Trojan.Ransomcrypt.K
First posted on 27 June 2014.
Source: Symantec
Aliases:
There are no other names known for Trojan.Ransomcrypt.K.
Explanation:
The Trojan arrives through Russian language emails containing the following link:
[https://]www.dropbox.com/s/u2bsyxs0wbsyx6r/temp[REMOVED]
Once the user clicks on the link, they are prompted to download the Trojan.
Once executed, the Trojan copies itself to the following location:
%ProgramFiles%\Startup\[THREAT FILE NAME].exe
It also drops the following file:
%UserProfile%\Application Data\pic.bmp
Next, the Trojan creates the following registry subkeys:
HKEY_CURRENT_USER\Software\Licenses\CLSID
HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks\Armadillo\CLSID
It then executes a new copy of itself and searches the compromised computer for files with the following extensions:
.1cd, .7z, .accdb, .arj, .cer, .csv, .db3, .dbf, .doc, .docx, .dt, .dwg, .gsf, .jpeg, .jpg, .key, .kwm, .mdb, .mov, .mpeg, .odt, .pdf, .ppsx, .ppt, .pptx, .psd, .rar, .rtf, .xls, .xlsm, .xlsx, .zip
The files are then encrypted and the following string is appended to the extension of each file:
.Support@casinomtgox.com
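The appended marker and the target extension list above make encrypted files easy to spot in a file listing during triage. The following script is an added example, not part of the Symantec writeup: it finds files carrying the marker, recovers the original extension, and flags any encrypted file whose original extension is not in the published target list (a hint of a variant or a different family). The sample listing is constructed.

```python
import os
from collections import Counter

# Marker appended by Trojan.Ransomcrypt.K to every file it encrypts (from the writeup)
RANSOM_SUFFIX = ".Support@casinomtgox.com"

# File extensions the Trojan searches for (from the writeup)
TARGETED_EXTENSIONS = {
    ".1cd", ".7z", ".accdb", ".arj", ".cer", ".csv", ".db3", ".dbf", ".doc",
    ".docx", ".dt", ".dwg", ".gsf", ".jpeg", ".jpg", ".key", ".kwm", ".mdb",
    ".mov", ".mpeg", ".odt", ".pdf", ".ppsx", ".ppt", ".pptx", ".psd", ".rar",
    ".rtf", ".xls", ".xlsm", ".xlsx", ".zip",
}


def split_encrypted_name(path):
    """Return (original_path, original_extension) if `path` carries the ransom
    suffix, else None. Matching is case-insensitive, as Windows paths are."""
    if not path.lower().endswith(RANSOM_SUFFIX.lower()):
        return None
    original = path[:-len(RANSOM_SUFFIX)]
    ext = os.path.splitext(original)[1].lower()
    return original, ext


def triage_listing(paths):
    """Classify a file listing: encrypted files (original names), a count per
    original extension, and encrypted files whose original extension is NOT in
    the published target list (worth a closer look)."""
    encrypted, unexpected = [], []
    ext_counts = Counter()
    for p in paths:
        hit = split_encrypted_name(p)
        if hit is None:
            continue
        original, ext = hit
        encrypted.append(original)
        ext_counts[ext] += 1
        if ext not in TARGETED_EXTENSIONS:
            unexpected.append(original)
    return {"encrypted": encrypted, "by_extension": dict(ext_counts), "unexpected": unexpected}


# Constructed sample listing (not taken from a real infection)
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.Support@casinomtgox.com",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\holiday.JPG.Support@casinomtgox.com",
    r"C:\Users\alice\Desktop\contract.pdf.Support@casinomtgox.com",
    r"C:\Users\alice\Desktop\readme.html.Support@casinomtgox.com",
]

if __name__ == "__main__":
    report = triage_listing(SAMPLE_LISTING)
    print(len(report["encrypted"]), "encrypted files:", report["by_extension"])
    print("not in published target list:", report["unexpected"])
```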
The Trojan then replaces the desktop wallpaper with a ransom message.
Last update 27 June 2014