Win32/Filecoder [Threat Name]

Win32/Filecoder.NAU [Threat Variant Name]

Category trojan
Size 343040 B
Aliases Ransomer.CBW.trojan (AVG), TR/Rogue.1138889 (Avira)
Short description

Win32/Filecoder.NAU is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password or decryption instructions.

Installation

The trojan does not create any copies of itself.

Information stealing

The trojan collects the following information:

  • volume serial number
  • passwords

The trojan attempts to send the gathered information to a remote machine.

The trojan contains a URL address. The HTTP protocol is used in the communication.

Payload information

Win32/Filecoder.NAU is a trojan that encrypts files on local drives.

The trojan searches local drives for files with the following file extensions:

  • .doc
  • .DBF
  • .docx
  • .rar
  • .zip
  • .xls
  • .xlsx
  • .db
  • .bak
  • .rtf
  • .pdf
  • .mdb
  • .b2
  • .mdf
  • .accdb
  • .eap
  • .swf
  • .svg
  • .odt
  • .ppt
  • .pptx
  • .xps
  • .xls
  • .cvs
  • .dmg
  • .dwg
  • .md
  • .elf
  • .1CD
  • .dbf
  • .jpg
  • .jpeg
  • .bmp
  • .psd
  • .rtf
  • .MD
  • .dt
  • .cf
  • .max
  • .dxf
  • .dwg
  • .dds
  • .3ds
  • .ai
  • .cdr
  • .svg
  • .txt
  • .csv
  • .7z
  • .tar
  • .gz
  • .bakup
  • .mp3
  • .wav
  • .djvu

The trojan encrypts the file content.

The RC4 and DES encryption algorithms are used.


The extension of the encrypted files is changed to:

  • .decryptyoufiles@yahoo.com_enc

The trojan creates the following files:

  • C:\KAK_PACШИФPOBATЬ_ФAЙЛЫ.txt
  • %desktop%\KAK_PACШИФPOBATЬ_ФAЙЛЫ.txt

It contains the following text:

  • All your files *.doc, *.xls, *.pdf, databases etc. have been encrypted.
  • The price of the decryptor is 5000 rubles. To buy the decryptor, contact us by email:
  • %attackeremail%
  • Put your ID in the subject line.
  • If you want to make sure that we can decrypt your files, you can attach any file and we will decrypt it (we do not decrypt databases as a test!)----
  • ID: %data%
  • ----
  • Emails containing threats etc. will be ignored.

A string with variable content is used instead of %data%.

To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password or decryption instructions.


The trojan removes itself from the computer.
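For incident-response triage, the renamed extension and the ransom-note file name above are stable on-disk indicators. The following added example (not ESET's code or part of this entry) inventories a set of file paths for those two indicators, groups encrypted files by their original extension and flags encrypted files whose original extension is not in the documented target list. It assumes the new extension is appended to the original file name (the entry does not say whether it replaces or extends it); the sample paths and the hypothetical `triage` helpers are constructed for illustration.

```python
import os
from collections import Counter

# Indicators taken from the description above.
ENCRYPTED_SUFFIX = ".decryptyoufiles@yahoo.com_enc"
RANSOM_NOTE = "KAK_PACШИФPOBATЬ_ФAЙЛЫ.txt"
# Subset of the documented extension list, lower-cased so that
# .DBF/.dbf and .MD/.md compare equal.
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".dbf", ".mdb",
                       ".1cd", ".rar", ".zip", ".7z", ".jpg", ".txt", ".csv"}


def basename(path):
    """File name component of a Windows- or POSIX-style path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def original_name(path):
    """Pre-encryption file name if `path` carries the appended suffix, else None.
    Assumption: the suffix was appended to the full original name, so stripping
    it restores the original extension (the content itself stays encrypted)."""
    name = basename(path)
    return name[:-len(ENCRYPTED_SUFFIX)] if name.endswith(ENCRYPTED_SUFFIX) else None


def triage(paths):
    """Classify paths into Filecoder.NAU artifacts: encrypted files counted by
    original extension, ransom-note locations, and encrypted files whose original
    extension is not in the documented target list (worth a second look)."""
    by_ext, notes, unexpected = Counter(), [], []
    for p in paths:
        if basename(p) == RANSOM_NOTE:
            notes.append(p)
            continue
        orig = original_name(p)
        if orig is None:
            continue
        # If the suffix replaced the extension instead, splitext yields "".
        ext = os.path.splitext(orig)[1].lower() or "(none)"
        by_ext[ext] += 1
        if ext not in TARGETED_EXTENSIONS:
            unexpected.append(p)
    return {"encrypted_by_ext": dict(by_ext), "ransom_notes": notes, "unexpected": unexpected}


def triage_tree(root):
    """Walk a real directory tree (e.g. a mounted image) and triage every file."""
    return triage(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


# Constructed sample paths (not from a real infection) for a stand-alone run.
SAMPLE_PATHS = [
    r"C:\KAK_PACШИФPOBATЬ_ФAЙЛЫ.txt",
    r"C:\Users\alice\Desktop\KAK_PACШИФPOBATЬ_ФAЙЛЫ.txt",
    r"C:\Users\alice\Documents\report.docx.decryptyoufiles@yahoo.com_enc",
    r"C:\Users\alice\Documents\ledger.XLS.decryptyoufiles@yahoo.com_enc",
    r"D:\share\base.1CD.decryptyoufiles@yahoo.com_enc",
    r"D:\share\notes.txt",
    r"D:\share\photo.png.decryptyoufiles@yahoo.com_enc",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

The "unexpected" bucket is useful during scoping: a hit there means either the sample targets more extensions than documented or a different variant is present.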
