
Trojan.Cryptolocker.P


First posted on 08 April 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Cryptolocker.P.

Explanation :

The Trojan may arrive through emails with malicious links to Dropbox folders. If the user clicks on any of these links, then the Trojan will execute.

When the Trojan is executed, it creates the following files:
- %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\delta.exe
- %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\pacman.exe

Next, the Trojan creates the following registry entry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Security" = "%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\delta.exe"
The Trojan then connects to the following remote location: [http://]myplacehome.comuv.com
The Trojan may then prevent the following programs from being executed in order to make itself more difficult to detect and remove:
- Task Manager
- Command shell
- RegEdit
- System Configuration Utility
- Windows Backup
- System Restore Application
- PowerShell

The Trojan may then perform the following actions:
- Encrypt files and add the file extension ".ENCRYPTED"
- Display a ransom notice, asking for bitcoins in exchange for the decryption key
- Log keystrokes
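
The file, registry and file-extension indicators listed above can be matched against endpoint telemetry; the following is an added example, not Symantec's code, that does so over a list of event records. The event field names (`type`, `target`, `details`, `pid`), the rename threshold and the sample events are assumptions constructed for illustration, and the path normalisation relies on the fact that on Windows Vista and later the "All Users\Application Data" path resolves to C:\ProgramData.

```python
import re
from collections import Counter
# Indicators from the write-up above, lower-cased for matching.
DROP_DIR = r"\documents and settings\all users\application data\microsoft"
DROPPED = {"delta.exe", "pacman.exe"}
RUN_KEY = r"\software\microsoft\windows\currentversion\run\windows security"
ENC_EXT = ".encrypted"
ENC_THRESHOLD = 3  # assumption: renames by one process before alerting

def norm_path(p):
    """Lower-case, drop the drive, map Vista+ ProgramData onto the XP-era path."""
    p = p.strip().strip('"').lower().replace("/", "\\")
    p = re.sub(r"^(%systemdrive%|[a-z]:)", "", p)
    if p.startswith("\\programdata\\"):
        p = "\\documents and settings\\all users\\application data" + p[len("\\programdata"):]
    return p

def is_dropped(path):
    d, _, name = norm_path(path).rpartition("\\")
    return d == DROP_DIR and name in DROPPED  # file name alone is not enough

def detect(events):
    findings, renames = [], Counter()
    for i, ev in enumerate(events):
        kind, target = ev["type"], ev["target"]
        if kind == "file_create" and is_dropped(target):
            findings.append((i, "dropped-file"))
        elif kind == "reg_set" and target.lower().endswith(RUN_KEY):
            # Hive prefix varies (HKCU, HKU\<SID>), so only the key suffix is matched.
            hit = is_dropped(ev.get("details", ""))
            findings.append((i, "run-key-to-dropped-file" if hit else "run-key-name"))
        elif kind == "file_rename" and target.lower().endswith(ENC_EXT):
            renames[ev["pid"]] += 1
            if renames[ev["pid"]] == ENC_THRESHOLD:  # alert once per process
                findings.append((i, "mass-encrypted-rename"))
    return findings

SAMPLE_EVENTS = [  # constructed events; field names are hypothetical
    {"type": "file_create", "pid": 4012, "target": r"C:\ProgramData\Microsoft\delta.exe"},
    {"type": "file_create", "pid": 4012, "target": r"C:\Users\alice\Downloads\pacman.exe"},
    {"type": "reg_set", "pid": 4012,
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security",
     "details": r'"C:\Documents and Settings\All Users\Application Data\Microsoft\delta.exe"'},
    {"type": "file_rename", "pid": 4012, "target": r"C:\Users\alice\Documents\a.docx.ENCRYPTED"},
    {"type": "file_rename", "pid": 4012, "target": r"C:\Users\alice\Documents\b.xlsx.ENCRYPTED"},
    {"type": "file_rename", "pid": 4012, "target": r"C:\Users\alice\Documents\c.pdf.ENCRYPTED"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

The "run-key-name" result marks a Run value named "Windows Security" that points somewhere other than the dropped files, so it should be treated as lower confidence than "run-key-to-dropped-file".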

Last update 08 April 2015

 
