BAT/Filecoder [Threat Name]

BAT/Filecoder.AQ [Threat Variant Name]

Category trojan
Size 8356 B
Aliases Trojan-Ransom.BAT.Agent.ar (Kaspersky)
  BAT.Encoder.46 (Dr.Web)
  BV:Agent-AUQ (Avast)
Short description

BAT/Filecoder.AQ is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan tries to download several files from the Internet.

The files are stored in the following locations:

  • %currentfolder%\pgp.exe
  • %currentfolder%\pubring.pgp
  • %currentfolder%\randseed.bin
  • %currentfolder%\pgp.bat
  • %currentfolder%\Rar.exe
  • %currentfolder%\wsystem.bat
  • C:\qtemp\hid.vbs

The trojan creates the following files:

  • %currentfolder%\pass
  • %currentfolder%\pass.asc
  • C:\qtemp\push.vbs

The trojan executes the following files:

  • %currentfolder%\pgp.bat
  • C:\qtemp\push.vbs
  • C:\qtemp\hid.vbs

The trojan tries to move the following files (source, destination):

  • %currentfolder%\pass, C:\qtemp\pass
  • %currentfolder%\pass.asc, C:\qtemp\pass.asc
  • %currentfolder%\Rar.exe, C:\qtemp\Rar.exe
  • %currentfolder%\wsystem.bat, C:\qtemp\wsystem.bat

The trojan may delete the following files:

  • %currentfolder%\pgp.bat
  • %currentfolder%\pgp.exe
  • %currentfolder%\pubring.pgp
  • %currentfolder%\randseed.bin
  • C:\qtemp\pass

Payload information

The trojan encrypts files on local disks.

The trojan searches local drives for files with the following file extensions:

  • .1CD
  • .4db
  • .4dd
  • .adp
  • .arw
  • .cdr
  • .cdx
  • .cer
  • .dbf
  • .doc
  • .dwg
  • .dxb
  • .eps
  • .jpeg
  • .jpg
  • .lzh
  • .mbd
  • .mdb
  • .mdf
  • .odb
  • .pdd
  • .pdf
  • .pdm
  • .pek
  • .pfx
  • .ppt
  • .psd
  • .rtf
  • .sql
  • .tif
  • .txt
  • .wbd
  • .wps
  • .xld
  • .xls
  • .xml
  • .zip

The trojan executes the following command:

  • C:\qtemp\rar.exe a -dw -p%password% "%file%".rAr "%file%"

The extension of the encrypted files is changed to:

  • .rAr

The trojan creates the following file:

  • %file%.read

It contains the following text:

  • -----BEGIN PGP MESSAGE-----
  • Version: 2.6.3i
  • hIwDhcZgxQxzJm0BBACSQjEpymig33nAKwaCN6pFASejRiZesFtbKgc5KOtVI82Z
  • %removed%Q1ebscDATluw9TiDtW0DQ/5ewg==
  • %removed%
  • -----END PGP MESSAGE-----
  • Info is blocked. The cost of restoring it to its original state is ten thousand р
  • To restore the info to its original form, send 2 files by e-mail:
  • The first file is the one you are reading now; the second is one small file with the rAr extension
  • You will receive back the original file and the payment method
  • After payment is completed, you will receive a program for restoring the data and the password for all files
  • %removed%@gmail.com

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
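The command shown above uses a stock RAR binary as the cipher: `rar.exe a -dw -p<password> "<file>".rAr "<file>"` adds the file to a password-protected archive named after it, and the `-dw` switch wipes the source once it has been archived, so what survives on disk is the `.rAr` archive next to its `%file%.read` note. The following detection helper is an added example written for this entry, not ESET's code and not part of the sample. It runs over two constructed inputs embedded in the block (process command lines and a file listing, neither real telemetry; the password in the sample line is a placeholder) and flags three things the entry describes: the rar-based "archive with inline password, then destroy the source" command (generalised to also accept `-df`, RAR's plain delete-after-archiving switch), `.rAr` archives paired with `.read` notes on the targeted extensions, and the helper files dropped into `C:\qtemp`.

```python
r"""Host-based detection for the BAT/Filecoder.AQ behaviour described above.

Added example, not ESET's code. It runs over two constructed inputs embedded
below (not real telemetry): process command lines, checked for the rar.exe
"archive with an inline password, then destroy the source" pattern, and a
file listing, checked for <file>.rAr archives paired with <file>.read notes
and for the helper files the entry says are dropped into C:\qtemp.
"""
import re
from pathlib import PureWindowsPath

# Extensions the entry lists as the trojan's search targets.
TARGET_EXTENSIONS = {
    ".1cd", ".4db", ".4dd", ".adp", ".arw", ".cdr", ".cdx", ".cer", ".dbf",
    ".doc", ".dwg", ".dxb", ".eps", ".jpeg", ".jpg", ".lzh", ".mbd", ".mdb",
    ".mdf", ".odb", ".pdd", ".pdf", ".pdm", ".pek", ".pfx", ".ppt", ".psd",
    ".rtf", ".sql", ".tif", ".txt", ".wbd", ".wps", ".xld", ".xls", ".xml",
    ".zip",
}

# Helper files the entry says are downloaded to, created in or moved to C:\qtemp.
DROPPED_PATHS = {
    r"c:\qtemp\hid.vbs", r"c:\qtemp\push.vbs", r"c:\qtemp\wsystem.bat",
    r"c:\qtemp\pass", r"c:\qtemp\pass.asc", r"c:\qtemp\rar.exe",
}

# rar.exe add ('a') with at least one switch, a quoted input path, an extra
# extension glued to the closing quote (".rAr" on the page) and the same
# quoted path again as the archive content.
RAR_ENCRYPT_RE = re.compile(
    r'(?P<image>\S*rar\.exe)\s+a\s+'
    r'(?P<switches>(?:-\S+\s+)+)'
    r'"(?P<victim>[^"]+)"(?P<ext>\.\w+)\s+"(?P=victim)"',
    re.IGNORECASE,
)


def parse_rar_encrypt_command(cmdline):
    """Describe a rar 'encrypt, then destroy the source' command, or return None.

    Requires an inline -p<password> plus a source-removal switch: -dw (wipe,
    as on the page) or -df (plain delete after archiving).
    """
    m = RAR_ENCRYPT_RE.search(cmdline)
    if not m:
        return None
    raw_switches = m.group("switches").split()
    switches = [s.lower() for s in raw_switches]
    password = next((s[2:] for s in raw_switches if s.lower().startswith("-p")), None)
    if password is None or not ({"-dw", "-df"} & set(switches)):
        return None
    return {
        "image": m.group("image"),
        "victim": m.group("victim"),
        "archive": m.group("victim") + m.group("ext"),
        "password": password,
        "wipes_source": "-dw" in switches,
    }


def scan_process_log(cmdlines):
    """Return (rule, line, details) findings for a list of command lines."""
    findings = []
    for line in cmdlines:
        hit = parse_rar_encrypt_command(line)
        if hit:
            findings.append(("rar_encrypt_wipe", line, hit))
            continue
        dropped = sorted(p for p in DROPPED_PATHS if p in line.lower())
        if dropped:
            findings.append(("qtemp_helper", line, {"paths": dropped}))
    return findings


def scan_listing(paths):
    """Pair <file>.rAr archives with their <file>.read notes.

    A .rar file is reported only when its note exists, or when the exact
    '.rAr' casing sits on one of the targeted extensions.
    """
    present = {p.lower() for p in paths}
    pairs = []
    for p in paths:
        if not p.lower().endswith(".rar"):
            continue
        original = p[:-4]
        note_present = (original + ".read").lower() in present
        targeted = PureWindowsPath(original).suffix.lower() in TARGET_EXTENSIONS
        if note_present or (p.endswith(".rAr") and targeted):
            pairs.append({"original": original, "archive": p,
                          "note_present": note_present,
                          "targeted_extension": targeted})
    return pairs


def find_dropped_helpers(paths):
    """Return the C:\\qtemp helper paths from the entry that appear in a listing."""
    return sorted(p.lower() for p in paths if p.lower() in DROPPED_PATHS)


# Constructed sample inputs (not real telemetry); the password is a placeholder.
PROCESS_LOG = [
    r'"C:\Program Files\WinRAR\Rar.exe" a -ep1 -r "D:\backup\docs.rar" "D:\work\docs"',
    r'C:\qtemp\rar.exe  a -dw -pPLACEHOLDER-PASSWORD '
    r'"C:\Users\anna\Documents\report.doc".rAr "C:\Users\anna\Documents\report.doc"',
    r'wscript.exe C:\qtemp\hid.vbs',
]
LISTING = [
    r"C:\Users\anna\Documents\report.doc.rAr",
    r"C:\Users\anna\Documents\report.doc.read",
    r"C:\Users\anna\Pictures\holiday.jpg.rAr",
    r"C:\Users\anna\Pictures\holiday.jpg.read",
    r"D:\backup\docs.rar",  # ordinary archive, must not be reported
    r"C:\qtemp\hid.vbs",
    r"C:\qtemp\pass.asc",
]

if __name__ == "__main__":
    for rule, line, details in scan_process_log(PROCESS_LOG):
        print(rule, "|", line, "|", details)
    for pair in scan_listing(LISTING):
        print("encrypted:", pair)
    print("dropped helpers:", find_dropped_helpers(LISTING))
```

The process-log rule is the most durable of the three: the `.rAr` casing and the `C:\qtemp` paths are specific to this variant, while a `rar.exe a -p... -dw` command whose archive name is the input path with an extra suffix characterises the technique itself, and a legitimate backup job (the first constructed line) does not match it. The inline password is recorded in the finding because it is also the recovery key when the command line was captured.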

Other information

The trojan may display a fake error message:
