Win32/Filecoder [Threat Name]
Win32/Filecoder.C [Threat Variant Name]
Category | trojan, worm
Size | 15872 B
Aliases | Trojan:Win32/Gpcode.H (Microsoft); Mal/Behav-116 (Sophos); Win32.Generic.ON (AVG)
Short description
Win32/Filecoder.C is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to send an SMS message to a specified telephone number in exchange for a password or instructions.
Installation
The trojan does not create any copies of itself.
The following file is dropped into the %windir% folder:
- CryptLogFile.txt
Payload information
Win32/Filecoder.C is a trojan that encrypts files on local drives.
The trojan searches local drives for files with the following file extensions:
- .ace
- .bmp
- .cdr
- .djvu
- .doc
- .docm
- .docx
- .eps
- .gif
- .jpeg
- .jpg
- .lnk
- .max
- .mp3
- .msi
- .png
- .ppd
- .pps
- .ppsx
- .ppt
- .pptx
- .psd
- .rar
- .rtf
- .tif
- .tiff
- .txt
- .wma
- .xls
- .xlsm
- .xlsx
- .xml
- .zip
The trojan encrypts the file content.
The trojan creates the following file:
- %systemdrive%\Прочти Меня - как расшифровать файлы.txt
It contains the following text:
- Внимание! (translation: "Attention!")
- Файлы заблокированы! (translation: "The files are locked!")
- Чтобы разблокировать, отправь SMS на номер 8385 с текстом "cwm545" (без кавычек). (translation: "To unlock, send an SMS to number 8385 with the text "cwm545" (without quotes).")
The encrypted files can be returned to their original state using the following command:
- %malwarepath% 112211
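The following Python script is an added example and is not part of the ESET description above. It turns the indicators on this page into a simple host check a responder can run: it looks for the two files the trojan drops (CryptLogFile.txt in %windir% and the ransom note at the root of %systemdrive%) and, separately, counts files under a given root whose extensions are on the targeted list, to scope what may have been encrypted. The directory layout it inspects is constructed inline in a temporary folder so the script runs offline; the %systemdrive% and %windir% locations are passed in as parameters, and the function names are the example's own.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the Win32/Filecoder.C description on this page.
RANSOM_NOTE_NAME = "Прочти Меня - как расшифровать файлы.txt"   # dropped in %systemdrive%
LOG_FILE_NAME = "CryptLogFile.txt"                              # dropped in %windir%
TARGETED_EXTENSIONS = {
    ".ace", ".bmp", ".cdr", ".djvu", ".doc", ".docm", ".docx", ".eps", ".gif",
    ".jpeg", ".jpg", ".lnk", ".max", ".mp3", ".msi", ".png", ".ppd", ".pps",
    ".ppsx", ".ppt", ".pptx", ".psd", ".rar", ".rtf", ".tif", ".tiff", ".txt",
    ".wma", ".xls", ".xlsm", ".xlsx", ".xml", ".zip",
}
# Files written by the trojan itself; they must not be counted as victim files.
ARTIFACT_NAMES = {RANSOM_NOTE_NAME, LOG_FILE_NAME}


def check_indicators(system_drive, windir):
    """Return the dropped-file indicators that are present on this host."""
    candidates = [Path(system_drive) / RANSOM_NOTE_NAME, Path(windir) / LOG_FILE_NAME]
    return [str(p) for p in candidates if p.is_file()]


def files_in_scope(root):
    """Walk root and return files whose extension is on the targeted list.

    Extension matching is case-insensitive, and the trojan's own artifacts
    are skipped so the count reflects potential victim files only.
    """
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name in ARTIFACT_NAMES:
                continue
            if Path(name).suffix.lower() in TARGETED_EXTENSIONS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def assess(system_drive, windir, scan_root):
    """Combine the indicator check and the impact scoping into one report."""
    indicators = check_indicators(system_drive, windir)
    scoped = files_in_scope(scan_root)
    return {
        "indicators": indicators,
        "in_scope_count": len(scoped),
        "in_scope": scoped,
    }


def demo():
    """Build a constructed sample tree (hypothetical host layout) and assess it."""
    base = Path(tempfile.mkdtemp(prefix="filecoder_demo_"))
    try:
        (base / "Windows").mkdir()
        (base / "Users" / "alice").mkdir(parents=True)
        sample_files = [
            RANSOM_NOTE_NAME,                 # ransom note at the "system drive" root
            "Windows/" + LOG_FILE_NAME,       # log file in the "Windows" folder
            "Users/alice/report.docx",        # targeted extension
            "Users/alice/photo.JPG",          # targeted extension, mixed case
            "Users/alice/notes.txt",          # targeted extension
            "Users/alice/app.exe",            # not targeted
            "Users/alice/archive.tar.gz",     # not targeted (.gz)
        ]
        for rel in sample_files:
            (base / rel).write_text("constructed sample content", encoding="utf-8")
        return assess(base, base / "Windows", base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    report = demo()
    print("Indicators present:", report["indicators"])
    print("Files with targeted extensions:", report["in_scope_count"])
```

On a live Windows host the same functions would be called with the real locations, for example `assess(os.environ["SystemDrive"] + "\\", os.environ["WINDIR"], "C:\\Users")`. The in-scope count is only an upper bound on what the trojan could have touched; confirming which files were actually encrypted needs a content check, which this example does not attempt.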