
Celas Trojan

By ZulaZuza in Trojans

Threat Scorecard

Ranking: 16,391
Threat Level: 90 % (High)
Infected Computers: 2
First Seen: May 22, 2012
Last Seen: July 11, 2023
OS(es) Affected: Windows


The Celas Trojan is a ransomware Trojan that uses a typical Winlocker approach to take over your computer. Its main strategy is to prevent you from using your computer by blocking access to Windows and displaying a message demanding the payment of a ransom. The message differs from one ransomware attack to another. For example, some ransomware Trojans claim to have been sent by law enforcement and allege that your computer was involved in child pornography traffic, while others claim that your computer's information was locked down for 'your safety' because it was infected with a particularly dangerous virus.

The Celas Trojan’s Message

The Celas Trojan's message will say that your computer contains copyrighted audio files that were copied illegally. Since copyright laws regarding music have always been murky, this may actually be true if you have ever ripped a CD or downloaded an MP3 file online. However, it is important to note that the Celas Trojan is not associated with law enforcement in any way and that this message is just there to scare you into paying a fifty euro ransom.

Do Not Pay the Celas Trojan’s Ransom

Like the majority of the ransomware infections active today, the Celas Trojan will demand payment via Ukash or PaySafeCard. These are both legitimate money transfer services that are not involved with the Celas Trojan or other malware. The Celas Trojan message contains a section where you can enter your payment code after you pay the ransom. However, ESG malware researchers recommend against believing the Celas Trojan's message and paying its ransom. Apart from wasting your money, paying gives you no guarantee that the criminals behind the Celas Trojan will actually disable this ransomware infection.

Removing the Celas Trojan from Your Computer

A fully updated anti-malware program should be able to remove the Celas Trojan with few problems. However, the main issue with removing a ransomware infection is gaining access to your computer system in the first place. After all, how can you access your anti-malware software if the Celas Trojan blocks access to your desktop, Task Manager, command line, and other Windows components? Fortunately, you can bypass the Celas Trojan message by starting up your computer system from an alternative boot source (such as an external memory drive) or, in some systems, by starting up in Safe Mode.

File System Details

Celas Trojan may create the following file(s):
# File Name Detections
1. %AppData%\[RANDOM TROJAN NAME].exe
2. %StartupFolder%\wpbt0.dll
3. %StartupFolder%\ch810.exe
4. %AppData%\[RANDOM TROJAN NAME]\toolbardtx.ini
5. %AppData%\[RANDOM TROJAN NAME]\toolbarguid.dat
6. %AppData%\[RANDOM TROJAN NAME]\toolbarstats.dat
7. %AppData%\[RANDOM TROJAN NAME]\toolbarstat.log
8. %AppData%\[RANDOM TROJAN NAME]\toolbarpreferences.dat
9. %AppData%\[RANDOM TROJAN NAME]\toolbaruninstallIE.dat
10. %AppData%\[RANDOM TROJAN NAME]\toolbarversion.xml
11. %AppData%\[RANDOM TROJAN NAME]\toolbarlog.txt
12. %AppData%\[RANDOM TROJAN NAME]\toolbaruninstallStatIE.dat
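
When the computer is started from an alternative boot source as described above, `%AppData%` and `%StartupFolder%` no longer resolve, so the file names in this list have to be searched for on the mounted Windows volume. The following is an added example, not part of the original entry: the mount point, the Vista-and-later profile layout, the two-file threshold and the idea that the `.exe` shares the folder's random name are assumptions.

```python
import os
import sys

# Names come from the file list above (lowercased). The layout is an assumption:
# Vista-and-later profile paths on an offline Windows volume mounted at `root`.
STARTUP_NAMES = {"wpbt0.dll", "ch810.exe"}
TOOLBAR_NAMES = {
    "toolbardtx.ini", "toolbarguid.dat", "toolbarstats.dat", "toolbarstat.log",
    "toolbarpreferences.dat", "toolbaruninstallie.dat", "toolbarversion.xml",
    "toolbarlog.txt", "toolbaruninstallstatie.dat",
}
STARTUP_REL = os.path.join("Microsoft", "Windows", "Start Menu", "Programs", "Startup")


def scan_offline_volume(root, min_hits=2):
    """Return sorted (reason, path) findings for each profile under root/Users."""
    findings = []
    users = os.path.join(root, "Users")
    for user in (os.listdir(users) if os.path.isdir(users) else []):
        appdata = os.path.join(users, user, "AppData", "Roaming")
        if not os.path.isdir(appdata):
            continue
        startup = os.path.join(appdata, STARTUP_REL)
        if os.path.isdir(startup):
            for name in os.listdir(startup):
                if name.lower() in STARTUP_NAMES:  # NTFS names are case-insensitive
                    findings.append(("startup-file", os.path.join(startup, name)))
        entries = os.listdir(appdata)
        exes = {e.lower(): e for e in entries if e.lower().endswith(".exe")}
        # [RANDOM TROJAN NAME] is unknown, so test every first-level folder and
        # flag it when it holds at least min_hits of the listed toolbar files.
        for entry in entries:
            folder = os.path.join(appdata, entry)
            if not os.path.isdir(folder):
                continue
            hits = [n for n in os.listdir(folder) if n.lower() in TOOLBAR_NAMES]
            if len(hits) >= min_hits:  # threshold is an assumption
                findings.append(("toolbar-folder", folder))
                exe = exes.get(entry.lower() + ".exe")
                if exe and os.path.isfile(os.path.join(appdata, exe)):
                    findings.append(("paired-exe", os.path.join(appdata, exe)))
    return sorted(findings)


if __name__ == "__main__":
    # Pass the mount point of the offline volume; defaults to the current directory.
    for reason, path in scan_offline_volume(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(reason, path)
```

A hit is a lead for the anti-malware scan, not proof of infection: the toolbar file names are generic enough that unrelated software could use them.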

Registry Details

Celas Trojan may create the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[RANDOM TROJAN NAME]\IEHelper.DNSGuard
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[RANDOM TROJAN NAME]\IEHelper.DNSGuard\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7} "[RANDOM TROJAN NAME] Toolbar"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[RANDOM TROJAN NAME]\IEHelper.DNSGuard\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "[RANDOM TROJAN NAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\[RANDOM TROJAN NAME]\IEHelper.DNSGuard.1

Messages

The following messages associated with Celas Trojan were found:

Celas
Access to your computer was denied.
Illegally downloaded music tracks [in other words, “pirated copies”] have been detected at your PC.
While being downloaded the before mentioned tracks were copied – that’s also a criminal offense in conformity with Section 106 of Digital Millennium
Copyright Act.
