TROJ_CRILOCK.YMS

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

• %AppDataLocal%\{random filename}.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.)

It drops the following files:

• %Desktop%\{random filename}.bmp

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\Desktop on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{random characters}
• Local\{random characters}

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
CryptoLocker = "%AppDataLocal%\{random filename}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
*CryptoLocker = "%AppDataLocal%\{random filename}.exe"

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\CryptoLocker_{random 4 characters}

HKEY_CURRENT_USER\Software\CryptoLocker_{random 4 characters}\
Files

It adds the following registry entries:

HKEY_CURRENT_USER\Software\CryptoLocker_{random 4 characters}
Wallpaper = "{hex values}"

HKEY_CURRENT_USER\Software\CryptoLocker_{random 4 characters}
PublicKey = “{hex values}"

HKEY_CURRENT_USER\Software\CryptoLocker_{random 4 characters}\
Files
{path and file name of encrypted file} = “{hex value}”

HKEY_CURRENT_USER\Software\CryptoLocker_{random 4 characters}
VersionInfo = "{hex values}"

NOTES:

This Trojan attempts to download the key to be used in encrypting files by connecting to randomly generated domains:

• http://{random characters}/biz/home
• http://{random characters}/ru/home
• http://{random characters}/org/home
• http://{random characters}/co.uk/home
• http://{random characters}/info/home
• http://{random characters}/com/home
• http://{random characters}/net/home

It encrypts files with the following extensions:

• *.3fr
• *.3gp
• *.accdb
• *.ai
• *.arw
• *.bay
• *.cdr
• *.cer
• *.cr2
• *.crt
• *.crw
• *.dbf
• *.dcr
• *.der
• *.dng
• *.doc
• *.docm
• *.docx
• *.dwg
• *.dxf
• *.dxg
• *.eps
• *.erf
• *.img
• *.jpg
• *.indd
• *.jpe
• *.jpg
• *.kdc
• *.m4v
• *.mdb
• *.mdf
• *.mef
• *.mov
• *.mp4
• *.mrw
• *.nef
• *.nrw
• *.odb
• *.odc
• *.odm
• *.odp
• *.ods
• *.odt
• *.orf
• *.p12
• *.p7b
• *.p7c
• *.pdd
• *.pdf
• *.pef
• *.pem
• *.pfx
• *.ppt
• *.pptm
• *.pptx
• *.psd
• *.pst
• *.ptx
• *.r3d
• *.raf
• *.raw
• *.rtf
• *.rw2
• *.rwl
• *.sr2
• *.srf
• *.srw
• *.wb2
• *.wpd
• *.wps
• *.x3f
• *.xlk
• *.xls
• *.xlsb
• *.xlsm
• *.xlsx

After successfully encrypting files on the targeted system, it replaces the wallpaper with another image:

It demands users to pay a fine in to restore affected files:

Users are encouraged to pay via any of the following payment methods:

• Bitcoin
  
• MoneyPak
  

Note that once the files are encrypted, the files can no longer be restored. Payment does not always guarantee file restoration.