The Rise of Backdoor-FCKQ (CTB-Locker)

By Raj Samani (@Raj_Samani) and Christiaan Beek (@ChristiaanBeek) on Jan 21, 2015

In the McAfee Labs Threats Report published in November 2014, Senior Vice President Vincent Weafer commented that 2014 would be remembered as “the year of shaken trust.” Indeed, almost every threat we measure saw a notable increase in Q3, pointing to a rather ominous 2015. There was, however, one notable exception: ransomware.


The preceding figure showed a respite from the threat of ransomware, but as foreseen in the McAfee Labs Threats Predictions, “Ransomware will evolve its methods of propagation, encryption, and the targets it seeks.”

For many, this prediction appears to be ringing true with the rise of Backdoor-FCKQ (also known as CTB-Locker), now distributed via multiple channels including IRC, peer-to-peer networks, newsgroup postings and email spam.


Backdoor-FCKQ is a new crypto-ransomware family, delivered through email, that encrypts data files on the target system.

It copies itself to the following locations (the first uses seven random characters as the file name):

  • %temp%\<7 random characters>.exe
  • %temp%\wkqifwe.exe

It also creates a scheduled task (.job file) whose name is seven random characters, for example:

  • %windir%\Tasks\cderkbm.job

The following path is also created under the all-users profile (note that this is a file-system path, not a registry key):

  • %ALLUSERSPROFILE%\Application Data\Microsoft\<7 random characters>

It injects code into svchost.exe, and the injected svchost.exe then launches files from the following location:

  • %temp%\<7 random characters>.exe

The code injected into svchost.exe will encrypt files with the following extensions:

  • .pdf
  • .xls
  • .ppt
  • .txt
  • .py
  • .wb2
  • .jpg
  • .odb
  • .dbf
  • .md
  • .js
  • .pl

Once a system is infected, the malware displays the following image:


The newly created process creates a mutex named:

  • \BaseNamedObjects\lyhrsugiwwnvnn
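The artifacts above are enough for a first triage sweep of a suspect host. The following script is an added example, not McAfee's code: it checks a %temp% folder for the seven-random-character .exe and for wkqifwe.exe, a Tasks folder for the seven-random-character .job, and (on Windows only) whether the infection mutex exists. build_demo_tree() constructs a throw-away stand-in for the two folders so it runs on any OS; on a real Windows host pass the real folders instead. The mutex check assumes, which the post does not state, that the session-local object name is the bare string without the \BaseNamedObjects\ prefix.

```python
r"""Host triage sweep for the Backdoor-FCKQ (CTB-Locker) artifacts listed in
the post: the seven-random-character .exe and wkqifwe.exe in %temp%, the
seven-random-character .job in %windir%\Tasks, and the mutex.

Added example, not McAfee's code. build_demo_tree() constructs a stand-in
for the two folders; the mutex check uses kernel32!OpenMutexW and assumes
(an assumption, not from the post) the bare object name is the session name.
"""
import os
import re
import sys
import tempfile

SEVEN_RANDOM = re.compile(r"^[a-z]{7}$")        # cderkbm, wkqifwe, ...
KNOWN_NAMES = {"wkqifwe.exe", "cderkbm.job"}      # names given in the post
MUTEX_NAME = "lyhrsugiwwnvnn"

def _matches(entry, wanted_ext):
    """True for a known dropper/task name, or a 7-lowercase-letter name with
    the expected extension. Windows names are case-insensitive, so compare
    in lower case."""
    name = entry.lower()
    stem, ext = os.path.splitext(name)
    return name in KNOWN_NAMES or (ext == wanted_ext and SEVEN_RANDOM.match(stem) is not None)

def suspicious_files(temp_dir, tasks_dir):
    """Return sorted (path, reason) pairs. Only the folder roots are checked,
    matching the paths given in the post. Treat a seven-letter hit as a
    triage lead, not proof: it is a naming pattern, not a hash."""
    hits = []
    for folder, ext, reason in ((temp_dir, ".exe", "dropper copy in %temp%"),
                                (tasks_dir, ".job", "persistence task in %windir%\\Tasks")):
        if not os.path.isdir(folder):
            continue
        for entry in os.listdir(folder):
            full = os.path.join(folder, entry)
            if os.path.isfile(full) and _matches(entry, ext):
                hits.append((full, reason))
    return sorted(hits)

def mutex_present(name=MUTEX_NAME):
    """True/False on Windows; None elsewhere, where the check cannot run."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    SYNCHRONIZE = 0x00100000
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR]
    k32.OpenMutexW.restype = wintypes.HANDLE
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    return False

def build_demo_tree(root):
    """Constructed sample tree: two infected-looking names, a benign
    installer and a text file in Temp; one malicious and one benign task."""
    temp_dir = os.path.join(root, "Temp")
    tasks_dir = os.path.join(root, "Tasks")
    os.makedirs(temp_dir)
    os.makedirs(tasks_dir)
    for name in ("wkqifwe.exe", "abcdefg.exe", "setup_x64.exe", "notes.txt"):
        open(os.path.join(temp_dir, name), "wb").close()
    for name in ("cderkbm.job", "GoogleUpdate.job"):
        open(os.path.join(tasks_dir, name), "wb").close()
    return temp_dir, tasks_dir

def demo():
    """Sweep the constructed tree; returns the sorted file names that hit."""
    with tempfile.TemporaryDirectory() as root:
        temp_dir, tasks_dir = build_demo_tree(root)
        return sorted(os.path.basename(p) for p, _ in suspicious_files(temp_dir, tasks_dir))

if __name__ == "__main__":
    print(demo())                 # ['abcdefg.exe', 'cderkbm.job', 'wkqifwe.exe']
    print("mutex present:", mutex_present())
```

On a live host, run it as `suspicious_files(os.environ["TEMP"], os.path.join(os.environ["WINDIR"], "Tasks"))`; a hit on the mutex is the stronger signal, since the name is fixed while the file names are only a pattern.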

An interesting angle in this new round of Backdoor-FCKQ is the use of the well-known downloader Dalexis. There are several versions of this downloader; a simple query of our internal database returned more than 900 hits for it and its variants. To circumvent antispam tools, the downloader arrives in a zip file that contains another zip, which eventually unpacks to a .scr (screensaver) file. A .scr file is an ordinary PE executable under a different extension, so opening it runs the downloader.

The downloader's job is to fetch additional malware from certain locations, unpack the XOR-encoded payload, and execute it. In this case the additional malware, CTB-Locker itself, was packed in the file pack.tar.gz:

Figure 1: pack.tar.gz.

As the preceding screenshot shows, there is no file header representing a known file type. If this were an executable, for example, the first two bytes (the magic number) would be “MZ”; a genuine .tar.gz would begin with the gzip magic 1F 8B. Hiding the header is one of the ways malware authors try to circumvent gateway detection, since inspection that keys on file type sees only opaque data. Other tricks we have seen frequently of late include hosting the payload on Pastebin or GitHub.

In this case, pack.tar.gz used different XOR keys for different parts of the file. Once this puzzle was cracked, the unpacked code of Backdoor-FCKQ was revealed:
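One way to reverse this kind of packing, as an added example that is not McAfee's code and does not use the real pack.tar.gz: the script assumes one single-byte XOR key per 256-byte segment (the post does not give the key length or the segment layout) and constructs its own tiny PE stand-in inline. Segment 0 is recovered from known plaintext, since a PE image starts with “MZ”; later segments use the fact that 0x00 is by far the most common byte in PE data, so the most common ciphertext byte in a segment is the key. The result is then checked for a PE signature at the e_lfanew offset read from the decoded header.

```python
"""Recover and verify an XOR-packed PE payload that, like pack.tar.gz in the
post, carries no recognisable file header.

Added example, not McAfee's code and not the real sample. Assumptions not
stated in the post: one single-byte key per 256-byte segment; the fake PE
image built by build_fake_pe() is constructed here for the demonstration."""
import struct

SEGMENT = 256                      # assumed segment size
KEYS = [0x5A, 0x13, 0xC7, 0x81]    # constructed sample keys, one per segment

KNOWN_MAGICS = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b": "gzip (what a real .tar.gz starts with)",
    b"%PDF": "PDF document",
}

def identify_header(data):
    """Name the file type by magic number, or None when nothing matches,
    which is all a type-based gateway check sees of the packed payload."""
    for magic, name in KNOWN_MAGICS.items():
        if data.startswith(magic):
            return name
    return None

def build_fake_pe():
    """Constructed 1000-byte stand-in: DOS header with e_lfanew = 0x80, the
    usual DOS stub text, a PE signature at 0x80, then mostly-zero body."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x90" * (0x3C - 2))
    dos += struct.pack("<I", e_lfanew)                 # e_lfanew lives at 0x3C
    dos += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    dos += b"This program cannot be run in DOS mode.\r\r\n$"
    dos += b"\x00" * (e_lfanew - len(dos))
    pe = b"PE\x00\x00" + struct.pack("<H", 0x14C)      # IMAGE_FILE_MACHINE_I386
    # body: as in real sections, zeros dominate (160 of every 256 bytes)
    pattern = b"\x00" * 160 + bytes(range(1, 97))
    body = (pattern * 4)[: 1000 - len(dos) - len(pe)]
    return bytes(dos) + pe + body

def xor_segments(data, keys):
    """XOR segment i with keys[i]; XOR is its own inverse, so this both
    packs and unpacks."""
    return bytes(b ^ keys[i // SEGMENT] for i, b in enumerate(data))

def recover_keys(blob):
    """Derive one key per segment without knowing any of them."""
    keys = []
    for start in range(0, len(blob), SEGMENT):
        seg = blob[start:start + SEGMENT]
        if start == 0:
            key = seg[0] ^ ord("M")                   # known plaintext "MZ"
            if seg[1] ^ key != ord("Z"):
                raise ValueError("segment 0 does not decode to an MZ header")
        else:
            key = max(range(256), key=seg.count)      # most frequent byte = 0x00 ^ key
        keys.append(key)
    return keys

def unpack(blob):
    """Recover keys, decode, and prove the result is a PE by checking the
    signature at the e_lfanew offset taken from the decoded DOS header."""
    pe = xor_segments(blob, recover_keys(blob))
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("decoded data has no PE signature at e_lfanew")
    return pe

def make_sample():
    """The constructed packed blob an analyst would start from."""
    return xor_segments(build_fake_pe(), KEYS)

if __name__ == "__main__":
    blob = make_sample()
    print("gateway sees:", identify_header(blob))           # None
    print("recovered keys:", [hex(k) for k in recover_keys(blob)])
    print("unpacked as:", identify_header(unpack(blob)))    # PE/DOS executable
```

On a real dump the segment boundaries are not known up front; a practical approach is to run the frequency step over a sliding window and split where the recovered key changes, then confirm each boundary by checking that the decoded bytes around it stay consistent (printable DOS-stub text, section headers, zero padding).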

Figure 2: Unpacked code of Backdoor-FCKQ.

With multiple samples of Backdoor-FCKQ (CTB-Locker) as comparison material, we immediately recognized shared code.

As a quick Yara detection rule, the following can be used:

Figure 3: Yara detection rule for Backdoor-FCKQ.

Bitcoin trail

While tracing the Bitcoin address and its possible transactions, we found no balance on the address and no transactions from it to other addresses.


All users: Use the current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files to hook system start-up will be removed successfully when cleaning with the recommended engine and DAT combination (or later versions).

A special thanks to Sanchit Karve for his assistance in the analysis.

About the Author

Raj Samani

Raj Samani is Chief Scientist and Fellow for the Enterprise business. He has assisted multiple law enforcement agencies in cybercrime cases and is a special advisor to the European Cybercrime Centre in The Hague. Samani has been recognized for his contribution to the computer security industry through numerous awards, including the Infosecurity Europe hall of ...


Christiaan Beek

Christiaan Beek is the Lead Scientist & Sr. Principal Engineer of the Enterprise Office of the CTO. He is leading the strategic threat intelligence research with a focus on inventing new technology, research techniques and models. Visionary and serving leadership is at the core of his day-to-day job, getting the best out of people and ...


  1. Hi everyone,

    We advise keeping your system up to date as the latest updates will protect against this form of ransomware. At present there is no decryption capability however we are working closely with law enforcement agencies and industry partners to explore ways in which decryption is possible for this growing threat. For further support, please visit us at

    – McAfee. Part of Intel Security.

  2. Elton, there is no hope for you. The encryption is what the virus does. Removal of the virus is the only thing you can do. The files will remain encrypted for good and you will not be able to crack the encryption as it is very powerful encryption. In a slightly more perfect world, one would be able to pay the ransom and have them restore your files, but that isn't guaranteed whatsoever.

  3. Please suggest a way out of the encrypted files by this ransomware. We're unable to make payments or decrypt important files from our systems. There is no backup of these files. Is there a way to get McAfee support us in resolving this mess?

  4. Elton
    I'm sorry that I have to inform you, but there's no method to decrypt the files. The only thing you can do is save the files on which the virus failed and do a format C. I have seen an infection where outlook.pst was clean; maybe its user was lucky when she closed Outlook after the virus had finished the job. I've tried a sample on a virtual machine and found that files with renamed extensions were also safe, and when the encryption had finished the PC was safe to work with files, so encryption was not running further. So again, you are unable to decrypt your files without the key, which was sent to the cyber criminals.

  5. We have the same problem; we can't decrypt any file encrypted by the virus.
    Is there any tool to solve this problem?
    We are McAfee clients; we have McAfee VirusScan + AntiSpyware 8.8.
    more the then PC are infected
    Please help us!!!!!

  6. I have the same problem. I have an updated version of McAfee but it did not succeed in protecting my PC. Are you planning to suggest something for the decryption? Thanks

  7. Hi there,

    Please assist: we are trying to restore all encrypted files from a virus attack from CTB-Locker.
    We have removed the virus; however, ALL files have been encrypted, e.g. XLS.KLXFUXE.
    Is there a method or program you can suggest we use to decrypt these files, as we have no backups and can't restore previous versions of any file?
    The antivirus that was on the computer before the attack was McAfee Internet Security 2015.

    • Hi Elton- Thanks for the comment. Christiaan Beek has sent you a personal email at the address you provided.
