Win32/Filecoder.Crysis [Threat Name]

Win32/Filecoder.Crysis.B [Threat Variant Name]

Category: trojan
Size: 178176 B
Detection created: Feb 19, 2016
Detection database version: 13057
Aliases: Trojan-Ransom.Win32.PornoAsset.ctes (Kaspersky)
  Ransom:Win32/Tescrypt.N (Microsoft)
  Trojan.Encoder.3953 (Dr.Web)
Short description

Win32/Filecoder.Crysis.B is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password or instructions.

Installation

When executed, the trojan copies itself to one of the following locations:

  • %localappdata%\%originalmalwarefilename%.exe
  • %windir%\system32\%originalmalwarefilename%.exe

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%originalmalwarefilename%" = "%installpath%\%originalmalwarefilename%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%originalmalwarefilename%" = "%installpath%\%originalmalwarefilename%.exe"

This causes the trojan to be executed on every system start.

Payload information

Win32/Filecoder.Crysis.B is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • *.*

It avoids those with any of the following strings in their names:

  • c:\windows
  • .xtbl

It avoids files with the following filenames:

  • boot.ini
  • explorer.exe
  • svchost.exe
  • %originalmalwarefilename%.exe

The trojan encrypts the file content.

An additional .ID%variable%.%email_address%.xtbl extension is appended.

A string with variable content is used instead of %variable%.

The RSA and AES encryption algorithms are used.


The following file is dropped:

  • %userprofile%\Desktop\How to decrypt your files.txt

It contains the following text:

  • DECRYPT FILES EMAIL %email_address1% or %email_address2%

To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password or instructions.

Information stealing

The trojan collects the following information:

  • computer name

The trojan attempts to send the gathered information to a remote machine.

The trojan contains a URL. The HTTP protocol is used for the communication.

Other information

The trojan executes the following commands:

  • mode con cp select=1251
  • vssadmin delete shadows /all /quiet
  • Exit
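As an added defender-side example (not part of this ESET entry and not ESET's detection logic), the following Python checks a file listing and process-log lines for two of the indicators described above: the appended .ID%variable%.%email_address%.xtbl extension and the vssadmin delete shadows /all /quiet command. The file paths, log lines and e-mail address are constructed for the example, and the regular expressions are assumptions about how those values look on disk and in a log, derived from the formats given in the entry.

```python
import re
from typing import Dict, Iterable, List

# Added example, not ESET's code. Indicators are taken from the entry:
#   appended extension  .ID%variable%.%email_address%.xtbl
#   executed command    vssadmin delete shadows /all /quiet
# The regular expressions are assumptions about how those values look.

# .ID<variable>.<local@domain>.xtbl at the end of the name (case-insensitive)
CRYSIS_SUFFIX_RE = re.compile(
    r"\.id(?P<id>[^.\\/]+)"                    # .ID followed by the variable string
    r"\.(?P<email>[^\s\\/@]+@[^\s\\/]+)"       # .email_address
    r"\.xtbl$",                                # .xtbl
    re.IGNORECASE,
)

# Shadow-copy deletion, with or without the .exe suffix and extra whitespace
VSSADMIN_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)


def is_crysis_name(path: str) -> bool:
    """True if the file name carries the appended Crysis extension."""
    return CRYSIS_SUFFIX_RE.search(path) is not None


def original_path(path: str) -> str:
    """Strip the appended extension to recover the pre-encryption file name."""
    return CRYSIS_SUFFIX_RE.sub("", path)


def ransom_email(path: str) -> str:
    """Return the contact e-mail embedded in the appended extension, or ''."""
    match = CRYSIS_SUFFIX_RE.search(path)
    return match.group("email") if match else ""


def find_shadow_deletion(log_lines: Iterable[str]) -> List[str]:
    """Return the process-log lines that record shadow copy deletion."""
    return [line for line in log_lines if VSSADMIN_RE.search(line)]


def triage(paths: Iterable[str], log_lines: Iterable[str]) -> Dict[str, object]:
    """Summarise both indicators over a file listing and a process log."""
    hits = [p for p in paths if is_crysis_name(p)]
    return {
        "encrypted_files": [original_path(p) for p in hits],
        "contact_emails": sorted({ransom_email(p) for p in hits}),
        "shadow_deletion": find_shadow_deletion(log_lines),
    }


# Constructed sample data (not taken from the entry)
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.id-AB12CD34.helpme@example.test.xtbl",
    r"C:\Users\alice\Pictures\holiday.jpg.id-AB12CD34.helpme@example.test.xtbl",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\notepad.exe",
]

SAMPLE_PROCESS_LOG = [
    'host1 pid=1312 cmdline="cmd.exe /c mode con cp select=1251"',
    'host1 pid=1320 cmdline="vssadmin delete shadows /all /quiet"',
    'host1 pid=1344 cmdline="notepad.exe C:\\Users\\alice\\Documents\\notes.txt"',
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PATHS, SAMPLE_PROCESS_LOG), indent=2))
```

The recovered original names give the list of affected files for restore from backup, the extracted e-mail is the pivot for grouping infections that share a campaign, and a process-log hit on shadow copy deletion is worth alerting on regardless of which family issued it.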

The trojan may create the following files:

  • %userprofile%\Documents\DECRYPT.jpg

This image is set as the desktop wallpaper.
