Win32/Filecoder.CTBLocker [Threat Name] go to Threat

Win32/Filecoder.CTBLocker.B [Threat Variant Name]

Category trojan
Size 952832 B
Detection created Dec 27, 2014
Detection database version 10932
Aliases Win32/Filecoder.CTBLocker.A (Eset)
  Trojan-Ransom.Win32.Foreign.lixr (Kaspersky)
  Backdoor.Trojan (Symantec)
  Ransom:Win32/Critroni.A (Microsoft)
Short description

Win32/Filecoder.CTBLocker.B is a trojan that encrypts files on fixed, removable and network drives. To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service.

Installation

When executed, the trojan copies itself into the following location:

  • %temp%\­%variable1%.exe

The file is then executed.


The trojan schedules a task that causes the following file to be executed repeatedly:

  • %temp%\­%variable1%.exe

The following file is dropped:

  • %windir%\­Tasks\­%variable2%.job

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable2%" = "%temp%\­%variable1%.exe"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable2%" = "%temp%\­%variable1%.exe"

This causes the trojan to be executed on every system start.


The trojan keeps various information in the following files:

  • %commonappdata%\­%existingfoldername%\­%variable3%

A string with variable content is used instead of %variable1-3% .

Payload information

Win32/Filecoder.CTBLocker.B is a trojan that encrypts files on fixed, removable and network drives.


The trojan creates and runs a new thread with its own program code within the following processes:

  • svchost.exe
  • explorer.exe

The trojan searches for files with the following file extensions:

  • .3fr
  • .7z
  • .abu
  • .accdb
  • .ai
  • .arp
  • .arw
  • .bas
  • .bay
  • .bdcr
  • .bdcu
  • .bdd
  • .bdp
  • .bds
  • .blend
  • .bpdr
  • .bpdu
  • .bsdr
  • .bsdu
  • .c
  • .cdr
  • .cer
  • .config
  • .cpp
  • .cr2
  • .crt
  • .crw
  • .cs
  • .dbf
  • .dbx
  • .dcr
  • .dd
  • .dds
  • .der
  • .dng
  • .doc
  • .docm
  • .docx
  • .dwg
  • .dxf
  • .dxg
  • .eps
  • .erf
  • .fdb
  • .gdb
  • .gdb
  • .groups
  • .gsd
  • .gsf
  • .ims
  • .indd
  • .iss
  • .jpe
  • .jpeg
  • .jpg
  • .js
  • .kdc
  • .kwm
  • .md
  • .mdb
  • .mdf
  • .mef
  • .mrw
  • .nef
  • .nrw
  • .odb
  • .odm
  • .odp
  • .ods
  • .odt
  • .orf
  • .p12
  • .p7b
  • .p7c
  • .pas
  • .pdd
  • .pdf
  • .pef
  • .pem
  • .pfx
  • .php
  • .pl
  • .ppt
  • .pptm
  • .pptx
  • .psd
  • .pst
  • .ptx
  • .pwm
  • .py
  • .r3d
  • .raf
  • .rar
  • .raw
  • .rgx
  • .rik
  • .rtf
  • .rw2
  • .rwl
  • .safe
  • .sql
  • .srf
  • .srw
  • .txt
  • .vsd
  • .wb2
  • .wpd
  • .wps
  • .xlk
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .zip

It avoids files which contain any of the following strings in their path:

  • C:\­Windows\­
  • temp
  • Comodo Downloader
  • Temporary Internet Files

It avoids those with any of the following strings in their names:

  • thumbcache
  • AllFilesAreLocked
  • DecryptAllFiles

The trojan encrypts the file content.


The extension of the encrypted files is changed to:

  • %variable4%

The AES-256 encryption algorithm is used.


To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service.


The following files are dropped:

  • %commonappdata%\­%variable5%.html
  • %mydocuments%\­Decrypt All Files %variable6%.bmp
  • %mydocuments%\­Decrypt All Files %variable6%.txt

A string with variable content is used instead of %variable4-6% .


The trojan displays the following dialog box:

Information stealing

The trojan collects the following information:

  • external IP address of the network device
  • cryptographic keys

The trojan contains a list of (2) URLs. The HTTP, TOR protocol is used in the communication.


The trojan attempts to send gathered information to a remote machine.

Other information

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Control Panel\­Desktop]
    • "Wallpaper" = "%mydocuments%\­Decrypt All Files %variable6%.bmp"
    • "TileWallpaper" = 0
    • "WallpaperStyle" = 0

Please enable Javascript to ensure correct displaying of this content and refresh this page.