Trojan.Cryptolocker.W
First posted on 30 July 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Cryptolocker.W.
Explanation:
When this Trojan is executed, it lists all drives and encrypts all files with the following extensions on each drive: .3ds, .3g2, .3gp, .abw, .accdb, .aif, .arc, .asc, .asf, .ashdisc, .asm, .asp, .aspx, .asx, .aup, .avi, .bbb, .bdb, .bibtex, .bkf, .bmp, .bpn, .btd, .bz2, .cdi, .cer, .cert, .cfm, .cgi, .cpio, .cpp, .crt, .csr, .cue, .c++, .dds, .dem, .dmg, .doc, .docm, .docx, .dsb, .dwg, .dxf, .eddx, .edoc, .eml, .emlx, .eps, .epub, .fdf, .ffu, .flv, .gam, .gcode, .gho, .gif, .gpx, .hbk, .hdd, .hds, .hpp, .h++, .ics, .idml, .iff, .img, .indd, .ipd, .iso, .isz, .iwa, .j2k, .jp2, .jpf, .jpeg, .jpg, .jpm, .jpx, .jsp, .jspa, .jspx, .jst, .key, .keynote, .kml, .kmz, .lic, .lwp, .lzma, .m3u, .m4a, .m4v, .max, .mbox, .md2, .mdb, .mdbackup, .mddata, .mdf, .mdinfo, .mds, .mid, .mov, .mp3, .mp4, .mpa, .mpb, .mpeg, .mpg, .mpj, .mpp, .msg, .mso, .nba, .nbf, .nbi, .nbu, .nbz, .nco, .nes, .note, .nrg, .nri, .ods, .odt, .ogg, .ova, .ovf, .oxps, .p2i, .p65, .pages, .pct, .pdf, .pem, .phtm, .phtml, .php, .php3, .php4, .php5, .phps, .phpx, .phpxx, .plist, .pmd, .pmx, .png, .ppdf, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .psd, .pspimage, .pst, .pub, .pvm, .qcn, .qcow, .qcow2, .rar, .raw, .rtf, .sbf, .set, .skb, .slf, .sme, .smm, .spb, .sql, .srt, .ssc, .ssi, .stg, .stl, .svg, .swf, .sxw, .syncdb, .tar, .tex, .tga, .thm, .tif, .tiff, .toast, .torrent, .tpl, .txt, .vbk, .vcard, .vcd, .vcf, .vdi, .vfs4, .vhd, .vhdx, .vmdk, .vob, .wbverify, .wav, .webm, .wmb, .wpb, .wps, .xdw, .xlr, .xls, .xlsx, .yuv, .zip, .zipx
The Trojan then drops the following file in each folder: [PATH TO ENCRYPTED FILES]\encryptor_raas_readme_liesmich.txt
The file is a text file containing a ransom message.
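The dropped ransom note and the target-extension list above give an incident responder two concrete triage indicators. The following script is an added example, not Symantec's tooling or code from the Trojan: it walks a directory tree, flags every folder that contains encryptor_raas_readme_liesmich.txt, and counts the files in those folders whose extensions appear on the advisory's list, so the scope of a suspected infection can be estimated quickly. The extension list is copied from the advisory; the sample directory layout built by build_sample_tree is constructed test data, and the function names are assumptions of this example.

```python
"""Triage helper for Trojan.Cryptolocker.W (added example, not vendor code).

Finds folders holding the ransom note named in the advisory and counts the
files there whose extensions are on the advisory's target list.
"""
import os
import tempfile
from collections import Counter

# Ransom note file name taken from the advisory.
RANSOM_NOTE = "encryptor_raas_readme_liesmich.txt"

# Target extensions copied from the advisory (space separated here).
_EXT_LIST = """
3ds 3g2 3gp abw accdb aif arc asc asf ashdisc asm asp aspx asx aup avi bbb bdb
bibtex bkf bmp bpn btd bz2 cdi cer cert cfm cgi cpio cpp crt csr cue c++ dds dem
dmg doc docm docx dsb dwg dxf eddx edoc eml emlx eps epub fdf ffu flv gam gcode
gho gif gpx hbk hdd hds hpp h++ ics idml iff img indd ipd iso isz iwa j2k jp2 jpf
jpeg jpg jpm jpx jsp jspa jspx jst key keynote kml kmz lic lwp lzma m3u m4a m4v
max mbox md2 mdb mdbackup mddata mdf mdinfo mds mid mov mp3 mp4 mpa mpb mpeg mpg
mpj mpp msg mso nba nbf nbi nbu nbz nco nes note nrg nri ods odt ogg ova ovf oxps
p2i p65 pages pct pdf pem phtm phtml php php3 php4 php5 phps phpx phpxx plist pmd
pmx png ppdf pps ppsm ppsx ppt pptm pptx psd pspimage pst pub pvm qcn qcow qcow2
rar raw rtf sbf set skb slf sme smm spb sql srt ssc ssi stg stl svg swf sxw
syncdb tar tex tga thm tif tiff toast torrent tpl txt vbk vcard vcd vcf vdi vfs4
vhd vhdx vmdk vob wbverify wav webm wmb wpb wps xdw xlr xls xlsx yuv zip zipx
"""
TARGET_EXTENSIONS = frozenset("." + e for e in _EXT_LIST.split())


def scan_tree(root):
    """Return {folder_path: Counter(extension -> count)} for every folder under
    root that contains the ransom note. Only files with a target extension are
    counted, and the note itself (a .txt file) is excluded from the tally."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if RANSOM_NOTE not in filenames:
            continue
        counts = Counter()
        for name in filenames:
            if name == RANSOM_NOTE:
                continue
            ext = os.path.splitext(name)[1].lower()  # case-insensitive match
            if ext in TARGET_EXTENSIONS:
                counts[ext] += 1
        hits[dirpath] = counts
    return hits


def summarize(hits):
    """Collapse scan_tree output into two headline numbers for a report."""
    total = sum(sum(c.values()) for c in hits.values())
    return {"note_folders": len(hits), "target_files": total}


def build_sample_tree(base):
    """Create a constructed sample layout: two folders with the note, one clean."""
    layout = {
        "Documents": [RANSOM_NOTE, "budget.xlsx", "thesis.docx", "notes.txt", "app.exe"],
        "Pictures": [RANSOM_NOTE, "cat.jpg", "dog.PNG"],
        "Clean": ["readme.md", "photo.jpg"],
    }
    for folder, files in layout.items():
        folder_path = os.path.join(base, folder)
        os.makedirs(folder_path)
        for name in files:
            open(os.path.join(folder_path, name), "w").close()  # empty placeholder
    return base


def demo():
    """Run the scan over the constructed tree; return per-folder counts
    (keyed by folder name) and the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_tree(tmp)
        per_folder = {os.path.basename(path): dict(c) for path, c in hits.items()}
        return per_folder, summarize(hits)


if __name__ == "__main__":
    folders, summary = demo()
    for folder, counts in folders.items():
        print(folder, counts)
    print(summary)
```

Run against a mounted image or a live share root instead of the temporary tree to get a per-folder impact estimate; folders without the note are skipped, so the output lists only locations where the Trojan has already dropped its message.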
Next, the Trojan opens the default browser to load the following URL: [https://]decryptoraveidf7.onion.to/vi[REMOVED]
NOTE: "[MACHINE GUID]" is a string taken from the following Windows registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MachineGuid
This URL is displayed once the ransom is paid. The page displays "PAYED" and links to the decryptor.
Last update 30 July 2015