Win32/Filecoder [Threat Name]

Win32/Filecoder.NBR [Threat Variant Name]

Category trojan
Size 531351 B
Detection created May 06, 2014
Detection database version 10223
Aliases Trojan-Ransom.Win32.CryFile.vji (Kaspersky)
  Ransom:Win32/Genasom (Microsoft)
Short description

Win32/Filecoder.NBR is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan creates the following files:

  • C:\tempik\gene.exe (3072 B, Win32/Filecoder.NBR)
  • C:\tempik\hilo.exe (2560 B)
  • C:\tempik\moar.exe (13824 B, Win32/Filecoder.NBR)
  • C:\tempik\pgp.exe (246784 B)
  • C:\tempik\pubring.pgp (310 B)
  • C:\tempik\pusk.bat (535 B, BAT/Filecoder.AP)
  • C:\tempik\randseed.bin (408 B)
  • C:\tempik\Rar.exe (488024 B)
  • C:\tempik\zep.exe (2560 B)

The files are then executed.


The trojan may create the following files:

  • C:\tempik\apr
  • C:\tempik\pa
  • C:\tempik\pa.asc

The trojan may delete the following files:

  • C:\tempik\pa

The trojan displays the following dialog box:

Payload information

Win32/Filecoder.NBR is a trojan that encrypts files on local drives.


The trojan searches for files with the following file extensions:

  • .1cd
  • .4db
  • .4dd
  • .adp
  • .arw
  • .cdr
  • .cdx
  • .cer
  • .crt
  • .crw
  • .dbf
  • .dcr
  • .doc
  • .docx
  • .dwg
  • .dxb
  • .dxg
  • .eps
  • .grs
  • .jpeg
  • .jpg
  • .mdb
  • .mdf
  • .MDP
  • .mrw
  • .odp
  • .pdd
  • .pdf
  • .pdm
  • .pek
  • .ppt
  • .psd
  • .pst
  • .ptx
  • .raf
  • .rar
  • .rtf
  • .sps
  • .srw
  • .tif
  • .txt
  • .wdb
  • .wps
  • .xls
  • .xml
  • .zip

The trojan encrypts the file content.


The trojan executes the following command:

  • rar.exe a -e -p%password% -dw %file%.Rar %file%

An additional ".Rar" extension is appended to the original file name.


The following file is dropped:

  • %currentfolder%\!!Закодиpован_%username%

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
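As an added defender-side example (not part of the original ESET entry), the following Python checks process command lines for the documented rar.exe archive-with-password-and-wipe pattern and looks for files that carry a targeted extension followed by the appended ".Rar". The sample command lines and file paths are constructed, and the targeted-extension set is a subset of the list above.

```python
import re
from pathlib import PureWindowsPath

# Subset of the file extensions the page lists as targeted by Win32/Filecoder.NBR.
TARGET_EXTS = {".1cd", ".dbf", ".doc", ".docx", ".jpg", ".pdf", ".psd", ".pst", ".xls", ".zip"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # a quoted path or a bare token

def is_rar_wipe_command(cmdline):
    """Match the documented command: rar.exe a -e -p<password> -dw <file>.Rar <file>.
    -p sets an archive password and -dw wipes the source after archiving, so only
    the password-protected .Rar copy of the victim's file remains."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if len(toks) < 4 or PureWindowsPath(toks[0]).name.lower() not in ("rar.exe", "rar"):
        return False
    if toks[1].lower() != "a":            # 'a' = add files to an archive
        return False
    switches = [t for t in toks[2:] if t.startswith("-")]
    args = [t for t in toks[2:] if not t.startswith("-")]
    has_pw = any(s.lower().startswith("-p") and len(s) > 2 for s in switches)
    has_wipe = any(s.lower() == "-dw" for s in switches)
    if not (has_pw and has_wipe) or len(args) < 2:
        return False
    archive, source = args[0], args[1]
    return archive.lower() == (source + ".Rar").lower()   # ".Rar" appended to the name

def flag_cmdlines(lines):
    """Return the process command lines that match the archive-and-wipe pattern."""
    return [line for line in lines if is_rar_wipe_command(line)]

def suspicious_renamed_files(paths):
    """Return paths shaped like <name>.<targeted ext>.Rar: a targeted file after encryption."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == ".rar" and PureWindowsPath(wp.stem).suffix.lower() in TARGET_EXTS:
            hits.append(p)
    return hits

# Constructed sample data for the demo (not taken from the page or any real incident).
SAMPLE_CMDLINES = [
    r'C:\tempik\Rar.exe a -e -pS3cret -dw "C:\Users\alice\Docs\report.docx.Rar" "C:\Users\alice\Docs\report.docx"',
    r'"C:\Program Files\WinRAR\Rar.exe" a backup.rar C:\Users\alice\Docs',   # benign archiving
    r'C:\tempik\Rar.exe a -e -pS3cret -dw notes.txt.Rar notes.txt',
]
SAMPLE_FILES = [
    r"C:\Users\alice\Docs\report.docx.Rar", r"C:\Users\alice\Docs\backup.rar",
    r"C:\Users\alice\Pictures\img.jpg.Rar", r"C:\Users\alice\Docs\readme.txt",
]
```

The command-line check fires only when a password switch, the wipe switch and the ".Rar"-suffixed output name all appear together, which keeps ordinary password-protected archiving out of the alert.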
