Win32/Filecoder [Threat Name]

Win32/Filecoder.NAG [Threat Variant Name]

Category trojan
Size 388463 B
Detection created Aug 11, 2012
Detection database version 7377
Aliases PWS-Zbot.gen.adc.trojan (McAfee)
  Trojan.Gen (Symantec)
  Variant.Symmi.352 (BitDefender)
Short description

Win32/Filecoder.NAG is a trojan that encrypts files on local drives.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\sowldrv.exe

The trojan creates the following files:

  • %appdata%\ok.txt.arest (28 B)
  • %appdata%\WARNING.txt (1792 B)
  • %appdata%\ok.bat
  • %affectedfolder%\WARNING.txt (1792 B)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "ChpPrintUpdate" = "%appdata%\sowldrv.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "id" = %data%
    • "ip" = %data%

Payload information

Win32/Filecoder.NAG is a trojan that encrypts files on local drives.

The trojan searches for files with the following file extensions:

  • .txt
  • .xls
  • .xlw
  • .docx
  • .doc
  • .cer
  • .key
  • .rtf
  • .xlsm
  • .xlsx
  • .xlc
  • .docm
  • .xlk
  • .htm
  • .chm
  • .text
  • .ppt
  • .djvu
  • .pdf
  • .lzo
  • .djv
  • .cdx
  • .cdt
  • .cdr
  • .bpg
  • .xfm
  • .dfm
  • .pas
  • .dpk
  • .dpr
  • .frm
  • .vbp
  • .php
  • .js
  • .wri
  • .css
  • .asm
  • .html
  • .jpg
  • .dbx
  • .dbt
  • .dbf
  • .odc
  • .mde
  • .mdb
  • .sql
  • .abw
  • .pab
  • .vsd
  • .xsf
  • .xsn
  • .pps
  • .lzh
  • .pgp
  • .arj
  • .gzip
  • .gz
  • .pst
  • .xl

The trojan encrypts the content of each matching file and appends an additional ".arest" extension to the file name.

The encryption uses the AES algorithm. The password needed for decryption is stored on the attacker's server.

The trojan tries to connect to a remote machine on the following port:

  • 43359

The trojan contains a list of (1) IP addresses. The TCP protocol is used.
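The following script is an added triage example, not ESET's code and not code from the malware. It scopes an infection by the on-disk artifacts described above (files given the extra ".arest" extension, WARNING.txt notes in affected folders) and flags the persistence entries from the Installation section when given the Run and Winlogon values as plain dicts (for example parsed from a `reg export` of those keys, or from a hive on a forensic image). The function names, the sample directory tree and the registry values in run_demo() are constructed for this example.

```python
"""Triage helper for a Win32/Filecoder.NAG infection.

Added example, not code from ESET or from the malware. It scopes an
infection by the on-disk artifacts described on this page (files given an
extra ".arest" extension, WARNING.txt ransom notes) and checks exported
Run / Winlogon values for the persistence entries. The sample tree and
registry values in run_demo() are constructed so everything runs offline.
"""
import os
import tempfile
from collections import Counter

# Extensions the trojan searches for (taken from the list on this page).
TARGET_EXTENSIONS = {
    ".txt", ".xls", ".xlw", ".docx", ".doc", ".cer", ".key", ".rtf", ".xlsm",
    ".xlsx", ".xlc", ".docm", ".xlk", ".htm", ".chm", ".text", ".ppt", ".djvu",
    ".pdf", ".lzo", ".djv", ".cdx", ".cdt", ".cdr", ".bpg", ".xfm", ".dfm",
    ".pas", ".dpk", ".dpr", ".frm", ".vbp", ".php", ".js", ".wri", ".css",
    ".asm", ".html", ".jpg", ".dbx", ".dbt", ".dbf", ".odc", ".mde", ".mdb",
    ".sql", ".abw", ".pab", ".vsd", ".xsf", ".xsn", ".pps", ".lzh", ".pgp",
    ".arj", ".gzip", ".gz", ".pst", ".xl",
}
ENCRYPTED_SUFFIX = ".arest"        # appended to every encrypted file
RANSOM_NOTE = "WARNING.txt"        # dropped into each affected folder
RUN_VALUE_NAME = "ChpPrintUpdate"  # autostart value under HKCU\...\Run
DROPPER_NAME = "sowldrv.exe"       # copy of the trojan in %appdata%


def classify(name):
    """Classify one file name: 'note', 'encrypted', 'suspicious' or None.

    'encrypted' means the name ends in .arest and the extension underneath
    is one the trojan targets; 'suspicious' means .arest over some other
    extension (worth a look, but not this variant's documented output).
    """
    base = os.path.basename(name)
    if base == RANSOM_NOTE:
        return "note"
    if base.lower().endswith(ENCRYPTED_SUFFIX):
        inner = os.path.splitext(base[:-len(ENCRYPTED_SUFFIX)])[1].lower()
        return "encrypted" if inner in TARGET_EXTENSIONS else "suspicious"
    return None


def scan_tree(root):
    """Walk root and return {relative folder: {kind: count}} for folders with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        counts = Counter(kind for kind in map(classify, files) if kind)
        if counts:
            report[os.path.relpath(dirpath, root)] = dict(counts)
    return report


def check_persistence(run_values, winlogon_values):
    """Flag the autostart entry and the id/ip values the trojan writes.

    Both arguments are {value name: data} dicts for
    HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run and
    HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon.
    """
    findings = []
    for name, data in run_values.items():
        if name == RUN_VALUE_NAME or data.lower().endswith(DROPPER_NAME):
            findings.append("Run value %r -> %s" % (name, data))
    for name in ("id", "ip"):
        if name in winlogon_values:
            findings.append("Winlogon value %r = %s" % (name, winlogon_values[name]))
    return findings


def run_demo():
    """Build a constructed sample tree and registry export, then triage them."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        # Two encrypted documents, one ransom note, one untouched file (.png
        # is not in the target list, so it is left alone).
        for fname in ("budget.xlsx.arest", "memo.docx.arest", RANSOM_NOTE, "photo.png"):
            open(os.path.join(docs, fname), "w").close()
        open(os.path.join(root, "readme.md"), "w").close()  # folder without hits
        files = scan_tree(root)
    # Constructed registry values: one benign Run entry beside the trojan's.
    regs = check_persistence(
        {"OneDrive": r"C:\Users\a\AppData\Local\OneDrive.exe",
         RUN_VALUE_NAME: r"C:\Users\a\AppData\Roaming\sowldrv.exe"},
        {"Shell": "explorer.exe", "id": "constructed-victim-id"},
    )
    return files, regs


if __name__ == "__main__":
    files, regs = run_demo()
    for folder, counts in sorted(files.items()):
        print(folder, counts)
    print("\n".join(regs))
```

Run against a real profile or mounted image, the scanner will also report the 28-byte `%appdata%\ok.txt.arest` file the trojan creates, which is a convenient infection marker even when no user documents were hit; per-folder counts give the scope needed for restoring from backup, since the AES password is held on the attacker's server and not recoverable from the affected machine by this script.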


The trojan displays dialog boxes that prompt the user for a password.

When the user enters the correct password, the trojan decrypts the encrypted files and removes itself from the affected computer.

Other information

The trojan terminates any program whose window title contains any of the following strings:

  • Windows Task Manager
  • Диспетчер задач Windows (Russian for "Windows Task Manager")
  • Редактор реестра (Russian for "Registry Editor")
