Vulnerability Management

New CryptoLocker Ransomware Variant Spread Through Yahoo Messenger

A new variant of the CryptoLocker malware has been discovered that uses Yahoo Messenger as its delivery mechanism and is targeting Windows systems.  My friends at NSHC in Singapore and Seoul have been battling with the malware that has hit a number of financial institutions throughout Asia Pacific. The variant infects systems and  distributes itself out through contacts in Yahoo Messenger, with the payload disguised as an image.

The malicious file named “YOURS.JPG.exe” requires users to download and execute the code utilizing social engineering tactics. Once this is initiated a series of steps take place and modules are  dropped and downloaded to the system and files are encrypted on the system.

Yahoo Messenger CryptoLocker

Once  “YOURS.JPG.exe”  is executed an injector file “Omari[Rnd].exe” is put into a random directory and the original “YOURS.JPG.exe” file is then deleted via a .bat file that is also dropped and executed.


The injector file then searches through a list of processes using the Windows ‘ToolHelp’ library to find the PID of ‘explorer.exe’. The malware then gains control of explorer.exe and copies code into memory using ‘CreateRemoteThread’.

If certain conditions are met it will download an additional module that will initiate the encryption process on on the system. The new encryption module reads in files encrypts them and overwrites the original file.

Encrypt data

When the files are encrypted the user is then presented with a message explaining their files are encrypted.


The desktop then also shows the common CryptoLocker screen we have seen before:


Once the malware encrypts the data, although not impossible to decrypt, it is not practical given that the keys for each infection are different. The malware is spread through email and Yahoo Messenger, so it is important to not click on links from those you do not know, or that look suspicious.

When downloading images verify the extension is correct. Home users can download and install CryptoPrevent from Foolish IT. Given that the malware signatures continually change antivirus products have done little to mitigate the threat until it is already wide spread.


Previous post

How Target's Point-of-Sale System May Have Been Hacked

Next post

Create iPhone Rootkits Like You're the NSA

Ken Westin

Ken Westin

Your Pundit of Paranoia