Malicious Software - CryptoLocker
DESCRIPTION
Once the software has compromised a computer, it compiles a list of all files with the following file extensions:
- 3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx.
Each of these files is then encrypted, and a record of this action is logged at the following registry location: HKCU\Software\CryptoLocker\Files.
It is at this point that many users begin to receive a pop-up window explaining that files on the computer have been encrypted and are being held for a ransom of $100/$300. The window is displayed when the computer is first booted and periodically during normal use.
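For incident scoping, the registry record described above can be read to inventory which files were encrypted and therefore need to be restored from backup. The PowerShell script below is an added example, not part of the original article; it assumes that each value name under HKCU\Software\CryptoLocker\Files holds the path of one encrypted file, which should be verified against the key on the affected machine before relying on the output.

```powershell
# Added example (not from the original article): inventory the files that
# CryptoLocker recorded under HKCU\Software\CryptoLocker\Files so they can be
# matched against backups. Run as the affected user (e.g. in Safe Mode).
# Assumption: each value name under the key is the path of one encrypted file.
$KeyPath = 'HKCU:\Software\CryptoLocker\Files'
$OutFile = Join-Path $env:USERPROFILE 'Desktop\cryptolocker-encrypted-files.txt'

if (-not (Test-Path -Path $KeyPath)) {
    Write-Warning "Key $KeyPath not found; this user profile may not have been affected."
    return
}

# Get-Item on an HKCU: path returns a Microsoft.Win32.RegistryKey object.
$Key = Get-Item -Path $KeyPath
$Entries = foreach ($Name in $Key.GetValueNames()) {
    [pscustomobject]@{
        RecordedPath = $Name
        Data         = $Key.GetValue($Name)
    }
}

# Preserve a plain-text inventory before any cleanup tool touches the registry.
$Entries | Select-Object -ExpandProperty RecordedPath |
    Set-Content -Path $OutFile -Encoding UTF8

# Summarise the affected files by extension, to compare with the list in DESCRIPTION.
$Entries |
    Group-Object { [System.IO.Path]::GetExtension($_.RecordedPath).TrimStart('.').ToLower() } |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize

Write-Output "Recorded $($Entries.Count) entries; inventory written to $OutFile"
```

Export the inventory to removable media before the machine is cleaned, since the key may be removed along with the malware.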
DISCLAIMER REGARDING ENCRYPTED FILES
Once CryptoLocker has encrypted a file on an infected computer, that file becomes unusable. There are currently no methods available that allow the encryption process to be reversed. Paying the ransom demanded by the publishers of this malicious software does not guarantee the safe recovery of encrypted files.
REMOVING THE MALWARE
- Shut down the infected computer immediately.
- On another computer, perform the following steps:
  - Download SafeMSI from: http://download.cnet.com/SafeMSI-exe/3000-2094_4-75724774.html
  - Copy the SafeMSI file to a flash drive.
- Boot the infected computer into Safe Mode using the instructions at: https://kb.wisc.edu/page.php?id=1565
- Run SafeMSI by double-clicking its icon.
REFERENCES
(Sophos) http://go.wisc.edu/6wzx5h
(Bleeping Computer) http://go.wisc.edu/748o3s