Win32/Filecoder [Threat Name] go to Threat

Win32/Filecoder.B [Threat Variant Name]

Category trojan,worm
Size 535552 B
Detection created Jul 30, 2009
Signature database version 4290
Aliases Trojan.Win32.Refroso.bex (Kaspersky)
  Trojan.Horse (Symantec)
  BackDoor-EBI (McAfee)
Short description

Win32/Filecoder.B is a trojan which deletes files with specific file extensions.

Installation

The trojan does not create any copies of itself.


The trojan creates the following folders:

  • c:\­vsworkdir\­

The following files are dropped into the c:\vsworkdir\ folder:

  • CSCA1.DLL (3072 B)
  • shantazh.jpg (90780 B)

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Control Panel\­Desktop]
    • "ConvertedWallpaper" = "c:\­vsworkdir\­shantazh.jpg"
  • [HKEY_CURRENT_USER\­Control Panel\­Desktop\­ConvertedWallpaper]
    • "Last WriteTime" = "%hex_value%"
  • [HKEY_CURRENT_USER\­Control Panel\­Desktop]
    • "Pattern" = ""
Payload information

The trojan searches local drives for files with the following file extensions:

  • .3gp
  • .7z
  • .doc
  • .eml
  • .htm
  • .html
  • .jpeg
  • .jpg
  • .pdf
  • .php
  • .rar
  • .rtf
  • .txt
  • .xls
  • .zip

When the trojan finds a file matching the search criteria, it creates its duplicate.


The file name and extension of the newly created file is derived from the original one. An additional ".vscrypt" extension is appended.


The trojan encrypts the file content.


The trojan then deletes found files.

Other information

The trojan quits immediately if it detects a window containing one of the following strings in its title:

  • The Wireshark Network Analyzer
  • Process Monitor - Sysinternals: www.sysinternals.com
  • File Monitor - Sysinternals: www.sysinternals.com
  • Registry Monitor - Sysinternals: www.sysinternals.com

The trojan may perform operating system restart.

Please enable Javascript to ensure correct displaying of this content and refresh this page.