Win32/Filecoder.Crysis [Threat Name]
Win32/Filecoder.Crysis.B [Threat Variant Name]
Category | trojan
Size | 178176 B
Aliases | Trojan-Ransom.Win32.PornoAsset.ctes (Kaspersky), Ransom:Win32/Tescrypt.N (Microsoft), Trojan.Encoder.3953 (Dr.Web)
Short description
Win32/Filecoder.Crysis.B is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Installation
When executed, the trojan copies itself into one of the following locations:
- %localappdata%\%originalmalwarefilename%.exe
- %windir%\system32\%originalmalwarefilename%.exe
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "%originalmalwarefilename%" = "%installpath%\%originalmalwarefilename%.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%originalmalwarefilename%" = "%installpath%\%originalmalwarefilename%.exe"
This causes the trojan to be executed on every system start.
Payload information
Win32/Filecoder.Crysis.B is a trojan that encrypts files on fixed, removable and network drives.
The trojan searches for files with the following file extensions:
- *.*
It avoids those with any of the following strings in their names:
- c:\windows
- .xtbl
It avoids files with the following filenames:
- boot.ini
- explorer.exe
- svchost.exe
- %originalmalwarefilename%.exe
The trojan encrypts the file content.
An additional .ID%variable%.%email_address%.xtbl extension is appended to each encrypted file.
A string with variable content is used in place of %variable%.
The RSA and AES encryption algorithms are used.
The following file is dropped:
- %userprofile%\Desktop\How to decrypt your files.txt
It contains the following text:
- DECRYPT FILES EMAIL %email_address1% or %email_address2%
To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Information stealing
The trojan collects the following information:
- computer name
The trojan attempts to send gathered information to a remote machine.
The trojan contains a URL address. The HTTP protocol is used in the communication.
Other information
The trojan executes the following commands:
- mode con cp select=1251
- vssadmin delete shadows /all /quiet
- Exit
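The two indicators above that a defender can match on are the appended .ID%variable%.%email_address%.xtbl extension and the vssadmin shadow-copy deletion command. The following Python script is an added example, not code from this page or from ESET: it parses the appended extension back into its original name, ID and contact address, recognises the dropped ransom note by name, and flags the shadow-copy deletion in process command lines. All file paths, the ID value, the e-mail address and the log events are constructed for the example.

```python
"""Detection helpers for the file-naming and command-line indicators
described for Win32/Filecoder.Crysis.B.  Every sample value below is
constructed for this example; no real victim data is involved."""
import re
from typing import Dict, List, Optional

# Appended extension from the description: <name>.ID<variable>.<email_address>.xtbl
# The ID is taken as a run of non-dot characters; the e-mail pattern is kept
# loose because the addresses used by the operators vary (assumption).
XTBL_RE = re.compile(
    r"^(?P<original>.+)\.ID(?P<id>[^.\\/\s]+)\.(?P<email>[^\\/\s@]+@[^\\/\s@]+)\.xtbl$",
    re.IGNORECASE,
)

# Name of the note the trojan drops on the Desktop (from the description).
RANSOM_NOTE = "how to decrypt your files.txt"


def basename(path: str) -> str:
    """Final component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_xtbl_name(filename: str) -> Optional[Dict[str, str]]:
    """Return {'original', 'id', 'email'} when `filename` carries the
    Crysis.B extension, otherwise None."""
    m = XTBL_RE.match(filename)
    return m.groupdict() if m else None


def is_ransom_note(path: str) -> bool:
    return basename(path).lower() == RANSOM_NOTE


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when a command line runs vssadmin to delete shadow copies
    (the description lists `vssadmin delete shadows /all /quiet`).
    Token based, so extra whitespace, quoting or a full path to
    vssadmin.exe still match."""
    tokens = [basename(t.strip('"')).lower() for t in cmdline.split()]
    tokens = [t[:-4] if t.endswith(".exe") else t for t in tokens]
    return {"vssadmin", "delete", "shadows"} <= set(tokens)


def triage(file_events: List[str], process_events: List[str]) -> Dict[str, object]:
    """Summarise the indicators seen across file-creation paths and
    process command lines."""
    parsed = [parse_xtbl_name(basename(p)) for p in file_events]
    parsed = [p for p in parsed if p]
    return {
        "encrypted_files": len(parsed),
        "contact_emails": sorted({p["email"].lower() for p in parsed}),
        "ransom_notes": sum(is_ransom_note(p) for p in file_events),
        "shadow_deletion": sum(is_shadow_copy_deletion(c) for c in process_events),
    }


# Constructed sample events (paths, ID and address are placeholders).
FILE_EVENTS = [
    r"C:\Users\alice\Documents\report.docx.ID1234567890.decrypt@example.invalid.xtbl",
    r"C:\Users\alice\Pictures\holiday.jpg.ID1234567890.decrypt@example.invalid.xtbl",
    r"C:\Users\alice\Desktop\How to decrypt your files.txt",
    r"C:\Users\alice\Documents\notes.txt",
]
PROCESS_EVENTS = [
    r'"C:\Windows\System32\cmd.exe" /c mode con cp select=1251',
    r'"C:\Windows\System32\vssadmin.exe"  delete shadows /all /quiet',
    r"C:\Windows\System32\notepad.exe C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    print(triage(FILE_EVENTS, PROCESS_EVENTS))
```

The extension parser recovers the contact address from every renamed file, so an analyst can confirm that all hits belong to one campaign, and the token-based vssadmin check avoids being defeated by a quoted full path or irregular spacing in the recorded command line.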
The trojan may create the following files:
- %userprofile%\Documents\DECRYPT.jpg
This image is set as the desktop wallpaper.
Some examples follow.