Win32/Filecoder [Threat Name]
Win32/Filecoder.EQ [Threat Variant Name]
Category: trojan
Size: 624128 B
Aliases:
- FileCryptor.BNV.trojan (AVG)
- Trojan.Encoder.567 (Dr.Web)
- Trojan-Ransom.Win32.Cryakl.sw (Kaspersky)
- Ransom:Win32/Simlosap.A (Microsoft)
Short description
Win32/Filecoder.EQ is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password or decryption instructions.
Installation
When executed, the trojan copies itself to the following locations:
- %temp%\%malwarefilename%
- %programfiles%\%malwarefilename%
This copy of the trojan is then executed.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "pr" = "%programfiles%\%malwarefilename%"
The trojan may create the text file:
- %programfiles%\%variable1%.%variable2%
A string with variable content is used in place of %variable1% and %variable2%.
Payload information
Win32/Filecoder.EQ is a trojan that encrypts files on local drives.
The trojan searches for files with the following file extensions:
- .1cd
- .3gp
- .7z
- .a3d
- .abf
- .accdb
- .arj
- .asm
- .avi
- .cdr
- .cdx
- .cer
- .cpt
- .csv
- .db3
- .dbf
- .doc
- .docx
- .fbf
- .fbk
- .fbw
- .fbx
- .fdb
- .gbk
- .gho
- .gzip
- .iv2i
- .jpeg
- .jpg
- .keystore
- .ldf
- .m2v
- .m3d
- .max
- .mdb
- .mkv
- .mov
- .mp3
- .mpeg
- .nbd
- .nrw
- .nx1
- .odb
- .odc
- .odp
- .ods
- .odt
- .old
- .orf
- .p12
- .pef
- .png
- .ppt
- .pptm
- .psd
- .pst
- .ptx
- .pz3
- .qic
- .r3d
- .raf
- .rar
- .raw
- .rtf
- .rwl
- .rx2
- .sbs
- .sldasm
- .sldprt
- .sn1
- .sna
- .spf
- .sr2
- .srf
- .srw
- .tbl
- .tif
- .tis
- .txt
- .wps
- .x3f
- .xls
- .xlsx
- .zip
The trojan encrypts the file content.
The RSA encryption algorithm is used.
The name of the encrypted file is changed to:
- %attackersemail%-CL 0.0.1.0.id-%victimID%.randomname-<%random30chars%>.<%random3chars%>.cbf
To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password or decryption instructions.
The trojan drops one of the following files in the %programfiles% folder:
- desk.bmp (156286 B)
- desk1.bmp (156286 B)
%programfiles% stands for one of the following paths:
- %systemdrive%\Program Files\
- %systemdrive%\Program Files (x86)\
The following files are dropped in the same folder:
- desk.jpg (156286 B)
- %variable3%.bat
A string with variable content is used in place of %attackersemail%, %victimID%, %random30chars%, %random3chars% and %variable3%.
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Control Panel\Desktop]
- "Wallpaper" = "%programfiles%\desk.bmp"
- "Wallpaper" = "%programfiles%\desk1.bmp"
- "TileWallpaper" = "0"
The trojan then removes itself from the computer.
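Because the trojan deletes itself after encrypting, the Run value named "pr" may be left pointing at a file that no longer exists; the dangling value and the wallpaper entries are then the registry artifacts that remain. The following Python is an added example, not ESET's or the malware's code: it parses a .reg export taken from the host (already decoded to text) and flags the entries named above. The file name `update.exe` stands in for the page's %malwarefilename%, which is variable, and the export is constructed, not a real capture. The check for any autorun launching a bare file from the Program Files root is a heuristic that goes beyond the page and is marked as such in the code.

```python
import re

# Keys and value names named on the page for Win32/Filecoder.EQ.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
RUN_VALUE_NAME = "pr"
WALLPAPER_NAMES = ("desk.bmp", "desk1.bmp")
PROGRAM_FILES_ROOTS = ("\\program files\\", "\\program files (x86)\\")


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    String data ("name"="data") has its .reg backslash escaping undone;
    other types (dword:, hex:) are kept as raw text. Default values (@=)
    and multi-line hex continuations are ignored since they are not needed."""
    reg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # \\ -> \ and \" -> "
        reg[current][name] = data
    return reg


def in_program_files_root(path):
    """True if *path* names a file directly under Program Files or
    Program Files (x86), with no vendor subfolder, as the trojan's copy is."""
    p = path.strip().strip('"').lower()
    for root in PROGRAM_FILES_ROOTS:
        if root in p:
            rest = p.split(root, 1)[1]
            return rest != "" and "\\" not in rest
    return False


def check_indicators(reg):
    """Return a list of (indicator, key, value_name, data) tuples."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if name == RUN_VALUE_NAME:
            findings.append(("run-key-pr", RUN_KEY, name, data))
        elif in_program_files_root(data):
            # Heuristic beyond the page: an autorun that launches a bare file
            # from the Program Files root is unusual and worth a look.
            findings.append(("run-key-programfiles-root", RUN_KEY, name, data))
    desktop = reg.get(DESKTOP_KEY, {})
    wallpaper = desktop.get("Wallpaper", "")
    basename = wallpaper.lower().rsplit("\\", 1)[-1]
    if basename in WALLPAPER_NAMES and in_program_files_root(wallpaper):
        findings.append(("ransom-wallpaper", DESKTOP_KEY, "Wallpaper", wallpaper))
    return findings


# Constructed .reg export resembling an infected host (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
"pr"="C:\\Program Files\\update.exe"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Program Files\\desk.bmp"
"TileWallpaper"="0"
'''

if __name__ == "__main__":
    for finding in check_indicators(parse_reg_export(SAMPLE_REG)):
        print(*finding, sep=" | ")
```

Export the two keys with `reg export` from the affected host (or load the offline SOFTWARE and NTUSER.DAT hives in a forensic tool and export from there) before any cleanup, since the Run value is the one artifact tying the persistence entry to the now-deleted copy in Program Files.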
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 5 URLs. The HTTP protocol is used in the communication.