Win32/Filecoder [Threat Name]

Win32/Filecoder.Q [Threat Variant Name]

Available cleaner [Download Filecoder.Q Cleaner]

Category trojan
Size 10752 B
Detection created Dec 26, 2010
Signature database version 10006
Aliases Trojan-Ransom.Win32.Xorist.bl (Kaspersky)
  Trojan.Encoder.94 (Dr.Web)
Short description

Win32/Filecoder.Q is a trojan that encrypts files on local drives. To decrypt files the user is requested to send an SMS message to a specified telephone number in exchange for a password/instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %temp%\Once80hZ5rGdP5v.exe

The trojan creates the following files in the root of each drive:

  • %drive%\HOW TO DECRYPT FILES.txt
  • %drive%\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt (Russian: HOW TO DECRYPT FILES.txt)

The trojan writes the following text (Russian, translated here) to these files:

Attention! All your files have been encrypted! To restore your files and regain access to them, send an SMS with the text XXXX to the number YYYY. You have N attempts to enter the code. If you exceed this number, all data will be irreversibly corrupted. Be careful when entering the code!

The following Registry entries are created:

  • [HKEY_CLASSES_ROOT\.EnCrYpTeD]
    • "(Default)" = "GUKTBGWHTVSZAZZ"
  • [HKEY_CLASSES_ROOT\GUKTBGWHTVSZAZZ]
    • "(Default)" = "CRYPTED!"
  • [HKEY_CLASSES_ROOT\GUKTBGWHTVSZAZZ\DefaultIcon]
    • "(Default)" = "%temp%\Once80hZ5rGdP5v.exe, 0"
  • [HKEY_CLASSES_ROOT\GUKTBGWHTVSZAZZ\shell\open\command]
    • "(Default)" = "%temp%\Once80hZ5rGdP5v.exe"

These entries register ".EnCrYpTeD" as a file type whose icon and open handler are the dropped copy of the trojan, so opening an encrypted file from Explorer executes the trojan again.

Payload information

Win32/Filecoder.Q is a trojan that encrypts files on local drives.

The trojan searches local drives for files with the following file extensions:

  • .zip
  • .rar
  • .7z
  • .tar
  • .gzip
  • .jpg
  • .jpeg
  • .psd
  • .cdr
  • .dwg
  • .max
  • .bmp
  • .gif
  • .png
  • .doc
  • .docx
  • .xls
  • .xlsx
  • .ppt
  • .pptx
  • .txt
  • .pdf
  • .djvu
  • .htm
  • .html
  • .mdb
  • .cer
  • .p12
  • .pfx
  • .kwm
  • .pwm
  • .1cd
  • .md
  • .mdf
  • .dbf
  • .odt
  • .vob
  • .ifo
  • .lnk
  • .torrent
  • .mov
  • .m2v
  • .3gp
  • .mpeg
  • .mpg
  • .flv
  • .avi
  • .mp4
  • .wmv
  • .divx
  • .mkv
  • .mp3
  • .wav
  • .flac
  • .ape
  • .wma
  • .ac3

When the trojan finds a file matching the search criteria, it creates an encrypted copy of it. The name of the new file is the original file name and extension with an additional ".EnCrYpTeD" extension appended. The trojan then deletes the original files.
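
As an added example, not part of the original ESET description, the following PowerShell script checks a Windows host for the indicators listed under Installation and Payload information: the dropped copy in %temp%, the .EnCrYpTeD file association, the ransom notes in each drive root, and the encrypted copies themselves, broken down by the original extension so the scope of damage is visible. The paths, ProgID and file names come from the page; the script, its output format, the choice to limit the scan to fixed drives (Win32_LogicalDisk DriveType 3) and the full-drive recursion are assumptions of this example. It is read-only and removes nothing.

```powershell
# Read-only triage for the Win32/Filecoder.Q indicators described above.
# Added example, not part of the original description; it reports findings
# and changes nothing, so evidence stays intact for imaging and for the cleaner.

$ErrorActionPreference = 'SilentlyContinue'

# Indicator values as given in the description
$dropperPath = Join-Path $env:TEMP 'Once80hZ5rGdP5v.exe'
$progId      = 'GUKTBGWHTVSZAZZ'
$extKey      = 'Registry::HKEY_CLASSES_ROOT\.EnCrYpTeD'
$cmdKey      = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
$noteNames   = @('HOW TO DECRYPT FILES.txt', 'КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($indicator, $detail) {
    $findings.Add([pscustomobject]@{ Indicator = $indicator; Detail = $detail })
}

# 1. Dropped copy in %temp%
if (Test-Path -LiteralPath $dropperPath) { Add-Finding 'Dropper copy' $dropperPath }

# 2. File-association hijack: .EnCrYpTeD -> ProgID -> shell\open\command.
#    The open handler is the dropped copy, so double-clicking any
#    .EnCrYpTeD file re-executes the trojan.
if (Test-Path -LiteralPath $extKey) {
    Add-Finding '.EnCrYpTeD ProgID' (Get-ItemProperty -LiteralPath $extKey).'(default)'
}
if (Test-Path -LiteralPath $cmdKey) {
    Add-Finding 'Open handler' (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
}

# 3. Ransom notes in the root of every local fixed drive (assumption: DriveType 3)
$roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
         ForEach-Object { $_.DeviceID + '\' }
foreach ($root in $roots) {
    foreach ($name in $noteNames) {
        $p = Join-Path $root $name
        if (Test-Path -LiteralPath $p) { Add-Finding 'Ransom note' $p }
    }
}

# 4. Encrypted copies. "report.docx.EnCrYpTeD" has BaseName "report.docx",
#    so the original extension is recoverable from the encrypted file name.
$encrypted = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -Filter '*.EnCrYpTeD'
}
foreach ($f in $encrypted) { Add-Finding 'Encrypted file' $f.FullName }

$findings | Format-Table -AutoSize
if ($encrypted) {
    "`nEncrypted files by original extension:"
    $encrypted |
        Group-Object { [System.IO.Path]::GetExtension($_.BaseName).ToLower() } |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
}
```

Run it from an elevated PowerShell prompt so the recursive scan can read every directory; on a large disk the scan takes a while. Leave the .EnCrYpTeD files, the ransom notes and the dropped copy in place until the host has been imaged and the cleaner linked above has been run, and do not open any .EnCrYpTeD file from Explorer while the association is still present.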

Other information

The trojan displays dialog boxes (shown as screenshots on the original page).