Win32/Filecoder [Threat Name]

Win32/Filecoder.EQ [Threat Variant Name]

Category trojan
Size 624128 B
Aliases FileCryptor.BNV.trojan (AVG)
  Trojan.Encoder.567 (Dr.Web)
  Trojan-Ransom.Win32.Cryakl.sw (Kaspersky)
  Ransom:Win32/Simlosap.A (Microsoft)
Short description

Win32/Filecoder.EQ is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password or decryption instructions.

Installation

When executed, the trojan copies itself to the following locations:

  • %temp%\%malwarefilename%
  • %programfiles%\%malwarefilename%

This copy of the trojan is then executed.

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "pr" = "%programfiles%\%malwarefilename%"

The trojan may create the text file:

  • %programfiles%\%variable1%.%variable2%

A string with variable content is used in place of %variable1% and %variable2%.

Payload information

Win32/Filecoder.EQ is a trojan that encrypts files on local drives.

The trojan searches for files with the following file extensions:

  • .1cd
  • .3gp
  • .7z
  • .a3d
  • .abf
  • .accdb
  • .arj
  • .asm
  • .avi
  • .cdr
  • .cdx
  • .cer
  • .cpt
  • .csv
  • .db3
  • .dbf
  • .doc
  • .docx
  • .fbf
  • .fbk
  • .fbw
  • .fbx
  • .fdb
  • .gbk
  • .gho
  • .gzip
  • .iv2i
  • .jpeg
  • .jpg
  • .keystore
  • .ldf
  • .m2v
  • .m3d
  • .max
  • .mdb
  • .mkv
  • .mov
  • .mp3
  • .mpeg
  • .nbd
  • .nrw
  • .nx1
  • .odb
  • .odc
  • .odp
  • .ods
  • .odt
  • .old
  • .orf
  • .p12
  • .pdf
  • .pef
  • .png
  • .ppt
  • .pptm
  • .psd
  • .pst
  • .ptx
  • .pz3
  • .qic
  • .r3d
  • .raf
  • .rar
  • .raw
  • .rtf
  • .rwl
  • .rx2
  • .sbs
  • .sldasm
  • .sldprt
  • .sn1
  • .sna
  • .spf
  • .sr2
  • .srf
  • .srw
  • .tbl
  • .tif
  • .tis
  • .txt
  • .wps
  • .x3f
  • .xls
  • .xlsx
  • .zip

The trojan encrypts the file content.

The RSA encryption algorithm is used.

The name of the encrypted file is changed to:

  • %attackersemail%-CL 0.0.1.0.id-%victimID%.randomname-<%random30chars%>.<%random3chars%>.cbf

To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password or decryption instructions.


The trojan drops one of the following files in the %programfiles% folder:

  • desk.bmp (156286 B)
  • desk1.bmp (156286 B)

%programfiles% stands for one of the following paths:

  • %systemdrive%\Program Files\
  • %systemdrive%\Program Files (x86)\

The following files are dropped in the same folder:

  • desk.jpg (156286 B)
  • %variable3%.bat

A string with variable content is used in place of %attackersemail%, %victimID%, %random30chars%, %random3chars% and %variable3%.
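As an added defender-side example (not part of the ESET entry), the following Python script parses the encrypted-file naming pattern described above and flags the dropped wallpaper artifacts when run over a constructed file listing. It assumes the angle brackets in the pattern are placeholder notation rather than literal characters, so the random parts are accepted with or without them.

```python
import re

# Naming pattern quoted on the page:
#   %attackersemail%-CL 0.0.1.0.id-%victimID%.randomname-<%random30chars%>.<%random3chars%>.cbf
# Assumption: the angle brackets are placeholder notation, not literal characters,
# so the random parts are accepted with or without them.
CBF_NAME = re.compile(
    r"^(?P<email>\S+?@\S+?)"                          # attacker contact address
    r"-CL (?P<version>\d+(?:\.\d+){3})"                # "CL" marker and version
    r"\.id-(?P<victim_id>[^.]+)"                       # per-victim identifier
    r"\.randomname-<?(?P<rand30>[A-Za-z0-9]{30})>?"    # 30 random characters
    r"\.<?(?P<rand3>[A-Za-z0-9]{3})>?"                 # 3 random characters
    r"\.cbf$",
    re.IGNORECASE,
)

# Wallpaper files dropped into %programfiles% (names and sizes from the page).
DROPPED_ARTIFACTS = {"desk.bmp": 156286, "desk1.bmp": 156286, "desk.jpg": 156286}


def parse_cbf_name(name):
    """Return the fields of a renamed file, or None if the name does not match."""
    m = CBF_NAME.match(name)
    return m.groupdict() if m else None


def triage_listing(entries):
    """Scan (file name, size) pairs, e.g. from a file-event feed, and summarise
    Filecoder.EQ indicators found: renamed files, attacker addresses, victim
    IDs and dropped wallpaper artifacts."""
    hits, emails, victims, artifacts = [], set(), set(), []
    for name, size in entries:
        fields = parse_cbf_name(name)
        if fields:
            hits.append(name)
            emails.add(fields["email"].lower())
            victims.add(fields["victim_id"])
        elif DROPPED_ARTIFACTS.get(name.lower()) == size:
            artifacts.append(name)
    return {"encrypted_files": hits, "attacker_emails": sorted(emails),
            "victim_ids": sorted(victims), "dropped_artifacts": artifacts,
            "alert": bool(hits or artifacts)}


# Constructed sample listing (not real data): two renamed files (one with the
# bracketed form, one without), one benign file and one wallpaper artifact.
SAMPLE_LISTING = [
    ("decrypt@example.test-CL 0.0.1.0.id-1234567890.randomname-"
     "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123.XYZ.cbf", 20480),
    ("decrypt@example.test-CL 0.0.1.0.id-1234567890.randomname-"
     "<abcdefghijklmnopqrstuvwxyz0123>.<qrs>.cbf", 4096),
    ("report.docx", 51200),
    ("desk.bmp", 156286),
]
```

Calling `triage_listing(SAMPLE_LISTING)` returns the two renamed files, the attacker address, the victim ID and `desk.bmp` as a dropped artifact, with `alert` set to True.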


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "Wallpaper" = "%programfiles%\desk.bmp"
    • "Wallpaper" = "%programfiles%\desk1.bmp"
    • "TileWallpaper" = "0"

The trojan then removes itself from the computer.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 5 URLs. The HTTP protocol is used for the communication.
