CoronaLocker Trojan

CoronaLocker is a trojan that is designed to inconvenience users instead of causing damage.

At the time of publication, it is unclear how CoronaLocker is delivered, although there are unconfirmed reports it is distributed disguised as a fake WiFi hacking tool via third-party hosting sites.

Once installed, CoronaLocker will alter registry keys in order to disable common user interfaces including the Windows Start menu and the Run command. It then reboots the affected system, displaying a lock screen to the user and demanding a ransom. It will also use Windows’ speech synthesis function to repeat the phrase “corona virus”.

Despite claiming to encrypt files, there is no evidence CoronaLocker alters user files in any way.

Indicators of Compromise

Email Addresses

MD5 File Hashes

  • 09387dad1341f534ad51966168c0e4af

SHA1 File Hashes

  • 39a58879b0327145f5eb94caa83227564b11abde

SHA256 File Hashes

  • 01157c3e056d2040250598bc9b4aac8b4ad8b7f2c595381d320290dd79b8317d

Remediation

CoronaLocker’s lock screen can be bypassed by typing “vb” into the dialogue box. To re-enable registry editing, run the following command as an administrator in Command Prompt:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t REG_DWORD /v DisableRegistryTools /f /d 0
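
To confirm what was changed before and after running that command, the following PowerShell script (an added example, not part of the original post) lists every non-zero value under the current user's policy keys and, when run with the hypothetical -Fix switch, resets DisableRegistryTools. The Policies\Explorer key is included as an assumption, since the post names only Policies\System.

```powershell
# Added example: audit per-user policy restrictions, optionally undo the one named in the post.
param([switch]$Fix)   # hypothetical switch; without it the script only reports

$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
# 'System' is the key from the remediation command. 'Explorer' is an assumption:
# it is the usual home of Start menu / Run restrictions, but the post does not name it.
$keys = 'System', 'Explorer'

function Get-PolicyRestriction {
    param([string]$KeyPath)
    # A missing key simply means no restrictions are set there.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $item = Get-Item -LiteralPath $KeyPath
    foreach ($name in $item.GetValueNames()) {
        $value = $item.GetValue($name)
        # Report only DWORD values that are switched on (non-zero).
        if ($value -is [int] -and $value -ne 0) {
            [pscustomobject]@{ Key = $KeyPath; Name = $name; Value = $value }
        }
    }
}

$found = foreach ($k in $keys) { Get-PolicyRestriction -KeyPath (Join-Path $base $k) }
if ($found) {
    $found | Format-Table -AutoSize
} else {
    'No active per-user policy restrictions found.'
}

# Reset only the value the post names, and only if it is actually set.
$sys = Join-Path $base 'System'
$hit = $found | Where-Object { $_.Key -eq $sys -and $_.Name -eq 'DisableRegistryTools' }
if ($Fix -and $hit) {
    Set-ItemProperty -LiteralPath $sys -Name 'DisableRegistryTools' -Value 0 -Type DWord
    'DisableRegistryTools reset to 0.'
}
```

Run it as the affected user, since HKCU is per-user; any other values it reports should be reviewed individually rather than reset in bulk.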

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
