
A new variant of the CryptoLocker malware has been discovered that uses Yahoo Messenger as its delivery mechanism and targets Windows systems. My friends at NSHC in Singapore and Seoul have been battling the malware, which has hit a number of financial institutions throughout Asia Pacific. The variant infects systems and distributes itself through contacts in Yahoo Messenger, with the payload disguised as an image.

The malicious file, named “YOURS.JPG.exe”, relies on social engineering to get users to download and execute it. Once it is executed, a series of steps takes place: modules are dropped and downloaded to the system, and files on the system are encrypted.

Yahoo Messenger CryptoLocker

Once “YOURS.JPG.exe” is executed, an injector file, “Omari[Rnd].exe”, is placed in a random directory, and the original “YOURS.JPG.exe” file is then deleted by a .bat file that is also dropped and executed.


The injector file then searches through a list of processes using the Windows ‘ToolHelp’ library to find the PID of ‘explorer.exe’. The malware then gains control of explorer.exe and copies code into memory using ‘CreateRemoteThread’.

If certain conditions are met, it downloads an additional module that initiates the encryption process on the system. The new encryption module reads in files, encrypts them, and overwrites the original files.

Encrypt data

Once the files are encrypted, the user is presented with a message explaining that their files are encrypted.


The desktop then also shows the common CryptoLocker screen we have seen before:


Once the malware has encrypted the data, decryption is not impossible, but it is not practical given that the keys for each infection are different. The malware is spread through email and Yahoo Messenger, so it is important not to click on links from people you do not know, or links that look suspicious.

When downloading images, verify the extension is correct. Home users can download and install CryptoPrevent from Foolish IT. Given that the malware signatures continually change, antivirus products have done little to mitigate the threat until it is already widespread.
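
The extension check recommended above, as an added Python example that is not part of the original post: it flags names like “YOURS.JPG.exe” whose final extension is executable, and files whose first bytes do not match the image type they claim. The extension lists, function names and sample files are assumptions constructed for illustration.

```python
import os

# Extensions Windows runs directly (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
# Extensions a user expects to be harmless (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc"}
# Leading bytes of genuine image files.
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8", ".bmp": b"BM"}


def check_download(name, head):
    """Return the reasons a downloaded file should not be trusted as an image.

    name: file name as received; head: the first bytes of the file.
    """
    reasons = []
    clean = name.strip().lower()
    stem, last = os.path.splitext(clean)   # ("yours.jpg", ".exe")
    _, inner = os.path.splitext(stem)      # ("yours", ".jpg")
    # The extension that decides how the file runs is the last one only.
    if last in EXECUTABLE_EXTS and inner in DECOY_EXTS:
        reasons.append(f"double extension: looks like {inner}, runs as {last}")
    # Windows executables start with the two bytes "MZ".
    if head[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        reasons.append("executable header under a non-executable extension")
    magic = IMAGE_MAGIC.get(last)
    if magic and not head.startswith(magic):
        reasons.append(f"content does not match the {last} signature")
    return reasons


# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("YOURS.JPG.exe", b"MZ\x90\x00\x03\x00"),
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("invoice.jpg", b"MZ\x90\x00\x03\x00"),
    ("setup.exe", b"MZ\x90\x00\x03\x00"),
]


def triage(samples):
    """Map each sample name to its list of findings (empty list means clean)."""
    return {name: check_download(name, head) for name, head in samples}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(name, "->", reasons or "ok")
```

Checking the leading bytes as well as the name catches an executable that was simply renamed to a single image extension, which a name-only check would miss.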

