Win32/Filecoder [Threat Name]

Win32/Filecoder.AH [Threat Variant Name]

Category trojan
Size 70656 B
Aliases Trojan:Win32/Encriyoko.A (Microsoft)

Short description

Win32/Filecoder.AH is a trojan that encrypts files on local drives. The trojan is usually a part of other malware. The file is run-time compressed using PE Compact.

Installation

The trojan does not create any copies of itself.

Payload information

Win32/Filecoder.AH is a trojan that encrypts files on local drives.


The trojan searches for files with the following file extensions:

  • .c
  • .cpp
  • .cs
  • .php
  • .java
  • .pas
  • .vb
  • .frm
  • .bas
  • .go
  • .asp
  • .aspx
  • .jsp
  • .pl
  • .py
  • .rb
  • .jpg
  • .png
  • .psd
  • .wav
  • .wma
  • .amr
  • .awb
  • .rar
  • .zip
  • .iso
  • .gz
  • .7z

The trojan searches for files that contain any of the following strings in their file name:

  • doc
  • xls
  • ppt
  • mdb
  • pdf
  • dw
  • dx
  • sh
  • pic
  • 111
  • win
  • wvw
  • drw
  • grp
  • rpl
  • mce
  • mcg
  • pag

Only folders whose path does not contain any of the following strings are searched:

  • windows
  • program files
  • local settings
  • programdata
  • ravbin
  • krecycle

The trojan encrypts the file content.

Other information

The trojan saves the list of encrypted files into the following file:

  • %temp%\vxsur.bin

The trojan saves the password into the following file:

  • %temp%\nepia.dud

The encryption uses the "Blowfish" algorithm.
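
For incident scoping, the selection rules and %temp% file names above can be applied to a file listing collected from a host to estimate which files were candidates for encryption and whether the trojan's artifacts are present. This is an added example, not code from the original description; it assumes case-insensitive matching and that a file qualifies if either the extension list or the name-string list matches, and the sample paths are constructed.

```python
import ntpath

# Rules transcribed from the description above.
EXTENSIONS = {".c", ".cpp", ".cs", ".php", ".java", ".pas", ".vb", ".frm",
              ".bas", ".go", ".asp", ".aspx", ".jsp", ".pl", ".py", ".rb",
              ".jpg", ".png", ".psd", ".wav", ".wma", ".amr", ".awb", ".rar",
              ".zip", ".iso", ".gz", ".7z"}
NAME_STRINGS = ("doc", "xls", "ppt", "mdb", "pdf", "dw", "dx", "sh", "pic",
                "111", "win", "wvw", "drw", "grp", "rpl", "mce", "mcg", "pag")
SKIPPED_PATH_STRINGS = ("windows", "program files", "local settings",
                        "programdata", "ravbin", "krecycle")
ARTIFACTS = ("vxsur.bin", "nepia.dud")  # written to %temp% per the description


def in_scope(path):
    """True if a Windows path matches the described selection rules."""
    folder, name = ntpath.split(path.lower())  # assumption: case-insensitive
    if any(s in folder for s in SKIPPED_PATH_STRINGS):
        return False  # folder is excluded from the search
    ext = ntpath.splitext(name)[1]
    # Assumption: either rule is sufficient to select the file.
    return ext in EXTENSIONS or any(s in name for s in NAME_STRINGS)


def candidate_files(listing):
    """Paths from a collected listing that the rules would have selected."""
    return [p for p in listing if in_scope(p)]


def artifacts_present(temp_listing):
    """Artifact file names found in a listing of the user's %temp% folder."""
    names = {ntpath.basename(p).lower() for p in temp_listing}
    return [a for a in ARTIFACTS if a in names]


# Constructed sample listing (not from a real host).
SAMPLE = [
    r"C:\Users\alice\src\main.go",
    r"C:\Users\alice\Documents\Budget.XLSX",
    r"C:\Program Files\App\readme.pdf",
    r"C:\Users\alice\notes.txt",
]
SAMPLE_TEMP = [r"C:\Users\alice\AppData\Local\Temp\vxsur.bin"]

if __name__ == "__main__":
    print("candidates:", candidate_files(SAMPLE))
    print("artifacts:", artifacts_present(SAMPLE_TEMP))
```

The candidate list is an upper bound for triage; the description does not document the format of vxsur.bin, so this example does not attempt to parse it.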
