Win32/Filecoder [Threat Name]
Win32/Filecoder.DG [Threat Variant Name]
Category | trojan
Size | 1110017 B
Aliases | Trojan.Agent.BHRT (BitDefender)
Short description
Win32/Filecoder.DG is a trojan that encrypts files on fixed, removable and network drives. To restore files to their original state the user is requested to send an e-mail to a specified address in exchange for a password/instructions.
Installation
When executed, the trojan copies itself into the following location:
- %startup%\%malwarefilename%
Payload information
Win32/Filecoder.DG is a trojan that encrypts files on fixed, removable and network drives.
The trojan searches for files with the following file extensions:
- .1cd
- .3gp
- .7z
- .arj
- .avi
- .cdr
- .cer
- .cpt
- .csv
- .db3
- .dbf
- .doc
- .docx
- .dt
- .dwg
- .gzip
- .jpeg
- .jpg
- .key
- .m2v
- .mdb
- .mkv
- .mov
- .mpeg
- .ods
- .odt
- .ppsx
- .ppt
- .pptx
- .pwm
- .rar
- .raw
- .rtf
- .tib
- .txt
- .wab
- .xls
- .xlsx
- .zip
Only folders whose path does not contain one of the following strings are searched:
- program files
- program files (x86)
- programdata
- system volume information
- temp
- windows
The trojan encrypts the file content.
The extension of the encrypted files is changed to:
- .id-%variable%_xsmail@india.com
The variable %variable% represents a variable 10-digit number.
The AES encryption algorithm is used. The password is stored on the attacker's server.
To restore files to their original state the user is requested to send an e-mail to a specified address in exchange for a password/instructions.
The following files are dropped:
- %appdata%\xsmail.bmp (310582 B)
- %startup%\xsmail.bmp (310582 B)
- %currentfolder%\cleen.bat
When file encryption is finished, the trojan removes itself from the computer.
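As a defender-side addition (not part of the ESET description), the following Python snippet turns the renamed-file pattern and the dropped file names listed above into a triage check over a file listing, so an incident responder can count affected files and recover their original names. The sample paths are constructed; the %variable% value is only extracted, not interpreted.

```python
import re
from pathlib import PurePath
from typing import Iterable, Optional

# Renamed-file pattern from the description: "<original name>.id-<10 digits>_xsmail@india.com".
# Case-insensitive because Windows file names are.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<variable>\d{10})_xsmail@india\.com$", re.IGNORECASE
)
# File names the description lists as dropped by the trojan.
DROPPED_NAMES = {"xsmail.bmp", "cleen.bat"}


def classify_path(path: str) -> Optional[dict]:
    """Return a finding for a path matching this variant's artefacts, else None."""
    name = PurePath(path.replace("\\", "/")).name  # handles Windows paths on any OS
    match = ENCRYPTED_NAME.match(name)
    if match:
        return {"path": path, "kind": "encrypted",
                "original": match.group("original"), "variable": match.group("variable")}
    if name.lower() in DROPPED_NAMES:
        return {"path": path, "kind": "dropped", "original": None, "variable": None}
    return None


def triage(paths: Iterable[str]) -> dict:
    """Summarise a listing: counts per kind and the distinct %variable% values seen."""
    findings = [f for f in map(classify_path, paths) if f is not None]
    variables = {f["variable"] for f in findings if f["kind"] == "encrypted"}
    return {
        "encrypted": sum(f["kind"] == "encrypted" for f in findings),
        "dropped": sum(f["kind"] == "dropped" for f in findings),
        "variables": sorted(variables),
        "findings": findings,
    }


# Constructed sample listing (hypothetical paths, not from a real incident).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.id-1234567890_xsmail@india.com",
    r"C:\Users\alice\Pictures\holiday.JPG.id-1234567890_XSMAIL@india.com",
    r"C:\Users\alice\AppData\Roaming\xsmail.bmp",
    r"D:\share\budget.xlsx.id-1234567890_xsmail@india.com",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Downloads\cleen.bat",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for finding in result["findings"]:
        print(f'{finding["kind"]:9} {finding["path"]}')
    print(f'{result["encrypted"]} encrypted, {result["dropped"]} dropped, ids {result["variables"]}')
```

Feed it a real listing (for example the output of `dir /s /b` from the affected drives) to get a per-id count and the original file names needed for restoration from backups.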
Information stealing
The trojan collects the following information:
- computer name
The trojan attempts to send gathered information to a remote machine.
The trojan contains a list of 2 URLs. The HTTP protocol is used in the communication.
Other information
The following Registry entries are set:
- [HKEY_CURRENT_USER\Control Panel\Desktop]
- "TileWallpaper" = "0"
- "Wallpaper" = "%appdata%\xsmail.bmp"
The trojan displays the following picture: