Win32/Filecoder [Threat Name]
Win32/Filecoder.FS [Threat Variant Name]
Category | trojan
Size | 152177 B
Aliases | Trojan.Win32.Inject.aceot (Kaspersky)
 | Trojan.MulDrop7.2412 (Dr.Web)
 | TR/FileCoder.sfupx (Avira)
 | Ransom:Win32/Teerac.Q (Microsoft)
Short description
Win32/Filecoder.FS is a trojan that encrypts files on fixed, removable and network drives. To restore files to their original state the user is requested to send an e-mail to a specified address in exchange for a password/instructions.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\trust.exe
The trojan may create the following files in the %temp% folder:
- ns%variable%.tmp\System.dll (11264 B)
- Samizdat.g (85421 B)
- solstice.dll (57344 B, Win32/Injector.DHWO)
A string with variable content is used instead of %variable%.
In order to be executed on system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "SG" = "%appdata%\trust.exe"
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Globe]
- "idle" = "YES"
- "temp" = %variable%
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Read Me Please" = "mshta.exe\"%userprofile%\Read Me Please.hta\""
This value launches the dropped ransom note Read Me Please.hta through mshta.exe at each logon.
After the installation is complete, the trojan deletes the original executable file.
Payload information
Win32/Filecoder.FS is a trojan that encrypts files on fixed, removable and network drives.
The trojan searches for files on the following drives:
- A:\ - Z:\
The trojan also searches for executables in shared folders of remote machines.
Only folders whose path does not contain one of the following strings are searched:
- intel
- nvidia
- Windows
- AppData
- All Users
- Program Files
- Program Files (x86)
- System Volume Information
- Application Data
- $RECYCLE.BIN
It avoids files from the following directories:
- %windir%
- %appdata%
- %programdata%
- %programfiles%
- %allusersprofile%
The trojan searches for files with the following file extensions:
- 001
- 1cd
- 3d
- 3d4
- 3df8
- 3dm
- 3ds
- 3fr
- 3g2
- 3ga
- 3gp
- 3gp2
- 3mm
- 3pr
- 73i87a
- 7z
- 7zip
- 8ba
- 8bc
- 8be
- 8bf
- 8bi8
- 8bl
- 8bs
- 8bx
- 8by
- 8li
- @aol.com
- @india.com
- a2c
- a5zfn
- aa
- aa3
- aaa
- aac
- aaf
- ab4
- abc
- abk
- abw
- ac2
- ac3
- accdb
- accde
- accdr
- accdt
- ace
- ach
- acr
- act
- adb
- ade
- adi
- adp
- adpb
- adr
- ads
- adt
- aep
- aepx
- aes
- aet
- afp
- agd1
- agdl
- ai
- aif
- aiff
- aim
- aip
- ais
- ait
- ak
- al
- allet
- amf
- amr
- amu
- amx
- amxx
- ans
- aoi
- ap
- ape
- api
- apj
- apk
- apnx
- arc
- arch00
- ard
- ari
- arj
- aro
- arr
- arw
- as
- as3
- asa
- asc
- ascx
- ase
- asf
- ashx
- asm
- asmx
- asp
- aspx
- asr
- asset
- asx
- automaticdestinations-ms
- avi
- avs
- awg
- axx
- azf
- azs
- azw
- azw1
- azw3
- azw4
- b2a
- back
- backup
- backupdb
- bad
- bak
- bank
- bar
- bay
- bc6
- bc7
- bck
- bcp
- bdb
- bdp
- bdr
- bfa
- bgt
- bi8
- bib
- bic
- big
- bik
- bin
- bitstak
- bkf
- bkp
- bkup
- blend
- blob
- blp
- bmc
- bmf
- bml
- bmp
- boc
- bp2
- bp3
- bpk
- bpl
- bpw
- brd
- breaking_bad
- bsa
- bsk
- bsp
- btc
- btoa
- bvd
- c
- cag
- cam
- camproj
- cap
- car
- cas
- cat
- cbf
- cbr
- cbz
- cc
- ccc
- cccrrrppp
- ccd
- ccf
- cch
- cd
- cdf
- cdi
- cdr
- cdr3
- cdr4
- cdr5
- cdr6
- cdrw
- cdx
- ce1
- ce2
- cef
- cer
- cerber
- cerber2
- cerber3
- cert
- cfg
- cfp
- cfr
- cgf
- cgi
- cgm
- cgp
- chk
- chml
- cib
- class
- clr
- cls
- clx
- cmf
- cms
- cmt
- cnc
- cnf
- cng
- cod
- col
- con
- conf
- config
- contact
- coverton
- cp
- cpi
- cpio
- cpp
- cr2
- craw
- crd
- crinf
- crjoker
- crptrgr
- crt
- crw
- crwl
- cry
- cryp1
- crypt
- crypted
- cryptolocker
- cryptowall
- cryptra
- crypz
- cs
- csh
- csi
- csl
- cso
- csr
- css
- csv
- ctt
- cty
- cue
- cwf
- czvxce
- d3dbsp
- dac
- dal
- dap
- darkness
- das
- dash
- dat
- database
- dayzprofile
- dazip
- db
- db-journal
- db0
- db3
- db_journal
- dba
- dbb
- dbf
- dbfv
- dbx
- dc2
- dc4
- dch
- dco
- dcp
- dcr
- dcs
- dcu
- ddc
- ddcx
- ddd
- ddoc
- ddrw
- dds
- default
- dem
- der
- des
- desc
- design
- desklink
- dev
- dex
- dfm
- dgc
- dic
- dif
- dii
- dim
- dime
- dip
- dir
- directory
- disc
- disk
- dit
- divx
- diz
- djv
- djvu
- dlc
- dmg
- dmp
- dng
- dob
- doc
- docb
- docm
- docx
- dot
- dotm
- dotx
- dox
- dpk
- dpl
- dpr
- drf
- drw
- dsk
- dsp
- dtd
- dvd
- dvi
- dvx
- dwg
- dxb
- dxe
- dxf
- dxg
- e4a
- ecc
- edb
- efl
- efr
- efu
- efx
- eip
- elf
- emc
- emf
- eml
- enc
- enciphered
- encrypt
- encrypted
- enigma
- enx
- epk
- eps
- epub
- eql
- erbsql
- erf
- err
- esf
- esm
- euc
- evo
- ex
- exf
- exif
- exx
- ezz
- f90
- fantom
- faq
- fcd
- fdb
- fdr
- fds
- ff
- ffd
- fff
- fh
- fhd
- fla
- flac
- flf
- flp
- flv
- flvv
- for
- forge
- fos
- fpenc
- fpk
- fpp
- fpx
- frm
- fsh
- fss
- fun
- fxg
- gam
- gdb
- gfe
- gfx
- gho
- gif
- good
- gpg
- gray
- grey
- grf
- groups
- gry
- gthr
- gxk
- gz
- gzig
- gzip
- h
- h3m
- h4r
- ha3
- hbk
- hbx
- hdd
- herbst
- hex
- hkdb
- hkx
- hplg
- hpp
- hqx
- htm
- html
- htpasswd
- hvpl
- hwp
- ibank
- ibd
- ibz
- ico
- icxs
- idl
- idml
- idx
- ie5
- ie6
- ie7
- ie8
- ie9
- iff
- iif
- iiq
- img
- incpas
- indb
- indd
- indl
- indt
- info
- ink
- inx
- ipa
- iso
- isu
- isz
- itdb
- itl
- itm
- iwd
- iwi
- jac
- jar
- jav
- java
- jbc
- jc
- jfif
- jge
- jgz
- jif
- jiff
- jnt
- jpc
- jpe
- jpeg
- jpf
- jpg
- jpw
- js
- json
- jsp
- just
- k25
- kc2
- kdb
- kdbx
- kdc
- kde
- kernel_complete
- kernel_pid
- kernel_time
- key
- keybtc@inbox_com
- kf
- kimcilware
- kkk
- klq
- kmz
- kpdx
- kraken
- kratos
- kwd
- kwm
- laccdb
- lastlogin
- lay
- lay6
- layout
- lbf
- lbi
- lcd
- lcf
- lcn
- ldb
- ldf
- lechiffre
- legion
- lgp
- lib
- lit
- litemod
- lngttarch2
- localstorage
- locked
- locky
- log
- lol!
- lp2
- lpa
- lrf
- ltm
- ltr
- ltx
- lua
- lvivt
- lvl
- m
- m2
- m2ts
- m3u
- m3u8
- m4a
- m4p
- m4u
- m4v
- mag
- magic
- man
- map
- mapimail
- max
- mbox
- mbx
- mcd
- mcgame
- mcmeta
- mcrp
- md
- md0
- md1
- md2
- md3
- md5
- mdb
- mdbackup
- mdc
- mddata
- mdf
- mdl
- mdn
- mds
- mef
- menu
- meo
- mfw
- mic
- micro
- mid
- mim
- mime
- mip
- mjd
- mkv
- mlb
- mlx
- mm6
- mm7
- mm8
- mme
- mml
- mmw
- mny
- mobi
- mod
- moneywell
- mos
- mov
- movie
- moz
- mp1
- mp2
- mp3
- mp4
- mp4v
- mpa
- mpe
- mpeg
- mpg
- mpq
- mpqge
- mpv2
- mrw
- mrwref
- mse
- msg
- msi
- msp
- mts
- mui
- mxp
- myd
- myi
- nav
- ncd
- ncf
- nd
- ndd
- ndf
- nds
- nef
- nfo
- nk2
- nop
- now
- nrg
- nri
- nrw
- ns2
- ns3
- ns4
- nsd
- nsf
- nsg
- nsh
- ntl
- number
- nvram
- nwb
- nx1
- nx2
- nxl
- nyf
- oab
- obj
- odb
- odc
- odcodc
- odf
- odg
- odi
- odm
- odp
- ods
- odt
- oft
- oga
- ogg
- oil
- opd
- opf
- orf
- ost
- otg
- oth
- otp
- ots
- ott
- owl
- oxt
- p12
- p5tkjw
- p7b
- p7c
- pab
- pack
- padcrypt
- pages
- pak
- paq
- pas
- pat
- paym
- paymrss
- payms
- paymst
- paymts
- payrms
- pays
- pbf
- pbk
- pbp
- pbs
- pcd
- pct
- pcv
- pdb
- pdc
- pdcr
- pdd
- pef
- pem
- pfx
- php
- pkb
- pkey
- pkh
- pkpass
- pl
- plb
- plc
- pli
- plus_muhd
- pm
- pmd
- png
- po
- poar2w
- pot
- potm
- potx
- ppam
- ppd
- ppf
- ppj
- pps
- ppsm
- ppsx
- ppt
- pptm
- pptx
- prc
- prel
- prf
- props
- prproj
- prt
- ps
- psa
- psafe3
- psd
- psk
- pspimage
- pst
- psw6
- ptx
- pub
- purge
- puz
- pwf
- pwi
- pwm
- pxp
- py
- pzdc
- qba
- qbb
- qbm
- qbr
- qbw
- qbx
- qby
- qcow
- qcow2
- qdf
- qed
- qel
- qic
- qif
- qpx
- qt
- qtq
- qtr
- r00
- r01
- r02
- r03
- r3d
- r5a
- ra
- ra2
- raf
- ram
- rar
- rat
- raw
- razy
- rb
- rdb
- rdi
- rdm
- re4
- rekt
- res
- result
- rev
- rgn
- rgss3a
- rim
- rll
- rm
- rng
- rofl
- rokku
- rpf
- rrk
- rrt
- rsdf
- rsrc
- rsw
- rte
- rtf
- rts
- rtx
- rum
- run
- rv
- rvt
- rw2
- rwl
- rwz
- rzk
- rzx
- s3db
- sad
- saf
- safe
- sas7bdat
- sav
- save
- say
- sb
- sc2save
- sch
- scm
- scn
- scx
- sd0
- sd1
- sda
- sdb
- sdc
- sdf
- sdn
- sdo
- sds
- sdt
- search-ms
- securecrypted
- sef
- sen
- ses
- sfs
- sfx
- sgz
- sh
- shar
- shr
- shw
- shy
- sid
- sidd
- sidn
- sie
- sis
- sldm
- sldx
- slk
- slm
- slt
- sme
- snk
- snp
- snx
- so
- spd
- spr
- sql
- sqlite
- sqlite3
- sqlitedb
- sqllite
- sqx
- sr2
- srf
- srt
- srw
- ssa
- st4
- st5
- st6
- st7
- st8
- stc
- std
- sti
- stm
- stt
- stw
- stx
- sud
- suf
- sum
- surprise
- svg
- svi
- svr
- swd
- swf
- switch
- sxc
- sxd
- sxg
- sxi
- sxm
- sxw
- syncdb
- szf
- t01
- t03
- t05
- t12
- t13
- tar
- tax
- tax2013
- tax2014
- tbk
- tbz2
- tch
- tcx
- tex
- text
- tg
- tga
- tgz
- thm
- thmx
- tif
- tiff
- tlg
- tlz
- toast
- tor
- torrent
- tpu
- tpx
- trp
- ts
- ttt
- tu
- tur
- txd
- txf
- txt
- uax
- udf
- uea
- umx
- unity3d
- unr
- unx
- uop
- uot
- upk
- upoi
- url
- usa
- usx
- ut2
- ut3
- utc
- utx
- uu
- uud
- uue
- uvx
- uxx
- val
- vault
- vbox
- vbs
- vc
- vcd
- vcf
- vdf
- vdi
- vdo
- venusf
- ver
- vfs0
- vhd
- vhdx
- vlc
- vlt
- vmdk
- vmf
- vmsd
- vmt
- vmx
- vmxf
- vob
- vp
- vpk
- vpp_pc
- vsi
- vtf
- vvv
- w3g
- w3x
- wab
- wad
- wallet
- war
- wav
- wave
- waw
- wb2
- wbk
- wdgt
- wflx
- windows10
- wks
- wm
- wma
- wmd
- wmdb
- wmmp
- wmo
- wmv
- wmx
- wotreplay
- wow
- wpd
- wpe
- wpk
- wpl
- wps
- wsh
- wtd
- wtf
- wvx
- x11
- x3f
- xf
- xis
- xl
- xla
- xlam
- xlc
- xlk
- xll
- xlm
- xlr
- xls
- xlsb
- xlsm
- xlsx
- xlt
- xltm
- xltx
- xlv
- xlw
- xlwx
- xml
- xpi
- xps
- xpt
- xqx
- xsl
- xtbl
- xvid
- xwd
- xxe
- xxx
- xyz
- yab
- ycbcra
- yenc
- yml
- ync
- yps
- yuv
- z02
- z04
- zap
- zcrypt
- zepto
- zip
- zipx
- zoo
- zps
- ztmp
- zyklon
- zzz
When searching the drives, the trojan creates the following file in every folder visited:
- Read Me Please.hta
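The folder-exclusion and extension rules above decide which files are at risk. The following is an added illustration, not code from the sample or from this description: it reimplements those rules so the decision for a given path can be examined offline. Assumptions, marked in the code, are that the substring match is case-insensitive, that the extension is compared against the text after the last dot, that the avoided %windir%/%appdata%/%programdata%/%programfiles%/%allusersprofile% directories expand to their Windows defaults for a user named bob, that the same rules apply to network shares, and that a small subset of the extension list suffices for the demonstration. The sample paths are constructed.

```python
# Added illustration of the targeting rules described above; not the sample's
# own code. Drives A:-Z: and remote shares are not enumerated here; the
# functions take paths as strings so the logic runs offline.
from pathlib import PureWindowsPath

# Folder-path substrings that exclude a folder from the search (from the
# description). Assumption: matching is case-insensitive.
EXCLUDED_PATH_STRINGS = (
    "intel", "nvidia", "Windows", "AppData", "All Users", "Program Files",
    "Program Files (x86)", "System Volume Information", "Application Data",
    "$RECYCLE.BIN",
)

# Avoided directories with assumed default expansions for user "bob".
# %programfiles% and %allusersprofile% are already covered by the substring
# list; %programdata% is the one that only this rule catches.
AVOIDED_ROOTS = (
    r"C:\Windows",                      # %windir%
    r"C:\Users\bob\AppData\Roaming",    # %appdata%
    r"C:\ProgramData",                  # %programdata%, %allusersprofile%
    r"C:\Program Files",                # %programfiles%
)

# A subset of the extension list above (the full list has over a thousand
# entries). It includes extensions appended by other ransomware families
# (cerber, locky, zepto), so files those families already renamed still match.
TARGET_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png", "gz",
    "zip", "sql", "mdf", "vmdk", "pst", "kdbx", "locky", "zepto", "cerber",
}


def folder_is_searched(folder: str) -> bool:
    """True if the sample would descend into this folder."""
    norm = str(PureWindowsPath(folder)).lower()
    if any(s.lower() in norm for s in EXCLUDED_PATH_STRINGS):
        return False
    # Prefix match on the avoided roots; the trailing separator stops
    # C:\ProgramDataX from matching C:\ProgramData.
    norm_dir = norm.rstrip("\\") + "\\"
    for root in AVOIDED_ROOTS:
        root_norm = str(PureWindowsPath(root)).lower().rstrip("\\") + "\\"
        if norm_dir.startswith(root_norm):
            return False
    return True


def file_is_target(path: str) -> bool:
    """Folder rules apply to the parent folder, the extension rule to the name."""
    p = PureWindowsPath(path)
    if not folder_is_searched(str(p.parent)):
        return False
    if "." not in p.name:
        return False
    ext = p.name.rsplit(".", 1)[1].lower()   # assumption: text after the last dot
    return ext in TARGET_EXTENSIONS


def targeted_files(paths):
    """Return, in input order, the paths the sample would encrypt."""
    return [p for p in paths if file_is_target(p)]


# Constructed sample paths (not from any real infection).
SAMPLE_PATHS = [
    r"C:\Users\bob\Documents\budget.xlsx",        # targeted
    r"C:\Users\bob\Documents\notes.txt",          # targeted
    r"C:\Users\bob\Desktop\invoice.pdf",          # pdf is not in the list above
    r"C:\Users\bob\Desktop\invoice.pdf.locky",    # already renamed by another family, still matches
    r"C:\Users\bob\Desktop\app.exe",              # exe is not in the list
    r"C:\Users\bob\AppData\Roaming\trust.exe",    # AppData: skipped
    r"C:\Windows\System32\drivers\etc\hosts",     # Windows: skipped
    r"C:\Program Files (x86)\App\readme.txt",     # Program Files: skipped
    r"C:\ProgramData\App\settings.conf",          # %programdata%: skipped
    r"D:\intel_reports\q1.docx",                  # substring "intel": skipped although it is user data
    r"D:\photos\IMG_0001.jpg",                    # second drive: targeted
    r"\\fileserver\share\report.docx",            # share: targeted (assumed same rules)
]

if __name__ == "__main__":
    for p in targeted_files(SAMPLE_PATHS):
        print(p)
```

The `intel_reports` case is worth noting: the exclusion is a plain substring test on the folder path, so any user folder whose name happens to contain `intel` or `nvidia` is skipped, while a folder such as `C:\ProgramData` is only protected by the environment-variable rule.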
The trojan encrypts the file content using the RC4 stream cipher. Only the first 65536 B of each file are overwritten; data beyond that offset is not touched, so files smaller than 64 KiB are encrypted in full while only the head of larger files is.
The name of the encrypted file is changed to:
- %randomstring%.decryptallfiles@india.com
%randomstring% represents random text; the original file name and extension are not preserved in the new name.
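Two consequences of the encryption scheme above matter to a responder: how much of a large file survives untouched, and what a stream cipher gives away if one key were used for more than one file. The following is an added illustration and not the sample's or this description's code. It uses a textbook RC4 and a constructed placeholder key; the description does not state how the sample derives its key or whether the key is reused across files, so the known-plaintext part is a general property of RC4 keystream reuse, not a claim about this variant. Sample file contents are constructed.

```python
# Added illustration of the partial-file RC4 encryption described above; not
# the sample's own code. The key below is a constructed placeholder.
import re

HEADER_LEN = 65536                      # bytes overwritten per file (from the description)
ENCRYPTED_NAME = re.compile(r"^[^\\/]+\.decryptallfiles@india\.com$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encrypt_like_sample(content: bytes, key: bytes) -> bytes:
    """Overwrite only the first HEADER_LEN bytes; the remainder is kept as is."""
    return rc4(key, content[:HEADER_LEN]) + content[HEADER_LEN:]


decrypt_like_sample = encrypt_like_sample   # RC4 is its own inverse


def untouched_fraction(size: int) -> float:
    """Share of a file of this size that the encryption never touches."""
    return 0.0 if size <= HEADER_LEN else (size - HEADER_LEN) / size


def looks_encrypted(filename: str) -> bool:
    """Match the renamed form %randomstring%.decryptallfiles@india.com."""
    return ENCRYPTED_NAME.match(filename) is not None


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack on a stream cipher: ct XOR pt = keystream."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    key = b"constructed-demo-key"
    video = bytes(range(256)) * 400             # constructed 102400-byte file
    enc = encrypt_like_sample(video, key)
    print(f"tail intact: {enc[HEADER_LEN:] == video[HEADER_LEN:]}, "
          f"untouched: {untouched_fraction(len(video)):.0%}")
    # Assumption for this part only: one key for every file. Then the 8-byte
    # PNG signature in one file reveals 8 keystream bytes that strip the same
    # prefix from every other file encrypted under that key.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 100
    doc = b"PK\x03\x04" + b"\x00" * 100
    ks = recover_keystream(encrypt_like_sample(png, key)[:8], png[:8])
    print(xor(encrypt_like_sample(doc, key)[:8], ks))   # b'PK\x03\x04\x00\x00\x00\x00'
```

For large media, disk images or database files, everything past offset 65536 is original data, which is what format-aware repair or carving tools can work from; for documents under 64 KiB nothing survives. The renamed files carry no trace of the original name, so `looks_encrypted` identifies victims but cannot map them back to what they were.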
To restore files to their original state the user is requested to send an e-mail to a specified address in exchange for a password/instructions.
The trojan may display the following messages: