Win32/Filecoder [Threat Name] go to Threat

Win32/Filecoder.BQ [Threat Variant Name]

Category trojan
Size 719360 B
Detection created Sep 07, 2013
Signature database version 10459
Aliases Trojan-Ransom.Win32.Blocker.cggx (Kaspersky)
  Trojan:Win32/Crilock.A (Microsoft)
  Trojan.Gpcoder.G (Symantec)
  TROJ_CRILOCK.AA (TrendMicro)
  CryptoLocker
Short description

Win32/Filecoder.BQ is a trojan that encrypts files on local drives. To decrypt files, the user is asked to send information/certain amount of money via the MoneyPak, Ukash, cashU, Bitcoin payment service.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­{%clsid%}.exe

The file is then executed.


A string with variable content is used instead of %clsid% .


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "CryptoLocker" = "%appdata%\­{%clsid%}.exe"

The trojan displays the following dialog box:

Some examples follow.

After the installation is complete, the trojan deletes the original executable file.

Payload information

Win32/Filecoder.BQ is a trojan that encrypts files on local drives.


The trojan searches for files with the following file extensions:

  • *.odt
  • *.ods
  • *.odp
  • *.odm
  • *.odc
  • *.odb
  • *.doc
  • *.docx
  • *.docm
  • *.wps
  • *.xls
  • *.xlsx
  • *.xlsm
  • *.xlsb
  • *.xlk
  • *.ppt
  • *.pptx
  • *.pptm
  • *.mdb
  • *.accdb
  • *.pst
  • *.dwg
  • *.dxf
  • *.dxg
  • *.wpd
  • *.rtf
  • *.wb2
  • *.mdf
  • *.dbf
  • *.psd
  • *.pdd
  • *.eps
  • *.ai
  • *.indd
  • *.cdr
  • ????????.jpg
  • ????????.jpe
  • img_*.jpg
  • *.dng
  • *.3fr
  • *.arw
  • *.srf
  • *.sr2
  • *.bay
  • *.crw
  • *.cr2
  • *.dcr
  • *.kdc
  • *.erf
  • *.mef
  • *.mrw
  • *.nef
  • *.nrw
  • *.orf
  • *.raf
  • *.raw
  • *.rwl
  • *.rw2
  • *.r3d
  • *.ptx
  • *.pef
  • *.srw
  • *.x3f
  • *.der
  • *.cer
  • *.crt
  • *.pem
  • *.pfx
  • *.p12
  • *.p7b
  • *.p7c

The trojan encrypts the file content.


The AES, RSA encryption algorithm is used.


The password is stored on the attacker's server.


To decrypt files, the user is asked to send information/certain amount of money via the MoneyPak, Ukash, cashU, Bitcoin payment service.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The trojan generates various URL addresses. The HTTP protocol is used.


The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­Software\­CryptoLocker\­VersionInfo]
  • [HKEY_CURRENT_USER\­Software\­CryptoLocker\­PublicKey]
  • [HKEY_CURRENT_USER\­Software\­CryptoLocker\­PrivateKey]
  • [HKEY_CURRENT_USER\­Software\­CryptoLocker\­Files]

Please enable Javascript to ensure correct displaying of this content and refresh this page.