Win32/Filecoder [Threat Name]
Win32/Filecoder.NCN [Threat Variant Name]
Category | trojan
Size | 55365 B
Aliases | Trojan:.Win32/Fico.A (Microsoft), FileCryptor.OP.trojan (AVG)
Short description
Win32/Filecoder.NCN is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Installation
When executed, the trojan creates the following folder:
- %drive%\wiNtmp\
The %drive% is one of the following strings:
- C:
- D:
The following files are dropped in the same folder:
- openAirx.exe (3584 B)
- winserv.exe (104448 B, Win32/Filecoder.NCN)
The files are then executed.
The trojan creates the following files:
- %currentfolder%\bmrsa.exe (77824 B)
- %currentfolder%\mecrypalgoritm.exe (14848 B, Win32/Filecoder.NCN)
The trojan may display the following message:
Payload information
Win32/Filecoder.NCN is a trojan that encrypts files on local drives.
To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
The trojan searches local drives for files with the following file extensions:
- .jpg
- .JPG
- *jpeg
- *JPEG
- .doc
- .mrw
- .DOC
- *docx
- *DOCX
- .txt
- .TXT
- .tif
- .TIF
- .dbf
- .DBF
- .arw
- .eps
- .EPS
- .psd
- .PSD
- .CDR
- .cdr
- .mbd
- .MBD
- .dxb
- .xml
- .XML
- .xls
- .XLS
- .dwg
- .DWG
- .mdf
- .MDF
- .mdb
- .MDB
- .zip
- .ZIP
- .rar
- .RAR
- .cdx
- .CDX
- .wps
- .WPS
- .rtf
- .RTF
- .1CD
- .1cd
- .4db
- .4dd
- .adp
- .ADP
- .grs
- .wdb
- .pdm
- .MDP
- .ppt
- .PPT
- .crw
- .CRW
- .dxg
- .DXG
- .ptx
- .PTX
- .odp
- .ODP
- .PEK
- .pek
- .sps
- .SPS
- .pst
- .PST
- .raf
- .pdd
- .mdf
- .srw
- .cer
- .CER
- .dcr
- .crt
The trojan encrypts the file content.
The extension of the encrypted files is changed to:
- .CoDe
The RSA and ARIA encryption algorithms are used.
The trojan creates the following file:
- %currentfolder%\_%username%_Фaйлы зaшифpoваны.TxT
It contains the following text:
- Files are encrypted
- The cost of decryption is 10,000 rubles
- 1) Send the file you are reading now (the file Файлы зaшифpoваны.txt) to the e-mail address u%removed%g
- 2) Send 1 encrypted file of small size (a file with the CoDe extension).
- YOU MUST SEND 2 FILES: Файлы зaшифpoваны.txt and the encrypted file.
- In reply you will receive the original file and payment instructions.
- The reply to your letter will arrive within 1-36 hours.
- If no reply arrives for more than 36 hours, write to the backup e-mail address g%removed%m
- ---
- 1%removed%E
- ---
- 2%removed%F
Other information
The trojan creates the following files:
- %drive%\wiNtmp\pass_a
- %drive%\wiNtmp\pass_2
- %drive%\wiNtmp\passA
- %drive%\wiNtmp\passB
- %drive%\wiNtmp\MyKeys_A
- %drive%\wiNtmp\MyKeys_B
- %drive%\wiNtmp\za.bat
The following files are deleted:
- %drive%\wiNtmp\bmrsa.exe
- %drive%\wiNtmp\pass_a
- %drive%\wiNtmp\pass_2
- %drive%\wiNtmp\MyKeys_A
- %drive%\wiNtmp\MyKeys_B
- %drive%\wiNtmp\za.bat