Win32/Filecoder [Threat Name] go to Threat

Win32/Filecoder.DG [Threat Variant Name]

Category trojan
Size 1110017 B
Aliases Trojan.Agent.BHRT (BitDefender)
Short description

Win32/Filecoder.DG is a trojan that encrypts files on fixed, removable and network drives. To restore files to their original state the user is requested to send an e-mail to a specified address in exchange for a password/instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %startup%\­%malwarefilename%
Payload information

Win32/Filecoder.DG is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • .1cd
  • .3gp
  • .7z
  • .arj
  • .avi
  • .cdr
  • .cer
  • .cpt
  • .csv
  • .db3
  • .dbf
  • .doc
  • .docx
  • .dt
  • .dwg
  • .gzip
  • .jpeg
  • .jpg
  • .key
  • .m2v
  • .mdb
  • .mdb
  • .mkv
  • .mov
  • .mpeg
  • .ods
  • .odt
  • .pdf
  • .ppsx
  • .ppt
  • .pptx
  • .pwm
  • .rar
  • .raw
  • .rtf
  • .tib
  • .txt
  • .wab
  • .xls
  • .xlsx
  • .zip

Only folders which do not contain one of the following string in their path are searched:

  • program files
  • program files (x86)
  • programdata
  • system volume information
  • temp
  • windows

The trojan encrypts the file content.


The extension of the encrypted files is changed to:

  • .id-%variable%_xsmail@india.com

The variable %variable% represents a variable 10 digit number.


The AES encryption algorithm is used. The password is stored on the attacker's server.


To restore files to their original state the user is requested to send an e-mail to a specified address in exchange for a password/instructions.


The following files are dropped:

  • %appdata%\­xsmail.bmp (310582 B)
  • %startup%\­xsmail.bmp (310582 B)
  • %currentfolder%\­cleen.bat

When files encryption is finished, the trojan removes itself from the computer.

Information stealing

The trojan collects the following information:

  • computer name

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of (2) URLs. The HTTP protocol is used in the communication.

Other information

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Control Panel\­Desktop]
    • "TileWallpaper" = "0"
    • "Wallpaper" = "%appdata%\­xsmail.bmp"

The trojan displays the following picture:

Please enable Javascript to ensure correct displaying of this content and refresh this page.