Win32/Filecoder [Threat Name]

Win32/Filecoder.AE [Threat Variant Name]

Available cleaner [Download Filecoder.AE Cleaner]

Category trojan
Size 462848 B
Detection created Mar 14, 2012
Signature database version 6966
Aliases Trojan-Ransom.Win32.Turian.a (Kaspersky)
Short description

Win32/Filecoder.AE is a trojan that encrypts files on local drives. The trojan is probably a part of other malware.

Installation

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL. It tries to download several files from that address.


These are stored in the following locations:

  • %programfiles%\%variable1%\%variable2%\ExDir.dat
  • %programfiles%\%variable1%\%variable2%\masks.dat

The HTTP protocol is used.


The trojan may create copies of itself using the following filenames:

  • %programfiles%\%variable1%\%variable2%\%malwarefilename%

A string with variable content is used instead of %malwarefilename%.


The trojan may execute the following commands:

  • netsh firewall add allowedprogram "%programfiles%\%variable1%\%variable2%\%malwarefilename%" ENABLE

This command adds an exception for the trojan's executable to the Windows Firewall.


The following Registry entries are created:

  • [HKEY_CLASSES_ROOT\.%variable3%]
    • "(Default)" = "Encrypted file"
  • [HKEY_CLASSES_ROOT\%variable3%\DefaultIcon]
    • "(Default)" = "%programfiles%\%variable1%\%variable2%\%malwarefilename%,0"
  • [HKEY_CLASSES_ROOT\%variable3%\Shell]
    • "(Default)" = "Default"
  • [HKEY_CLASSES_ROOT\%variable3%\Shell\Default]
    • "(Default)" = "Decrypt file"
  • [HKEY_CLASSES_ROOT\%variable3%\Shell\Default\command]
    • "(Default)" = "%programfiles%\%variable1%\%variable2%\%malwarefilename% %1"

A string with variable content is used instead of %variable1-3%. Together these entries register the encrypted-file extension with the shell so that the file type is described as "Encrypted file" and a "Decrypt file" context-menu verb launches the trojan with the file as its argument.
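The registry pattern above (a file-type registration whose description is "Encrypted file" and whose "Decrypt file" verb launches an executable with "%1") can be hunted for in an exported registry hive. The following is an added example, not ESET's detection logic: it parses a .reg-style export (a constructed sample is embedded; the extension, paths and executable name are made up) and reports registrations that match the pattern.

```python
import re

# Constructed .reg-style export (not a real sample): one registration matching the
# Win32/Filecoder.AE pattern described above, plus a benign .txt entry that must not match.
SAMPLE_REG = r"""[HKEY_CLASSES_ROOT\.abc123]
@="Encrypted file"

[HKEY_CLASSES_ROOT\abc123\DefaultIcon]
@="C:\\Program Files\\Foo\\Bar\\svc.exe,0"

[HKEY_CLASSES_ROOT\abc123\Shell\Default]
@="Decrypt file"

[HKEY_CLASSES_ROOT\abc123\Shell\Default\command]
@="C:\\Program Files\\Foo\\Bar\\svc.exe %1"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\Shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""

def parse_reg_defaults(text):
    """Map each registry key in a .reg export to its (Default) value, unescaping backslashes."""
    defaults = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            defaults[key] = line[3:-1].replace('\\\\', '\\').replace('\\"', '"')
    return defaults

def find_filecoder_registrations(text):
    """Return (extension, command) pairs whose HKCR registration matches the Filecoder.AE pattern."""
    defaults = parse_reg_defaults(text)
    hits = []
    for key, value in defaults.items():
        m = re.fullmatch(r"HKEY_CLASSES_ROOT\\\.(\w+)", key)
        if not m or value.lower() != "encrypted file":
            continue
        ext = m.group(1)
        verb = defaults.get(f"HKEY_CLASSES_ROOT\\{ext}\\Shell\\Default", "")
        cmd = defaults.get(f"HKEY_CLASSES_ROOT\\{ext}\\Shell\\Default\\command", "")
        if verb.lower() == "decrypt file" and "%1" in cmd:  # the "Decrypt file" verb runs the trojan on the file
            hits.append((ext, cmd))
    return hits
```

A real export produced with `reg export HKCR hkcr.reg` is UTF-16 encoded, so decode it with `utf-16` before passing it in; any command path reported should then be checked against the %programfiles% location listed above.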

Payload information

Win32/Filecoder.AE is a trojan that encrypts files on local drives.


The criteria for selecting the files to encrypt are usually stored in the following configuration files:

  • %programfiles%\%variable1%\%variable2%\ExDir.dat
  • %programfiles%\%variable1%\%variable2%\masks.dat

To decrypt the files, the user is asked to send information or a certain amount of money via the Onpay.ru payment service.


The trojan displays the following dialog box:

Other information

The trojan needs the following files to run:

  • account.cfg
  • config.cfg
