Win32/Filecoder [Threat Name] go to Threat

Win32/Filecoder.G [Threat Variant Name]

Category trojan,worm
Size 90112 B
Aliases Trojan.Win32.VB.dsm (Kaspersky)
  Trojan:Win32/Vorus.BH (Microsoft)
  Generic.dx!mvl (McAfee)
Short description

Win32/Filecoder.G is a trojan that overwrites the content of certain files with its own data. To restore files to their original state the user is requested to send an e-mail to a specified address in exchange for a password/instructions.

Installation

When executed the trojan copies itself in the following locations:

  • C:\­Documents and Settings\­All Users\­Start Menu\­Programs\­Startup\­File1.exe
  • C:\­Documents and Settings\­%username%\­Start Menu\­Programs\­Startup\­File1.exe
  • C:\­Documents and Settings\­%username%.%computername%\­Start Menu\­Programs\­Startup\­File1.exe

This causes the trojan to be executed on every system start.

Payload information

Win32/Filecoder.G is a trojan that overwrites the content of certain files with its own data.


The trojan searches local drives for files with the following file extensions:

  • .doc
  • .mdb
  • .pdf
  • .ppt
  • .txt
  • .xls

When the trojan finds a file matching the search criteria, it creates its duplicate.


The file name and extension of the newly created file is derived from the original one.


The following string is prepended:

  • "Hid_"

.


The following text is written to found file:

Sorry I am really sorry.  I don't want to do it again. This is my first and may be the last if you agree to help me. Do you want to get your files back? That is so easy just do this. I want you to write a mail to Zlovel_4evr@yahoo.com stating how much I loved her. You know… I gave her everything I had, my heart my phase…. all what I can and had but she gave me nothing except pain. Now she leaves me alone and I am felling now empty inside. I can't to live without her. That is why I burnt your files. I know may be this file is vital for you as your mail is for me. Be sure I will give your files back with out any damage. Be sure and trust me. Take a minute from your busy time and write a nice message to her. Then you will get all  your files as befor. Thank you for your cooperation. And I hope you will give me a pardon for my miss use of knowledge. I did it because I left with no other option.
Other information

The trojan copies itself into the root folders of removable drives using the following name:

  • File1.exe (90112 B)

The trojan creates the following files:

  • C:\­WINDOWS\­chk.txt
  • C:\­WINDOWS\­listOfExcells.txt
  • %drive%\­chk.txt

Please enable Javascript to ensure correct displaying of this content and refresh this page.