Win32/Filecoder [Threat Name] go to Threat
Win32/Filecoder.ED [Threat Variant Name]
| Category | trojan |
| Size | 882176 B |
| Aliases | Backdoor.Win32.Androm.gcuz (Kaspersky) |
Short description
Win32/Filecoder.ED is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Installation
When executed, the trojan copies itself in some of the the following locations:
- %commonappdata%\Windows\csrss.exe
- %appdata%\Windows\csrss.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Client Server Runtime Subsystem" = "%malwarefolder%\csrss.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Client Server Runtime Subsystem" = "%malwarefolder%\csrss.exe"
In order to be executed on every system start, the trojan creates the following file:
- %startup%\csrss.lnk
Payload information
Win32/Filecoder.ED is a trojan that encrypts files on local drives.
The trojan searches local drives for files with the following file extensions:
- .3ds
- .3fr
- .3g2
- .3gp
- .7z
- .accda
- .accdb
- .accdc
- .accde
- .accdt
- .accdw
- .adb
- .adp
- .ai
- .ai3
- .ai4
- .ai5
- .ai6
- .ai7
- .ai8
- .anim
- .arw
- .as
- .asa
- .asc
- .ascx
- .asm
- .asmx
- .asp
- .aspx
- .asr
- .asx
- .avi
- .avs
- .backup
- .bak
- .bay
- .bd
- .bin
- .bmp
- .bz2
- .c
- .cdr
- .cer
- .cfc
- .cfm
- .cfml
- .chm
- .cin
- .class
- .config
- .cpp
- .cr2
- .crt
- .crw
- .cs
- .css
- .csv
- .cub
- .dae
- .dat
- .dbf
- .dc3
- .dcm
- .dcr
- .der
- .dib
- .dic
- .dif
- .divx
- .djvu
- .dng
- .doc
- .docm
- .docx
- .dot
- .dotm
- .dotx
- .dpx
- .dqy
- .dsn
- .dtd
- .dwg
- .dwt
- .dx
- .dxf
- .edml
- .emf
- .emz
- .eps
- .epsf
- .epsp
- .erf
- .exr
- .f4v
- .fido
- .flm
- .flv
- .frm
- .fxg
- .gif
- .gz
- .h
- .hdr
- .hpp
- .hta
- .htc
- .htm
- .html
- .icb
- .ics
- .iff
- .inc
- .indd
- .ini
- .iqy
- .j2c
- .j2k
- .java
- .jp2
- .jpc
- .jpe
- .jpeg
- .jpf
- .jpg
- .jpx
- .js
- .jsf
- .json
- .jsp
- .kdc
- .kmz
- .lasso
- .lbi
- .m1v
- .m4a
- .m4v
- .max
- .mda
- .mdb
- .mde
- .mdf
- .mdw
- .mef
- .mfw
- .mht
- .mhtml
- .mka
- .mkidx
- .mkv
- .mos
- .mov
- .mp3
- .mp4
- .mpeg
- .mpg
- .mpv
- .mrw
- .msg
- .myd
- .myi
- .nef
- .nrw
- .obj
- .odb
- .odm
- .odp
- .ods
- .oft
- .one
- .onepkg
- .onetoc2
- .opt
- .oqy
- .orf
- .p12,
- .p7b
- .p7c
- .pam
- .pbm
- .pct
- .pcx
- .pdd
- .pdd
- .pdp
- .pef
- .pem
- .pfm
- .pfx
- .pgm
- .php
- .php3
- .php4
- .php5
- .phtml
- .pict
- .pl
- .pls
- .pm
- .png
- .pnm
- .pot
- .potm
- .potx
- .ppa
- .ppam
- .ppm
- .pps
- .ppsm
- .ppt
- .pptm
- .pptx
- .prn
- .ps
- .psb
- .psd
- .pst
- .ptx
- .pub
- .pxr
- .py
- .qt
- .r3d
- .raf
- .rar
- .raw
- .rdf
- .rgbe
- .rle
- .rqy
- .rss
- .rtf
- .rw2
- .rwl
- .sct
- .sdpx
- .shtm
- .shtml
- .slk
- .sln
- .sql
- .sr2
- .srf
- .srw
- .ssi
- .stm
- .svg
- .svgz
- .swf
- .tab
- .tar
- .tdi
- .tga
- .thmx
- .tif
- .tiff
- .tld
- .torrent
- .tpl
- .txt
- .u3d
- .udl
- .uxdc
- .vb
- .vbs
- .vcs
- .vda
- .vdr
- .vdw
- .vdx
- .vsd
- .vss
- .vst
- .vsw
- .vsx
- .vtm
- .vtml
- .vtx
- .wav
- .wb2
- .wbm
- .wbmp
- .wim
- .wmf
- .wml
- .wmv
- .wpd
- .wps
- .x3f
- .xl
- .xla
- .xlam
- .xlk
- .xls
- .xlsb
- .xlsm
- .xlsx
- .xlt
- .xltm
- .xml
- .xps
- .xsd
- .xsf
- .xsl
- .xslt
- .xsn
- .xtp
- .xtp2
- .xyze
- .xz
- .zip
The trojan encrypts the file content.
The AES, RSA encryption algorithm is used.
The password is stored on the attacker's server.
The extension of the encrypted files is changed to:
- .xtbl
To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
The following file is dropped:
- %appdata%\%variable%.bmp (2359350 B)
This file/image is set as a wallpaper.
The following files are dropped:
- %rootfolder%\README%number%.txt (903 B)
- %desktop%\README%number%.txt (903 B)
A variable numerical value is used instead of %number% .
The written data contains the following string:
- Ваши файлы были зашифрованы.
- Чтобы расшифровать их, Вам необходимо отправить код:
- %variable%
- на электронный адрес desh%removed%01@gmail.com или desh%removed%@india.com .
- Далее вы получите все необходимые инструкции.
- Попытки расшифровать самостоятельно не приведут ни к чему, кроме безвозвратной потери информации.
- All the important files on your computer were encrypted.
- To decrypt the files you should send the following code:
- %variable%
- to e-mail address desh%removed%01@gmail.com or desh%removed%@india.com .
- Then you will receive all necessary instructions.
- All the attempts of decryption by yourself will result only in irrevocable loss of your data.
A string with variable content is used instead of %variable% .
Other information
The trojan contains a list of (4) URL addresses.
It can send various information about the infected computer to an attacker.
The TOR protocol is used in the communication.
The trojan keeps various information in the following Registry keys:
- [HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration]
- "i" = "%variable%"
- "Version" = "%variable%"
- "mode" = "%variable%"
- "pk" = "%variable%"
- "state" = "%variable%"
- "cnt" = "%variable%"
- "wp" = "%variable%"
A string with variable content is used instead of %variable% .