Avira Virus Lab

TR/Crypt.EPACK.24962

  • Name
    TR/Crypt.EPACK.24962
  • Date discovered
    Feb 25, 2016
  • Type
    Malware
  • Impact
    Medium
  • Reported Infections
    Low
  • Operating System
    Windows
  • VDF version
    7.11.98.122 (2013-08-27 21:08)


The term 'TR' denotes a trojan horse that is able to spy out data, violate your privacy, or perform unwanted modifications to the system.

The file can be used by rogue users or malware to lower security settings.

Operating System: Microsoft Windows.

  • Aliases
    Avast: Win32:Malware-gen
    AVG: FileCryptor.HOO
    Dr. Web: Trojan.Encoder.3976
    Trend Micro: Ransom_LOCKY.E
    Microsoft: Ransom:Win32/Locky.A
    G Data: Trojan.GenericKD.3066022
    Kaspersky Lab: Trojan-Ransom.Win32.Locky.ba
    Bitdefender: Trojan.GenericKD.3066022
    ESET: Win32/Filecoder.Locky.A trojan
  • Files
    The following files are renamed:
    • %DISKDRIVE%\Documents and Settings\Default User\Templates\excel4.xls
    • %DISKDRIVE%\Documents and Settings\Default User\Templates\excel.xls
    • %USERPROFILE%\Templates\winword2.doc
    • %USERPROFILE%\Templates\powerpnt.ppt
    • %USERPROFILE%\Templates\excel4.xls
    • %USERPROFILE%\Templates\excel.xls
    • %USERPROFILE%\Templates\winword.doc
    • %DISKDRIVE%\Documents and Settings\Default User\Templates\winword2.doc
    • %DISKDRIVE%\Documents and Settings\Default User\Templates\winword.doc
    • %DISKDRIVE%\Documents and Settings\Default User\Templates\powerpnt.ppt
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1040.rtf
    • %DISKDRIVE%\totalcmd\REGISTER.RTF
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1028.rtf
    • %USERPROFILE%\Templates\quattro.wb2
    • %DISKDRIVE%\Documents and Settings\Default User\Templates\quattro.wb2
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1037.rtf
    • %DISKDRIVE%\AUTOEXEC.BAT
    • %temporary internet files%\Content.IE5\QH9ZEEV0\deliver[1].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\dapmsn[1].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\download[1].js
    • %temporary internet files%\Content.IE5\5KMEPSXE\Q9HNXVQDZNM[1].js
    • %temporary internet files%\Content.IE5\5KMEPSXE\select[1].js
    • %temporary internet files%\Content.IE5\5KMEPSXE\sf.dwnld[2].js
    • %temporary internet files%\Content.IE5\A9SFWXZG\3eh[2].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\script_300_250[2].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\adframe[2].js
    • %temporary internet files%\Content.IE5\5KMEPSXE\4a0253de6eac448d8f2c39c53f8926[2].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\abg[1].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\render_ads[2].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\min[2].js
    • %temporary internet files%\Content.IE5\A9SFWXZG\show_ads[2].js
    • %temporary internet files%\Content.IE5\5KMEPSXE\A524879_300_250[1].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\jquery.outerhtml[2].js
    • %temporary internet files%\Content.IE5\A9SFWXZG\modernizr.custom.90514[2].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\jquery-1.4.2.min[1].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\fZnvW9PtDSQ[2].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\dd_belatedpng[2].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\ec22e9952c2296e3b17de63cd1bea1f2[1].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\anatm[1].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\deliver[1].js
    • %temporary internet files%\Content.IE5\5KMEPSXE\ga[2].js
    • %temporary internet files%\Content.IE5\A9SFWXZG\beacon[1].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\8WhVgFJlDOQ[2].js
    • %temporary internet files%\Content.IE5\A9SFWXZG\bootstrap[2].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\script_300_250[1].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\en[1].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\jquery-1.5.1[2].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\jquery[1].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\min[2].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\show_ads_impl[2].js
    • %USERPROFILE%\Cookies\biluta@www.msn[1].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    The following files are changed:
    • %DISKDRIVE%\Documents and Settings\Default User\Templates\excel4.xls
    • %DISKDRIVE%\Documents and Settings\Default User\Templates\excel.xls
    • %USERPROFILE%\Templates\winword2.doc
    • %USERPROFILE%\Templates\powerpnt.ppt
    • %USERPROFILE%\Templates\excel4.xls
    • %USERPROFILE%\Templates\excel.xls
    • %USERPROFILE%\Templates\winword.doc
    • %DISKDRIVE%\Documents and Settings\Default User\Templates\winword2.doc
    • %DISKDRIVE%\Documents and Settings\Default User\Templates\winword.doc
    • %DISKDRIVE%\Documents and Settings\Default User\Templates\powerpnt.ppt
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1040.rtf
    • %DISKDRIVE%\totalcmd\REGISTER.RTF
    • %DISKDRIVE%\AUTOEXEC.BAT
    • %temporary internet files%\Content.IE5\QH9ZEEV0\deliver[1].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\dapmsn[1].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\download[1].js
    • %temporary internet files%\Content.IE5\5KMEPSXE\Q9HNXVQDZNM[1].js
    • %temporary internet files%\Content.IE5\5KMEPSXE\select[1].js
    • %temporary internet files%\Content.IE5\5KMEPSXE\sf.dwnld[2].js
    • %temporary internet files%\Content.IE5\A9SFWXZG\3eh[2].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\script_300_250[2].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\adframe[2].js
    • %temporary internet files%\Content.IE5\5KMEPSXE\4a0253de6eac448d8f2c39c53f8926[2].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\abg[1].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\render_ads[2].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\min[2].js
    • %temporary internet files%\Content.IE5\A9SFWXZG\show_ads[2].js
    • %temporary internet files%\Content.IE5\5KMEPSXE\A524879_300_250[1].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\jquery.outerhtml[2].js
    • %temporary internet files%\Content.IE5\A9SFWXZG\modernizr.custom.90514[2].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\jquery-1.4.2.min[1].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\fZnvW9PtDSQ[2].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\dd_belatedpng[2].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\ec22e9952c2296e3b17de63cd1bea1f2[1].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\anatm[1].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\deliver[1].js
    • %temporary internet files%\Content.IE5\5KMEPSXE\ga[2].js
    • %temporary internet files%\Content.IE5\A9SFWXZG\beacon[1].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\8WhVgFJlDOQ[2].js
    • %temporary internet files%\Content.IE5\A9SFWXZG\bootstrap[2].js
    • %temporary internet files%\Content.IE5\LV2JIAKP\script_300_250[1].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\en[1].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\jquery-1.5.1[2].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\jquery[1].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\min[2].js
    • %temporary internet files%\Content.IE5\QH9ZEEV0\show_ads_impl[2].js
    • %USERPROFILE%\Cookies\biluta@www.msn[1].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\biluta@www.bing[1].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    The following files are created:
    • %DISKDRIVE%\totalcmd\_Locky_recover_instructions.txt
    • %DISKDRIVE%\Documents and Settings\Default User\Templates\_Locky_recover_instructions.txt
    • %USERPROFILE%\Templates\_Locky_recover_instructions.txt
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\_Locky_recover_instructions.txt
    • %DISKDRIVE%\_Locky_recover_instructions.txt
    • %temporary internet files%\Content.IE5\QH9ZEEV0\_Locky_recover_instructions.txt
    • %temporary internet files%\Content.IE5\LV2JIAKP\_Locky_recover_instructions.txt
    • %temporary internet files%\Content.IE5\5KMEPSXE\_Locky_recover_instructions.txt
    • %temporary internet files%\Content.IE5\A9SFWXZG\_Locky_recover_instructions.txt
    • %USERPROFILE%\Cookies\_Locky_recover_instructions.txt
  • Registry
    The following registry entries are added:
    • [HKEY_CURRENT_USER\Software\Locky] "id" = "74203292F1D3897A" "pubkey" = %hex values% "paytext" = %hex values%
  • HTTP Requests
    • 91.*****.97.170/main.php
