Win32/Filecoder [Threat Name]

Win32/Filecoder.C [Threat Variant Name]

Category trojan, worm
Size 15872 B
Detection created Oct 21, 2009
Detection database version 0.11002
Aliases Trojan:Win32/Gpcode.H (Microsoft)
  Mal/Behav-116 (Sophos)
  Win32.Generic.ON (AVG)

Short description

Win32/Filecoder.C is a trojan that encrypts files on local drives. To decrypt files the user is requested to send an SMS message to a specified telephone number in exchange for a password/instructions.

Installation

The trojan does not create any copies of itself.


The following file is dropped into the %windir% folder:

  • CryptLogFile.txt

Payload information

Win32/Filecoder.C is a trojan that encrypts files on local drives.


The trojan searches local drives for files with the following file extensions:

  • .ace
  • .bmp
  • .cdr
  • .djvu
  • .doc
  • .docm
  • .docx
  • .eps
  • .gif
  • .jpeg
  • .jpg
  • .lnk
  • .max
  • .mp3
  • .msi
  • .pdf
  • .png
  • .ppd
  • .pps
  • .ppsx
  • .ppt
  • .pptx
  • .psd
  • .rar
  • .rtf
  • .tif
  • .tiff
  • .txt
  • .wma
  • .xls
  • .xlsm
  • .xlsx
  • .xml
  • .zip

The trojan encrypts the file content.


The trojan creates the following file:

  • %systemdrive%\Прочти Меня - как расшифровать файлы.txt

It contains the following text:

  • Внимание!
  • Файлы заблокированы!
  • Чтобы разблокировать, отправь SMS на номер 8385 с текстом "cwm545" (без кавычек).

The encrypted files can be returned to their original state using the following command:

  • %malwarepath% 112211
