Win32/Filecoder [Threat Name]

Win32/Filecoder.R [Threat Variant Name]

Available cleaner Filecoder.R Cleaner

Category trojan
Size 367503 B
Detection created Feb 04, 2011
Signature database version 5845
Aliases Trojan-Ransom.Win32.Rector.aw (Kaspersky)
  Ransom!dk.trojan (McAfee)
  Trojan:Win32/Comame (Microsoft)
Short description

Win32/Filecoder.R is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan creates the following files:

  • C:\Program Files\Adobe Systems,inc\Adobe Flash Video\svchost.exe (659456 B, Win32/Filecoder.R)
  • C:\Program Files\Adobe Systems,inc\Adobe Flash Video\mess.bat (76 B, Win32/Filecoder.R)
  • C:\Program Files\Adobe Systems,inc\Adobe Flash Video\site.bat (59 B, Win32/Filecoder.R)
  • C:\Program Files\Adobe Systems,inc\Adobe Flash Video\mmm.bat (17 B)
  • C:\hehe.jpg (156286 B)
  • %currentfolder%\mmm.bat (17 B)
  • %startup%\inf.txt (135 B)

The files are then executed.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE]
    • "oplata" = "1"

After the installation is complete, the trojan deletes the original executable file.

Payload information

Win32/Filecoder.R is a trojan that encrypts files on local drives.


The trojan searches local drives for files with the following file extensions:

  • .3gp
  • .7z
  • .chm
  • .doc
  • .docx
  • .dot
  • .dpr
  • .eml
  • .htm
  • .html
  • .iso
  • .jbc
  • .jpeg
  • .jpg
  • .mif
  • .mmm
  • .mp4
  • .pdf
  • .php
  • .pot
  • .pps
  • .ppsx
  • .ppt
  • .pptx
  • .rar
  • .rtf
  • .txt
  • .vb
  • .vbp
  • .xls
  • .zip

The trojan encrypts the file content.


Only following folders are searched:

  • c:\
  • d:\
  • e:\
  • f:\

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
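The Installation and Payload sections above give enough fixed indicators (dropped file paths, the HKLM\SOFTWARE "oplata" marker, the target extension list and the searched drive roots) to write a host-triage check. The script below is an added example, not ESET's cleaner and not code from the trojan: it takes a file listing and a registry export as plain Python data (both constructed inline here, with the export shape assumed to be {key_path: {value_name: data}}) and reports dropped artifacts, the marker value, and the files that fall inside the encryption scope for impact assessment. On a live host you would feed it the output of a recursive directory listing and a registry dump instead.

```python
"""Host-triage helper for the Win32/Filecoder.R indicators listed above.

Added example, not ESET code. Inventory data below is constructed.
"""
from pathlib import PureWindowsPath

# Fixed-location dropped files from the Installation section (lower-cased).
DROPPED_PATHS = {
    r"c:\program files\adobe systems,inc\adobe flash video\svchost.exe",
    r"c:\program files\adobe systems,inc\adobe flash video\mess.bat",
    r"c:\program files\adobe systems,inc\adobe flash video\site.bat",
    r"c:\program files\adobe systems,inc\adobe flash video\mmm.bat",
    r"c:\hehe.jpg",
}
# %startup%\inf.txt and %currentfolder%\mmm.bat have variable locations,
# so they are matched by file name (inf.txt only inside a Startup folder).
STARTUP_DROP = "inf.txt"
ANYWHERE_DROP = "mmm.bat"

MARKER_KEY = r"hkey_local_machine\software"
MARKER_VALUE = "oplata"

# Extensions the trojan encrypts and the drive roots it searches.
TARGET_EXTENSIONS = {
    ".3gp", ".7z", ".chm", ".doc", ".docx", ".dot", ".dpr", ".eml", ".htm",
    ".html", ".iso", ".jbc", ".jpeg", ".jpg", ".mif", ".mmm", ".mp4", ".pdf",
    ".php", ".pot", ".pps", ".ppsx", ".ppt", ".pptx", ".rar", ".rtf", ".txt",
    ".vb", ".vbp", ".xls", ".zip",
}
SEARCHED_DRIVES = {"c:", "d:", "e:", "f:"}


def normalize(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def find_dropped_artifacts(paths):
    """Return inventory paths that match the dropped-file indicators."""
    hits = []
    for raw in paths:
        norm = normalize(raw)
        name = PureWindowsPath(norm).name
        if norm in DROPPED_PATHS:
            hits.append(raw)
        elif name == STARTUP_DROP and "\\startup\\" in norm:
            hits.append(raw)
        elif name == ANYWHERE_DROP:
            hits.append(raw)
    return hits


def find_marker(registry):
    """Return the data of the "oplata" value under HKLM\\SOFTWARE, else None.

    `registry` is {key_path: {value_name: data}}; this export shape is an
    assumption of the example, not something the page specifies.
    """
    for key, values in registry.items():
        if normalize(key) == MARKER_KEY:
            for name, data in values.items():
                if name.lower() == MARKER_VALUE:
                    return data
    return None


def files_in_encryption_scope(paths):
    """Files on C: to F: whose extension is on the trojan's target list."""
    scoped = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.drive.lower() in SEARCHED_DRIVES and p.suffix.lower() in TARGET_EXTENSIONS:
            scoped.append(raw)
    return scoped


def triage(paths, registry):
    """Combine the three checks into one report dictionary."""
    dropped = find_dropped_artifacts(paths)
    marker = find_marker(registry)
    return {
        "dropped_artifacts": dropped,
        "marker_value": marker,
        "infected": bool(dropped) or marker is not None,
        "encryption_scope": files_in_encryption_scope(paths),
    }


# Constructed inventory for a stand-alone run; not data from a real host.
SAMPLE_FILES = [
    r"C:\Program Files\Adobe Systems,inc\Adobe Flash Video\svchost.exe",
    r"C:\Windows\System32\svchost.exe",          # legitimate, must not match
    r"C:\hehe.jpg",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inf.txt",
    r"D:\work\report.docx",
    r"D:\work\backup.7z",
    r"C:\Users\alice\notes.TXT",                 # extension match is case-insensitive
    r"G:\archive\old.zip",                       # drive not searched by the trojan
    r"C:\Windows\explorer.exe",                  # extension not targeted
]
SAMPLE_REGISTRY = {r"HKEY_LOCAL_MACHINE\SOFTWARE": {"oplata": "1"}}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES, SAMPLE_REGISTRY).items():
        print(key, value)
```

Note that the encryption-scope check is purely by drive and extension, exactly as the page describes the trojan's search; it lists what could have been touched, not what actually was. The legitimate C:\Windows\System32\svchost.exe is deliberately excluded by matching the full dropped path rather than the file name.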

Other information

The trojan opens the following URLs in Internet Explorer:

  • http://fileback.totalh.com/

The trojan displays a picture (the image is not reproduced on this page).