Win32/Filecoder [Threat Name]
Win32/Filecoder.FV [Threat Variant Name]
Category: trojan
Size: 311296 B
Aliases: Trojan-Ransom.Win32.Blocker.kfgf (Kaspersky), Trojan.Encoder.11539 (Dr.Web), Ransom:Win32/Ergop.A (Microsoft), Ransom.CryptXXX (Symantec)
Short description
Win32/Filecoder.FV is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to contact the attackers and pay a certain amount of money via the Bitcoin payment service.
Installation
When executed, the trojan copies itself into the following location:
- %allusersprofile%\%malwarefilename%
In order to be executed on system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "CertificatesCheck" = "%malwarefilepath%"
Payload information
Win32/Filecoder.FV is a trojan that encrypts files on local drives.
The trojan searches for files with the following file extensions:
- *.*
It avoids files from the following directories:
- Avast
- AVG
- Avira
- Chrome
- Common Files
- COMODO
- Dr.Web
- ESET
- Internet Explorer
- Kaspersky Lab
- McAfee
- Microsoft
- Microsoft Help
- Microsoft Shared
- Microsoft.NET
- Movie Maker
- Mozilla Firefox
- ntldr
- NVIDIA Corporation
- Opera
- Outlook Express
- ProgramData
- spytech software
- Symantec
- Symantec_Client_Security
- sysconfig
- system volume information
- Temp
- Windows
- Windows App Certification Kit
- Windows Defender
- Windows Kits
- Windows Mail
- Windows Media Player
- Windows Multimedia Platform
- Windows NT
- Windows Phone Kits
- Windows Phone Silverlight Kits
- Windows Photo Viewer
- Windows Portable Devices
- Windows Sidebar
- WindowsPowerShell
- Wsus
- YandexBrowser
The trojan encrypts the file content.
The extension of the encrypted files is changed to:
- %filepath%.crypt
The RSA and DES encryption algorithms are used.
To decrypt the files, the user is asked to contact the attackers and pay a certain amount of money via the Bitcoin payment service.
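The targeting rule above (every file, pruning the listed directory names) determines the blast radius of an infection, so it is worth being able to reproduce it during impact assessment. The following is an added Python example, not code from the original page or from the malware: it walks a directory tree the way the trojan's search does, skipping the excluded directory names, and reports which files were reachable, which already carry the .crypt extension, and where how_to_back_files.html notes were dropped. Case-insensitive matching of directory names, the sample tree it builds, and the function names walk_targets/triage/demo are assumptions of this example. Note that ProgramData (where %allusersprofile% resolves on Windows Vista and later) is on the exclusion list, so the trojan's own dropped copy is never encrypted.

```python
import os
import tempfile
from pathlib import Path

# Directory names the trojan skips, taken from the list on this page.
# Case-insensitive matching is an assumption of this example.
EXCLUDED_DIRS = {name.lower() for name in [
    "Avast", "AVG", "Avira", "Chrome", "Common Files", "COMODO", "Dr.Web", "ESET",
    "Internet Explorer", "Kaspersky Lab", "McAfee", "Microsoft", "Microsoft Help",
    "Microsoft Shared", "Microsoft.NET", "Movie Maker", "Mozilla Firefox", "ntldr",
    "NVIDIA Corporation", "Opera", "Outlook Express", "ProgramData", "spytech software",
    "Symantec", "Symantec_Client_Security", "sysconfig", "system volume information",
    "Temp", "Windows", "Windows App Certification Kit", "Windows Defender", "Windows Kits",
    "Windows Mail", "Windows Media Player", "Windows Multimedia Platform", "Windows NT",
    "Windows Phone Kits", "Windows Phone Silverlight Kits", "Windows Photo Viewer",
    "Windows Portable Devices", "Windows Sidebar", "WindowsPowerShell", "Wsus", "YandexBrowser",
]}
ENCRYPTED_SUFFIX = ".crypt"          # extension appended to encrypted files
RANSOM_NOTE = "how_to_back_files.html"  # note dropped in every visited folder


def walk_targets(root):
    """Yield every file the trojan's '*.*' search would reach under root.

    Pruning dirnames in place makes os.walk skip the excluded subtrees entirely,
    which is what 'avoids files from the following directories' amounts to.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in EXCLUDED_DIRS]
        for name in filenames:
            yield Path(dirpath) / name


def triage(root):
    """Split reachable files into still-exposed, already-encrypted, and ransom notes."""
    exposed, encrypted, notes = [], [], []
    for path in walk_targets(root):
        if path.name.lower() == RANSOM_NOTE:
            notes.append(path)
        elif path.suffix.lower() == ENCRYPTED_SUFFIX:
            encrypted.append(path)
        else:
            exposed.append(path)
    return {"exposed": sorted(exposed), "encrypted": sorted(encrypted), "notes": sorted(notes)}


def build_sample_tree(base):
    """Constructed sample layout (not data from the page): a user profile beside excluded dirs."""
    layout = {
        "Users/alice/Documents/report.docx": "doc",
        "Users/alice/Documents/budget.xlsx.crypt": "enc",
        "Users/alice/Documents/how_to_back_files.html": "note",
        "Users/alice/Pictures/cat.jpg": "img",
        "Windows/System32/kernel32.dll": "dll",      # under excluded 'Windows'
        "Program Files/ESET/ekrn.exe": "av",         # under excluded 'ESET'
        "Program Files/Acme/data.db": "db",          # 'Program Files' is not excluded
        "ProgramData/dropped_copy.exe": "mal",       # excluded, so the dropper survives
        "Temp/cache.bin": "tmp",                     # under excluded 'Temp'
    }
    for rel, content in layout.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return base


def demo():
    """Run triage over the constructed tree and return paths relative to its root."""
    with tempfile.TemporaryDirectory() as base:
        result = triage(build_sample_tree(base))
        return {k: [p.relative_to(base).as_posix() for p in v] for k, v in result.items()}


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

Run against a mounted image or a network share root instead of the temporary tree to estimate what an infected account could have reached; anything under an excluded name is outside the trojan's scope regardless of file type, since the search pattern is *.*.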
When searching the drives, the trojan creates the following file in every folder visited:
- how_to_back_files.html
It contains the following text:
Other information
The trojan creates the following files:
- %temp%\__t%variable%.tmp.bat
A string with variable content is used instead of %variable%.
It contains the following text:
- @echo off
- vssadmin.exe Delete Shadows /All /Quiet
- reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
- reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
- cd %userprofile%\documents\
- attrib Default.rdp -s -h
- del Default.rdp
- for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
The file is then executed.
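The batch file above deletes the volume shadow copies, wipes the RDP connection history and clears every Windows event log, and the installation section adds a RunOnce value; each of those is a distinct, loggable action. The following is an added Python example, not code from the original page or from the malware: it classifies Sysmon-style process-creation (Event ID 1) and registry value-set (Event ID 13) records against those behaviours and raises an alert when a host shows several of them within a short window, which separates this trojan's sequence from a lone administrative vssadmin or wevtutil call. The event records, field names (EventID, UtcTime, Computer, CommandLine, TargetObject, modelled on the Sysmon schema), the HKU\<SID> form of the RunOnce path, the window and threshold, and the function names classify/correlate are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours taken from the batch file and the RunOnce entry described on this page.
# Patterns apply to the CommandLine of process-creation events.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event_log_clearing", re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I)),
    ("rdp_history_wipe", re.compile(
        r'reg(\.exe)?\s+delete\s+"?HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client', re.I)),
    ("rdp_file_deletion", re.compile(r"\bdel\s+Default\.rdp\b", re.I)),
    ("temp_batch_execution", re.compile(r"\\__t[^\\\s]*\.tmp\.bat\b", re.I)),
]
# Sysmon reports HKCU as HKU\<SID>; matching on the tail of the path is an assumption here.
RUNONCE_VALUE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\CertificatesCheck$", re.I)


def classify(event):
    """Return the behaviour names a single event matches (possibly none)."""
    hits = []
    if event["EventID"] == 1:
        for name, pattern in RULES:
            if pattern.search(event["CommandLine"]):
                hits.append(name)
    elif event["EventID"] == 13 and RUNONCE_VALUE.search(event["TargetObject"]):
        hits.append("runonce_persistence")
    return hits


def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Alert per host when at least `threshold` distinct behaviours occur inside `window`."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        for name in classify(ev):
            per_host[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), name))
    alerts = {}
    for host, hits in per_host.items():
        best = set()
        for i, (t0, _) in enumerate(hits):  # sliding window anchored at each hit
            seen = {name for t, name in hits[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample events (not real telemetry): one infected workstation, one benign server.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2016-05-10T09:14:02", "Computer": "WS-042",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck"},
    {"EventID": 1, "UtcTime": "2016-05-10T09:14:05", "Computer": "WS-042",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c ""C:\Users\alice\AppData\Local\Temp\__t8f3a.tmp.bat" "'},
    {"EventID": 1, "UtcTime": "2016-05-10T09:14:06", "Computer": "WS-042",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 1, "UtcTime": "2016-05-10T09:14:06", "Computer": "WS-042",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f'},
    {"EventID": 1, "UtcTime": "2016-05-10T09:14:09", "Computer": "WS-042",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": 'wevtutil.exe cl "Security"'},
    {"EventID": 1, "UtcTime": "2016-05-10T09:20:00", "Computer": "SRV-01",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe List Shadows"},  # routine, must not alert
]

if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_EVENTS).items():
        print(host, behaviours)
```

Because the batch file clears every event log as its last step, the telemetry that shows this sequence must be forwarded off the host (for example through Windows Event Forwarding or a Sysmon agent) before the wevtutil loop runs; a detection that reads only the local Security log will find it already empty.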
The trojan terminates processes with any of the following strings in the name:
- sql
- outlook
- ssms
- postgre
- 1c
- excel
- word