Over the last few days the DoIT Help Desk has received numerous reports of a particularly malicious piece of software named CryptoLocker. This infection is commonly contracted by visiting a website that has been compromised or by opening a malicious email attachment.
Once the software has compromised a computer it compiles a list of all files with the following file-extensions:
- 3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx.
Each of these files is then encrypted, and a record of each encrypted file is written to the registry key HKCU\Software\CryptoLocker\Files.
It is at this point that many users begin to see a pop-up window explaining that files on the computer have been encrypted and are being held for a ransom of $100/$300. The window is displayed when the computer is first booted and periodically during normal use.
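Because the malware records every file it encrypts under the registry key named above, that record can be used to inventory what needs to be restored from backup. The script below is an added example written for this article, not a DoIT or Bleeping Computer tool; it assumes each affected file is stored as one value name under HKCU\Software\CryptoLocker\Files, and the report path is an arbitrary choice.

```powershell
# Added example: inventory the files CryptoLocker recorded under
# HKCU\Software\CryptoLocker\Files so they can be restored from backup.
# Assumption: each affected file is stored as one value name under the key.
# Run in Safe Mode as the affected user (HKCU is per-user) after the
# malware has been stopped; it only reads the registry.
$KeyPath = 'HKCU:\Software\CryptoLocker\Files'
$Report  = Join-Path $env:USERPROFILE 'Desktop\cryptolocker-affected-files.csv'

function Get-CryptoLockerRecords {
    param([string]$Path = $KeyPath)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "No CryptoLocker record found at $Path (key absent)."
        return
    }

    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        # The value name is the recorded path; the extension is derived from it
        # so the list can be grouped by file type below.
        [pscustomobject]@{
            RecordedPath = $name
            Extension    = [System.IO.Path]::GetExtension($name).TrimStart('.').ToLower()
        }
    }
}

$records = @(Get-CryptoLockerRecords)
if ($records.Count -eq 0) {
    Write-Output 'Nothing to report.'
} else {
    $records | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
    Write-Output ("{0} affected file(s) recorded; list written to {1}" -f $records.Count, $Report)
    # Per-extension counts show which document types were hit hardest, which
    # helps decide which backups to restore first.
    $records | Group-Object -Property Extension | Sort-Object -Property Count -Descending |
        Select-Object -Property Name, Count | Format-Table -AutoSize
}
```

The CSV can be handed to whoever holds the backups; it does not decrypt anything and should be produced before the malware is removed, since the removal step may delete the key along with the infection.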
DISCLAIMER REGARDING ENCRYPTED FILES
Once CryptoLocker has encrypted a file on an infected computer, that file becomes unusable. There are currently no methods available that allow the encryption to be reversed. Paying the ransom demanded by the publishers of this malicious software does not guarantee the safe recovery of encrypted files.
REMOVING THE MALWARE
Shut down the infected computer immediately.
On another computer, perform the following steps:
Download SafeMSI from: http://download.cnet.com/SafeMSI-exe/3000-2094_4-75724774.html
Copy the SafeMSI file to a flash drive.
Boot the infected computer into Safe Mode using the instructions at: https://kb.wisc.edu/page.php?id=1565
Run SafeMSI by double-clicking its icon.
(Bleeping Computer) http://go.wisc.edu/748o3s