Win32/Filecoder [Threat Name]
Win32/Filecoder.CZ [Threat Variant Name]
Category | trojan
Size | 13824 B
Aliases | Trojan.Gen (Symantec)
Short description
Win32/Filecoder.CZ is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password or decryption instructions.
Installation
The trojan creates the following file:
- %temp%\sd.vbs
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "gpc" = "%temp%\sd.vbs"
After the installation is complete, the trojan deletes the original executable file.
Payload information
Win32/Filecoder.CZ is a trojan that encrypts files on local drives.
The trojan searches local drives for files with the following file extensions:
- .7z
- .abk
- .abd
- .acad
- .arh
- .arj
- .ace
- .arx
- .asm
- .bz
- .bz2
- .bak
- .bcb
- .c
- .cc
- .cdb
- .cdw
- .cdr
- .cer
- .cgi
- .chm
- .cnt
- .cpp
- .css
- .csv
- .db
- .db1
- .db2
- .db3
- .db4
- .dba
- .dbb
- .dbc
- .dbd
- .dbe
- .dbf
- .dbt
- .dbm
- .dbo
- .dbq
- .dbx
- .dco
- .djvu
- .doc
- .docx
- .docm
- .dotx
- .dotm
- .dok
- .dpr
- .dwg
- .dxf
- .ebd
- .eml
- .eni
- .ert
- .fax
- .fb2
- .flb
- .frm
- .frt
- .frx
- .frg
- .gtd
- .gz
- .gzip
- .gfa
- .gfr
- .gfd
- .gif
- .h
- .hnc
- .hne
- .inc
- .igs
- .iges
- .jar
- .jad
- .java
- .jbs
- .jks
- .jpg
- .jpeg
- .jfif
- .jpe
- .js
- .jsp
- .hpp
- .htm
- .html
- .key
- .kwm
- .ldif
- .lst
- .lsp
- .lzh
- .lzw
- .ldr
- .man
- .mdb
- .mht
- .mmf
- .mns
- .mnb
- .mnu
- .mo
- .msb
- .msg
- .mxl
- .old
- .ova
- .ovf
- .p12
- .pak
- .pas
- .pem
- .pfx
- .php
- .php3
- .php4
- .pl
- .pptx
- .pptm
- .png
- .potx
- .potm
- .ppam
- .ppsx
- .ppsm
- .prf
- .pgp
- .prx
- .psd
- .pst
- .pw
- .pwa
- .pwl
- .pwm
- .pm3
- .pm4
- .pm5
- .pm6
- .rar
- .rmr
- .rtf
- .safe
- .sar
- .sig
- .sql
- .tar
- .tc
- .tbb
- .tbk
- .tdf
- .tgz
- .tib
- .txt
- .uue
- .vb
- .vcf
- .vdi
- .vmc
- .vmdk
- .vmx
- .vmtm
- .wab
- .xls
- .xlsx
- .xlsm
- .xltx
- .xltm
- .xlsb
- .xlam
- .xml
- .zip
Only folders whose path does not contain one of the following strings are searched:
- Program File
- %windir%
The trojan encrypts the file content using the RSA and RC2 encryption algorithms.
The extension of the encrypted files is changed to:
- ._crypt
The trojan creates the following file:
- %currentfolder%\!_read_me_.txt
It contains the following text:
- Your files was blocked because of copyright violation, you can't access your files.
- Please visit %attackersurl% for more information and follow step by step instructions.
- === KEY ===
- %data%
- === END ===
To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password or decryption instructions.
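The following triage helper is an added example, not code from the ESET page or from the malware: it encodes the targeting rules above (the extension list, the excluded path strings, the ._crypt suffix and the !_read_me_.txt note) together with the Run-key persistence value from the Installation section, and applies them to a constructed file listing. It assumes %windir% expands to C:\Windows and that path matching is case-insensitive; only a subset of the page's extension list is embedded.

```python
import ntpath

# Subset of the extension list on the page; extend with the full list for real use.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".zip", ".rar",
                     ".sql", ".txt", ".tar", ".vmdk", ".pfx", ".key", ".db"}
# The page lists "Program File" and %windir%; %windir% is assumed to expand to C:\Windows.
EXCLUDED_PATH_STRINGS = ("Program File", r"C:\Windows")
ENCRYPTED_SUFFIX = "._crypt"
RANSOM_NOTE = "!_read_me_.txt"

def is_excluded(path):
    """True if the path contains an excluded string (case-insensitive match is an assumption)."""
    lowered = path.lower()
    return any(s.lower() in lowered for s in EXCLUDED_PATH_STRINGS)

def would_be_targeted(path):
    """True if the trojan's search, as described on the page, would select this file."""
    if is_excluded(path):
        return False
    return ntpath.splitext(path)[1].lower() in TARGET_EXTENSIONS

def triage(listing):
    """Split a host file listing into encrypted files, ransom notes and unencrypted targets."""
    result = {"encrypted": [], "notes": [], "at_risk": []}
    for path in listing:
        name = ntpath.basename(path).lower()
        if name.endswith(ENCRYPTED_SUFFIX):
            result["encrypted"].append(path)
        elif name == RANSOM_NOTE:
            # Tested before the extension rule: the note is itself a .txt file.
            result["notes"].append(path)
        elif would_be_targeted(path):
            result["at_risk"].append(path)
    return result

def is_persistence_entry(value_name, value_data):
    """Match the Run-key value from the page: "gpc" pointing at %temp%\\sd.vbs."""
    return value_name.lower() == "gpc" and value_data.lower().endswith("\\sd.vbs")

# Constructed sample listing, not real host data.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx._crypt",
    r"C:\Users\alice\Documents\!_read_me_.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Program Files\App\data.db",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\alice\backup.tar",
]
```

Calling `triage(SAMPLE_LISTING)` reports one encrypted file, one note and two files that the trojan would have selected but that are still intact.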
Other information
The trojan hooks the following Windows APIs:
- ZwConnectPort (ntdll.dll)
- ZwAlpcConnectPort (ntdll.dll)