Win32/Filecoder [Threat Name] go to Threat

Win32/Filecoder.AE [Threat Variant Name]

Category	trojan
Size	462848 B
Aliases	Trojan-Ransom.Win32.Turian.a (Kaspersky)

Win32/Filecoder.AE is a trojan that encrypts files on local drives. The trojan is probably a part of other malware.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains an URL address. It tries to download several files from the address.

These are stored in the following locations:

The HTTP protocol is used.

The trojan may create copies of itself using the following filenames:

A string with variable content is used instead of %malwarefilename% .

The trojan may execute the following commands:

netsh firewall add allowedprogram "%programfiles%\%variable1%\%variable2%\%malwarefilename%" ENABLE

The performed command creates an exception in the Windows Firewall.

The following Registry entries are created:

[HKEY_CLASSES_ROOT\.%variable3%]
- "(Default)" = "Encrypted file"
[HKEY_CLASSES_ROOT\%variable3%\DefaultIcon]
- "(Default)" = "%programfiles%\%variable1%\%variable2%\%malwarefilename%,0"
[HKEY_CLASSES_ROOT\%variable3%\Shell]
- "(Default)" = "Default"
[HKEY_CLASSES_ROOT\%variable3%\Shell\Default]
- "(Default)" = "Decrypt file"
[HKEY_CLASSES_ROOT\%variable3%\Shell\Default\command]
- "(Default)" = "%programfiles%\%variable1%\%variable2%\%malwarefilename% %1"

A string with variable content is used instead of %variable1-3% .

Win32/Filecoder.AE is a trojan that encrypts files on local drives.

Criteria for file(s) encryption are stored usually in the following configuration files:

To decrypt files the user is asked to send information/certain amount of money via Onpay.ru payment service.

The trojan displays the following dialog box:

The trojan needs following files to run: