .ddoc .ddrw .der .design .dgc .djvu .dng .doc .docm .docx .dot .dotm .dotx .drf .drw .dwg .dxb .erbsql .erf .exf .fdb .ffd .fff .fh .fhd .fpx .fxg .gray .grey .gry .hbk .hpp .ibank .ibz .idb .idx .iiq .incpas .jpeg .JPEG .jpg .JPG .js .kc2 .kdbx .kdc .kpdx .lua .mdb .mdc .mef .mfw .mmw .moneywell .mos .mp3 .mpg .mrw .myd .ndd .nef .nop .nrw .ns2 .ns3 .ns4 .nsd .nsf .nsg .nsh .nx1 .nx2 .nyf .odb .odf .odg .odm .odp .ods .odt .orf .otg .oth .otp .ots .ott .p12 .p7b .p7c .pat .pcd .pdf .pef .pem .pfx .php .pl .pot .potm .potx .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .ps .psafe3 .psd .ptx .ra2 .raf .rar .raw .rdb .rtf .rw2 .rwl .rwz .s3db .sas7bdat .sav .sda .sdf .sdo .sldm .sldx .sqlite .sqlite3 .sqlitedb .sr2 .srf .srw .st4 .st5 .st6 .st7 .st8 .stc .std .sti .stw .stx .sxc .sxd .sxg .sxi .sxm .sxw .txt .wb2 .x3f .xla .xlam .xll .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .ycbcra .zip
The Trojan then creates the following files:
[PATH TO TROJAN]\[TROJAN FILE NAME].safefiles32@mail.ru
[PATH TO TROJAN]\[TROJAN FILE NAME].filesdecrypt@india.com
[PATH TO ENCRYPTED FILES]\pronk.txt
[PATH TO ENCRYPTED FILES]\help-file-decrypt.enc
[PATH TO ENCRYPTED FILES]\pronk.txt contains a message telling the user that their files have been encrypted. It asks the user to contact the attacker through a particular email address for more information.
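The artifacts above (the two ransom notes and the attacker e-mail suffixes appended to the dropped copies of the Trojan file) are enough to sweep a file share for signs of this threat. The following is an added example for responders, not code from Symantec or malwarePDF; it assumes a small subset of the extension list and builds its own constructed sample folder.

```python
"""Added example: sweep a directory tree for the Trojan.Cryptolocker.X artifacts above."""
import os
import tempfile
from pathlib import Path

# Indicator names taken from the write-up above.
RANSOM_NOTES = {"pronk.txt", "help-file-decrypt.enc"}
DROPPED_SUFFIXES = (".safefiles32@mail.ru", ".filesdecrypt@india.com")
# Assumption: only a subset of the targeted extensions; extend with the full list.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
                     ".jpeg", ".sqlite", ".kdbx", ".pem", ".pfx", ".zip"}


def sweep(root: str) -> dict:
    """Walk root and report ransom notes, dropped files, and a count of at-risk files."""
    hits = {"ransom_notes": [], "dropped_files": [], "at_risk_count": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()          # list mixes .jpg/.JPG, so compare case-insensitively
            if lower in RANSOM_NOTES:
                hits["ransom_notes"].append(full)
            elif lower.endswith(DROPPED_SUFFIXES):
                hits["dropped_files"].append(full)
            elif Path(lower).suffix in TARGET_EXTENSIONS:
                hits["at_risk_count"] += 1
    return hits


def build_sample_tree(root: str) -> None:
    """Constructed sample: a user folder as it might look after the Trojan has run."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    for name in ("report.docx", "keys.kdbx", "notes.TXT", "pronk.txt", "help-file-decrypt.enc"):
        (docs / name).write_text("sample")
    (Path(root) / "invoice.exe.safefiles32@mail.ru").write_text("sample")


def demo() -> dict:
    """Run the sweep over the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    print(demo())
```

Presence of either ransom note or a file ending in one of the e-mail suffixes is the strong signal; the at-risk count only sizes what the Trojan would target on that host.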

Last update 15 August 2015
