Cryptovirus question

1etherer

Quick question (maybe)

Does cryptolocker store any files it needs to speak to C&C on the user profile of the victim?

So for e.g., if a user gets a cryptovirus on their PC, and you rename their profile so a new profile is created, as some of the necessary files needed for the virus to work are on the old profile, the cryptovirus won't be able to encrypt any further files as it can't phone home anymore or under the new profile?

Or do the reg keys and files hidden elsewhere on the drive enable the virus to download new files and start encrypting the new profile?
 
I don't know for sure - I suggest asking on reddit.com/r/asknetsec, this is just their cup of tea.
 

I don't have an account with them and don't really want to create one (not being rude).

Hopefully someone will know here :cool:

I know some files are stored in the user's %temp%, but wanted to know if the reg keys and files hidden elsewhere on the C: drive can download the %temp% file into a new user's profile.


We had an attack last week, and another today with 2 different users, and wanted to know.


I have just spoken to my colleague and he said it only created reg keys in the user's profile, not local machine.

So they're looking at ways of preventing this.


Cheers
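Since the thread says the keys live in the user's profile hive and the payload in %temp%, here is an added example (not from anyone in this thread) that lists a user's HKCU Run/RunOnce entries and flags any whose executable lives in a user-writable location. It assumes a Windows host with PowerShell 5+ and is run in the context of the profile being checked; the key paths are the standard ones, everything else is the example's own.

```powershell
# Added example: audit per-user autorun entries for executables launched from
# user-writable locations such as %TEMP% or %APPDATA%. Assumes Windows PowerShell 5+,
# run as the user whose profile is being inspected.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a normal user can write to; a persistence entry pointing here is worth a look.
$suspiciousRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-CommandPath {
    param([string]$Command)
    # Strip surrounding quotes and trailing arguments, returning only the executable path.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PS* metadata properties
        $exe = Get-CommandPath -Command ([string]$p.Value)
        if (-not $exe) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($exe).ToLowerInvariant()
        $inUserWritable = $suspiciousRoots | Where-Object { $exe.StartsWith($_) }
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $p.Value
            Exists     = Test-Path -LiteralPath $exe
            Suspicious = [bool]$inUserWritable
        }
    }
}

# Flagged entries first; Exists = False means the launcher points at a file already removed.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The same check against HKLM Run keys (with an elevated prompt) shows whether anything persisted outside the profile, which is the distinction the colleague in the thread was making.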
 
As near as I can tell, the crypto virus will "jump" into your network and lock up all other drives it can find. I suppose that also means any other user accounts too.
Any decent antivirus should detect any version of a crypto virus, but your files will remain encrypted. There are some keys out there from security folks that have cracked some versions. You need to check out Bleeping Computer because it looks like they are always on top of this:
BleepingComputer.com - News, Reviews, and Technical Support
You must get a handle on this asap if the other PCs in your network are still getting locked.
 
We have removed all these encrypted files and done a restore, but I was curious as we have a Citrix environment, so wanted to know how it would affect the VPCs. But it should be fine as long as the user's profile is removed / recreated. The VPCs reset after the session has been closed.

All cryptolocker does is search extensions just like you would in file explorer, so anything the user has permission to, the virus will find the files and encrypt them.

So technically it doesn't "spread" but seems like it does.

We have cleared it up now, but I was curious before about where the files are kept and if it could DL more files, but it seems that's not the case.

I think we will be blocking .exe from general users as we are receiving a high number of crypto emails atm.
 
Yup.....
By "jump" I meant that crypto will look to encrypt the file extensions in its database not only on the OS drive, but on any other drives/partitions it can find in a PC or network that it can get access to.
 
There are different variants of the crypto malware out there. Some will only affect the local system while others will indeed encrypt network devices and drives. Up to date malware definitions should be effective in removing it but you've already restored the unit.

To answer your original question, yes, if the unit is still infected it will most likely affect the new profiles as well. If you did an actual system restore versus loading a system image, you may still be infected. You should really run scans to be sure.
 