Win32/Filecoder.CTBLocker [Threat Name] go to Threat

Win32/Filecoder.CTBLocker.A [Threat Variant Name]

Category trojan
Size 679424 B
Detection created Jul 16, 2014
Detection database version 10104
Aliases Trojan-Ransom.Win32.Onion.h (Kaspersky)
  Ransom:Win32/Critroni.A (Microsoft)
  Trojan.Cryptolocker.G (Symantec)
Short description

Win32/Filecoder.CTBLocker.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service.

Installation

When executed, the trojan copies itself into the following location:

  • %temp%\­glaxfkb.exe

The trojan schedules a task that causes the following file to be executed repeatedly:

  • %temp%\­glaxfkb.exe

The following files are dropped:

  • %mydocuments%\­DecryptAllFiles     %variable%.txt (1156 B)
  • %mydocuments%\­AllFilesAreLocked     %variable%.bmp (6750 KB)
  • %mydocuments%\­%variable%.html (184278 B)
  • %commonappdata%\­%existingfoldername%\­%variable% (654 B)
  • %windir%\­Tasks\­%variable%.job (264 B)

A string with variable content is used instead of %variable% .

Information stealing

The trojan collects various sensitive information.


The trojan collects the following information:

  • operating system version
  • computer IP address

The trojan attempts to send gathered information to a remote machine.


The trojan contains a URL address. The TOR protocol is used.

Other information

Win32/Filecoder.CTBLocker.A is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • .pwm
  • .kwm
  • .safe
  • .groups
  • .txt
  • .cer
  • .crt
  • .der
  • .pem
  • .doc
  • .docm
  • .docx
  • .rtf
  • .xlk
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .mdb
  • .mdf
  • .dbf
  • .db
  • .sql
  • .md
  • .dd
  • .dds
  • .jpe
  • .jpg
  • .jpeg
  • .cr2
  • .raw
  • .rw2
  • .rw1
  • .dwg
  • .dxf
  • .dxg
  • .psd
  • .3fr
  • .accdb
  • .ai
  • .arw
  • .bay
  • .blend
  • .cdr
  • .crw
  • .dcr
  • .dng
  • .eps
  • .erf
  • .indd
  • .kdc
  • .mef
  • .mrw
  • .nef
  • .nrw
  • .odb
  • .odm
  • .odp
  • .ods
  • .odt
  • .orf
  • .p12
  • .p7b
  • .p7c
  • .pdd
  • .pdf
  • .pef
  • .pfx
  • .ppt
  • .pptm
  • .pptx
  • .pst
  • .ptx
  • .r3d
  • .raf
  • .srf
  • .srw
  • .wb2
  • .vsd
  • .wpd
  • .wps
  • .7z
  • .zip
  • .rar

It avoids files which contain any of the following strings in their path:

  • Temporary Internet Files
  • Comodo Downloader
  • C:\­Windows\­

It avoids those with any of the following strings in their names:

  • DecryptAllFiles
  • AllFilesAreLocked

It avoids files with the following extensions:

  • .ctbl

The trojan encrypts the file content.


The trojan changes the file extension to the following:

  • .ctbl

The AES encryption algorithm is used.


To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service.

Please enable Javascript to ensure correct displaying of this content and refresh this page.