
Trojan.Cryptolocker.E


First posted on 08 May 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Cryptolocker.E.

Explanation :

When the Trojan is executed, it creates the following files:
%Temp%\wnsrvupd.exe
%Temp%\ks9a96HHD9g72Zm.exe
%Temp%\Email.pdf
Next, the Trojan creates the following registry entries:
HKEY_CLASSES_ROOT\EJPQODXVJMFBZJI\"(Default)" = "CRYPTOLOCKER"
HKEY_CLASSES_ROOT\EJPQODXVJMFBZJI\DefaultIcon\"(Default)" = "%Temp%\ks9a96HHD9g72Zm.exe,0"
HKEY_CLASSES_ROOT\EJPQODXVJMFBZJI\shell\open\command\"(Default)" = "%Temp%\ks9a96HHD9g72Zm.exe"
The Trojan then uses wnsrvupd.exe to create the following .txt file in every directory on the computer. This .txt file contains instructions on how to unlock the encrypted files:
CRYPTOLOCKER.txt

Next, the Trojan encrypts files with the following file extensions: htm, html, txt, zip, jpg, bmp, png, gif, iso, wav, doc, pdf, mp3, ppt, xls
When the user tries to open the encrypted files, the Trojan displays a warning. This warning tells the user to purchase the private key needed to decrypt these files.


If the user inputs their payment details, the Trojan will display a message that claims that the details have been received. This confirmation popup will appear even if the user submits their information while their computer is disconnected from the Internet.
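
The file indicators listed above can be checked during triage with the following Python code, which is an added example and not part of the Symantec write-up. The function names are assumptions made here, as is counting files with targeted extensions beside each ransom note; the write-up does not say whether encrypted files keep their names, so the count only marks what to compare against backups.

```python
import os

# Indicators taken from the write-up above (compared case-insensitively).
# Email.pdf is a common name, so treat it as a hit only alongside the others.
TEMP_ARTIFACTS = {"wnsrvupd.exe", "ks9a96hhd9g72zm.exe", "email.pdf"}
RANSOM_NOTE = "cryptolocker.txt"
TARGET_EXTS = {".htm", ".html", ".txt", ".zip", ".jpg", ".bmp", ".png", ".gif",
               ".iso", ".wav", ".doc", ".pdf", ".mp3", ".ppt", ".xls"}


def scan_temp(temp_dir):
    """Return the dropped-file names from the write-up found in temp_dir."""
    found = []
    for entry in os.scandir(temp_dir):
        if entry.is_file() and entry.name.lower() in TEMP_ARTIFACTS:
            found.append(entry.name)
    return sorted(found)


def scan_tree(root):
    """Map each directory that holds the ransom note to the number of files
    in it whose extension is on the targeted list (assumption: these are the
    files to review against backups)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        lowered = [name.lower() for name in files]
        if RANSOM_NOTE not in lowered:
            continue
        hits[dirpath] = sum(
            1 for name in lowered
            if name != RANSOM_NOTE
            and os.path.splitext(name)[1] in TARGET_EXTS
        )
    return hits


if __name__ == "__main__":
    import sys
    import tempfile

    # Hypothetical usage: python triage.py <root-to-scan>
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    print("Temp artifacts:", scan_temp(tempfile.gettempdir()))
    for directory, count in sorted(scan_tree(root).items()):
        print(f"{directory}: ransom note present, "
              f"{count} file(s) with targeted extensions")
```

The registry entries under HKEY_CLASSES_ROOT\EJPQODXVJMFBZJI are not covered by this example and need a separate check on the affected host.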

Last update 08 May 2014

 
