Win32/Filecoder [Threat Name]
Win32/Filecoder.AH [Threat Variant Name]
Category | trojan |
Size | 70656 B |
Aliases | Trojan:Win32/Encriyoko.A (Microsoft) |
Short description
Win32/Filecoder.AH is a trojan that encrypts files on local drives. The trojan is usually a part of other malware. The file is run-time compressed using PECompact.
Installation
The trojan does not create any copies of itself.
Payload information
Win32/Filecoder.AH is a trojan that encrypts files on local drives.
The trojan searches for files with the following file extensions:
- .c
- .cpp
- .cs
- .php
- .java
- .pas
- .vb
- .frm
- .bas
- .go
- .asp
- .aspx
- .jsp
- .pl
- .py
- .rb
- .jpg
- .png
- .psd
- .wav
- .wma
- .amr
- .awb
- .rar
- .zip
- .iso
- .gz
- .7z
The trojan also searches for files whose file names contain any of the following strings:
- doc
- xls
- ppt
- mdb
- dw
- dx
- sh
- pic
- 111
- win
- wvw
- drw
- grp
- rpl
- mce
- mcg
- pag
Only folders whose paths do not contain any of the following strings are searched:
- windows
- program files
- local settings
- programdata
- ravbin
- krecycle
The trojan encrypts the file content.
Other information
The trojan saves the list of encrypted files into the following file:
- %temp%\vxsur.bin
The trojan saves the password into the following file:
- %temp%\nepia.dud
The encryption uses the "Blowfish" algorithm.
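For incident scoping, the targeting rules and the two `%temp%` file names listed above can be turned into a quick triage check. The following Python sketch is an added example, not part of the original description or any vendor tool; it assumes matching is case-insensitive and that the name strings are compared against the full file name including its extension, neither of which the description states. The function names and sample paths are constructed for illustration.

```python
import os
import tempfile
from pathlib import PureWindowsPath

# The four lists below are copied from this page.
EXTENSIONS = set(
    ".c .cpp .cs .php .java .pas .vb .frm .bas .go .asp .aspx .jsp .pl .py .rb "
    ".jpg .png .psd .wav .wma .amr .awb .rar .zip .iso .gz .7z".split()
)
NAME_STRINGS = ("doc xls ppt mdb dw dx sh pic 111 win wvw drw grp rpl "
                "mce mcg pag").split()
SKIPPED_FOLDER_STRINGS = ("windows", "program files", "local settings",
                          "programdata", "ravbin", "krecycle")
ARTIFACTS = ("vxsur.bin", "nepia.dud")  # written to %temp% per this page


def in_scope(path):
    """Return why a Windows path matches the targeting rules, or None.

    Assumption: all comparisons are case-insensitive, and the name strings
    are matched against the full file name including its extension.
    """
    p = PureWindowsPath(path)
    folder = str(p.parent).lower()
    if any(s in folder for s in SKIPPED_FOLDER_STRINGS):
        return None  # folder is excluded from the search
    if p.suffix.lower() in EXTENSIONS:
        return "extension " + p.suffix.lower()
    name = p.name.lower()
    for s in NAME_STRINGS:
        if s in name:
            return "name contains " + s
    return None


def find_artifacts(temp_dir):
    """Return which of the two files named on this page exist in temp_dir."""
    return [a for a in ARTIFACTS if os.path.isfile(os.path.join(temp_dir, a))]


if __name__ == "__main__":
    print("artifacts:", find_artifacts(tempfile.gettempdir()))
    # Constructed sample paths, not taken from a real host.
    for sample in (r"C:\Users\ana\src\main.cpp",
                   r"C:\Users\ana\Documents\budget.XLSX",
                   r"C:\Windows\System32\notes.py",
                   r"C:\Users\ana\notes.txt"):
        print(sample, "->", in_scope(sample))
```

Run it against a file listing exported from the affected host to estimate which files need to be checked or restored; the presence of either artifact in the user's temp directory indicates the trojan ran under that account.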