
Trojan.Cryptodefense.B


First posted on 14 November 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Cryptodefense.B.

Explanation:

When the Trojan is executed, it attempts to connect to one of the following locations:
The Trojan captures a screenshot of the desktop and sends it to the remote location.

The Trojan may encrypt and alter the file name and extensions of files with the following extensions:
.DTD, .LOG, .PAS, .RAW, .STC, .STD, .ai, .asp, .ass, .ava, .avi, .bak, .bay, .bmp, .c, .cer, .cpp, .crt, .cs, .dat, .db, .der, .doc, .eps, .gif, .h, .hbk, .hpp, .jpg, .js, .key, .lua, .m, .mp3, .mpg, .mpp, .msg, .obj, .odt, .pdb, .pdf, .pem, .pf, .pl, .png, .ppt, .ps, .py, .rm, .rtf, .sql, .sqlite, .swf, .tex, .txt, .wb2, .wpd, .xls
The Trojan opens the following files:
%UserProfile%\Cookies\HELP_YOUR_FILES.HTML
%UserProfile%\Cookies\HELP_YOUR_FILES.TXT
HELP_YOUR_FILES.PNG
Note: HELP_YOUR_FILES.PNG is saved in all folders containing files that were encrypted.
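As an added defender-side triage example (not part of the Symantec writeup), the Python script below walks a directory tree, reports every folder holding a HELP_YOUR_FILES.* ransom note, and lists the files there whose extensions match the targeted list above; the tree it scans is a constructed sample built inside the script. Because the Trojan may also rename encrypted files, the dropped note rather than the extension is the dependable indicator of an affected folder.

```python
import os
import tempfile
from pathlib import Path

# Ransom-note file names taken from the writeup (compared case-insensitively).
RANSOM_NOTES = {"HELP_YOUR_FILES.HTML", "HELP_YOUR_FILES.TXT", "HELP_YOUR_FILES.PNG"}

# Extensions the writeup lists as targeted, lower-cased for matching.
TARGETED_EXTENSIONS = {
    ".dtd", ".log", ".pas", ".raw", ".stc", ".std", ".ai", ".asp", ".ass", ".ava",
    ".avi", ".bak", ".bay", ".bmp", ".c", ".cer", ".cpp", ".crt", ".cs", ".dat",
    ".db", ".der", ".doc", ".eps", ".gif", ".h", ".hbk", ".hpp", ".jpg", ".js",
    ".key", ".lua", ".m", ".mp3", ".mpg", ".mpp", ".msg", ".obj", ".odt", ".pdb",
    ".pdf", ".pem", ".pf", ".pl", ".png", ".ppt", ".ps", ".py", ".rm", ".rtf",
    ".sql", ".sqlite", ".swf", ".tex", ".txt", ".wb2", ".wpd", ".xls",
}


def scan_for_ransom_notes(root):
    """Return {directory: [files with a targeted extension]} for each directory
    under `root` that contains a HELP_YOUR_FILES.* note. The note itself is
    excluded from the list even though .png is a targeted extension."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if {f.upper() for f in files} & RANSOM_NOTES:
            hits[dirpath] = sorted(
                f for f in files
                if Path(f).suffix.lower() in TARGETED_EXTENSIONS
                and f.upper() not in RANSOM_NOTES
            )
    return hits


def build_sample_tree(base):
    """Constructed sample tree (hypothetical data, not from a real infection):
    one folder with a dropped note and one clean folder."""
    docs = Path(base) / "Documents"
    docs.mkdir()
    for name in ("HELP_YOUR_FILES.PNG", "report.doc", "notes.txt",
                 "photo.jpg", "readme.md"):
        (docs / name).write_bytes(b"x")
    clean = Path(base) / "Clean"
    clean.mkdir()
    (clean / "song.mp3").write_bytes(b"x")


def demo():
    """Build the sample tree in a temp dir, scan it, return paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.relpath(d, tmp): files
                for d, files in scan_for_ransom_notes(tmp).items()}


if __name__ == "__main__":
    print(demo())
```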

The Trojan may delete shadow copies of itself.

The Trojan displays the following on the compromised computer:

Last update 14 November 2015
