Win32/Filecoder [Threat Name]
Win32/Filecoder.NBR [Threat Variant Name]
Category | trojan
Size | 531351 B
Aliases | Trojan-Ransom.Win32.CryFile.vji (Kaspersky), Ransom:Win32/Genasom (Microsoft)
Short description
Win32/Filecoder.NBR is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password or decryption instructions.
Installation
When executed, the trojan creates the following files:
- C:\tempik\gene.exe (3072 B, Win32/Filecoder.NBR)
- C:\tempik\hilo.exe (2560 B)
- C:\tempik\moar.exe (13824 B, Win32/Filecoder.NBR)
- C:\tempik\pgp.exe (246784 B)
- C:\tempik\pubring.pgp (310 B)
- C:\tempik\pusk.bat (535 B, BAT/Filecoder.AP)
- C:\tempik\randseed.bin (408 B)
- C:\tempik\Rar.exe (488024 B)
- C:\tempik\zep.exe (2560 B)
The files are then executed.
The trojan may create the following files:
- C:\tempik\apr
- C:\tempik\pa
- C:\tempik\pa.asc
The trojan may delete the following files:
- C:\tempik\pa
The trojan displays the following dialog box:
Payload information
Win32/Filecoder.NBR is a trojan that encrypts files on local drives.
The trojan searches for files with the following file extensions:
- .1cd
- .4db
- .4dd
- .adp
- .arw
- .cdr
- .cdx
- .cer
- .crt
- .crw
- .dbf
- .dcr
- .doc
- .docx
- .dwg
- .dxb
- .dxg
- .eps
- .grs
- .jpeg
- .jpg
- .mdb
- .mdf
- .MDP
- .mrw
- .odp
- .pdd
- .pdm
- .pek
- .ppt
- .psd
- .pst
- .ptx
- .raf
- .rar
- .rtf
- .sps
- .srw
- .tif
- .txt
- .wdb
- .wps
- .xls
- .xml
- .zip
The trojan encrypts the file content.
The trojan executes the following command:
- rar.exe a -e -p%password% -dw %file%.Rar %file%
An additional ".Rar" extension is appended.
The following file is dropped:
- %currentfolder%\!!Закодиpован_%username%
To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password or decryption instructions.
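Detection logic for the encryption behaviour described above, as an added example that is not ESET's code and not part of the original entry. It scans constructed process-creation and file-creation log lines for the three indicators the entry gives: a rar.exe archive command line carrying a -p password together with the -dw (wipe source) switch, a written file whose name is a targeted file type with ".Rar" appended, and the ransom-note name prefix. The log line format, PIDs, user name and paths are constructed assumptions; the targeted extension list and the note prefix are copied from the entry.

```python
import re

# Extensions the entry says Win32/Filecoder.NBR searches for (copied from the listing above)
TARGET_EXTENSIONS = {
    ".1cd", ".4db", ".4dd", ".adp", ".arw", ".cdr", ".cdx", ".cer", ".crt", ".crw",
    ".dbf", ".dcr", ".doc", ".docx", ".dwg", ".dxb", ".dxg", ".eps", ".grs", ".jpeg",
    ".jpg", ".mdb", ".mdf", ".mdp", ".mrw", ".odp", ".pdd", ".pdm", ".pek", ".ppt",
    ".psd", ".pst", ".ptx", ".raf", ".rar", ".rtf", ".sps", ".srw", ".tif", ".txt",
    ".wdb", ".wps", ".xls", ".xml", ".zip",
}
# Ransom-note name prefix from the entry; the trojan appends %username% to it
NOTE_PREFIX = "!!Закодиpован_"


def _ext(name):
    """Lower-cased final extension of a Windows path or file name ('' if none)."""
    base = name.rsplit("\\", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""


def is_filecoder_rar_cmdline(cmdline):
    """True for the archive-and-wipe pattern documented above:
    rar.exe a ... -p<password> ... -dw <target>.Rar <target>
    Limitation (assumption): tokens are split on whitespace, so quoted paths
    containing spaces are not handled; the entry's own command has none."""
    tokens = cmdline.split()
    if len(tokens) < 4 or not tokens[0].lower().endswith("rar.exe") or tokens[1] != "a":
        return False
    switches = [t.lower() for t in tokens[2:] if t.startswith("-")]
    operands = [t for t in tokens[2:] if not t.startswith("-")]
    has_password = any(s.startswith("-p") and len(s) > 2 for s in switches)
    wipes_source = "-dw" in switches
    if not (has_password and wipes_source and len(operands) >= 2):
        return False
    archive, source = operands[0], operands[1]
    # The archive name is the source name with ".Rar" appended, and the source is a targeted type
    return archive.lower() == source.lower() + ".rar" and _ext(source) in TARGET_EXTENSIONS


def is_encrypted_victim_path(path):
    """A written file named <targeted file>.Rar, e.g. report.docx.Rar or photos.rar.Rar."""
    if _ext(path) != ".rar":
        return False
    return _ext(path[:-4]) in TARGET_EXTENSIONS  # strip the appended ".Rar" and re-check


def is_ransom_note_path(path):
    """A written file whose name starts with the ransom-note prefix."""
    return path.rsplit("\\", 1)[-1].startswith(NOTE_PREFIX)


# Constructed log format (assumption): "<PROC|FILE> pid=<n> <cmdline|path>=<value>"
LINE_RE = re.compile(r"^(PROC|FILE) pid=(\d+) (?:cmdline|path)=(.*)$")


def scan_log(lines):
    """Return (pid, indicator) tuples for log lines matching the behaviour in this entry."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, pid, value = m.group(1), int(m.group(2)), m.group(3)
        if kind == "PROC" and is_filecoder_rar_cmdline(value):
            hits.append((pid, "rar-encrypt-and-wipe"))
        elif kind == "FILE" and is_encrypted_victim_path(value):
            hits.append((pid, "appended-Rar-extension"))
        elif kind == "FILE" and is_ransom_note_path(value):
            hits.append((pid, "ransom-note"))
    return hits


# Constructed sample log: one infected process (pid 1204), one ordinary archive job (1310),
# one password-protected archive that does not wipe its source (1311), one plain .rar (900).
CONSTRUCTED_LOG = [
    r"PROC pid=1204 cmdline=rar.exe a -e -pHunter2 -dw C:\Users\ann\Docs\report.docx.Rar C:\Users\ann\Docs\report.docx",
    r"PROC pid=1310 cmdline=rar.exe a backup.rar C:\Users\ann\Docs\notes.txt",
    r"PROC pid=1311 cmdline=rar.exe a -pHunter2 C:\Users\ann\Docs\notes.txt.Rar C:\Users\ann\Docs\notes.txt",
    r"FILE pid=1204 path=C:\Users\ann\Docs\report.docx.Rar",
    r"FILE pid=1204 path=C:\Users\ann\Docs\photos.rar.Rar",
    r"FILE pid=900 path=C:\Users\ann\Docs\archive.rar",
    "FILE pid=1204 path=C:\\Users\\ann\\Docs\\" + NOTE_PREFIX + "ann",
]

if __name__ == "__main__":
    for pid, indicator in scan_log(CONSTRUCTED_LOG):
        print(f"pid {pid}: {indicator}")
```

The command-line check requires both the password switch and -dw, because a password-protected archive that leaves its source in place is ordinary WinRAR use; the file-name check strips the appended ".Rar" and re-tests the remaining extension, so a normal archive such as archive.rar is not flagged while photos.rar.Rar (a .rar archive that was itself encrypted) is.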