Win32/Filecoder [Threat Name]

Win32/Filecoder.NCN [Threat Variant Name]

Category trojan
Size 55365 B
Detection created Oct 29, 2014
Detection database version 10639
Aliases Trojan:Win32/Fico.A (Microsoft)
  FileCryptor.OP.trojan (AVG)
Short description

Win32/Filecoder.NCN is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password or decryption instructions.

Installation

When executed, the trojan creates the following folder:

  • %drive%\wiNtmp\

%drive% is one of the following strings:

  • C:
  • D:

The following files are dropped in the same folder:

  • openAirx.exe (3584 B)
  • winserv.exe (104448 B, Win32/Filecoder.NCN)

The files are then executed.

The trojan creates the following files:

  • %currentfolder%\bmrsa.exe (77824 B)
  • %currentfolder%\mecrypalgoritm.exe (14848 B, Win32/Filecoder.NCN)

The trojan may display the following message:

Payload information

Win32/Filecoder.NCN is a trojan that encrypts files on local drives.

To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password or decryption instructions.

The trojan searches local drives for files with the following file extensions:

  • .jpg
  • .JPG
  • *jpeg
  • *JPEG
  • .doc
  • .mrw
  • .DOC
  • *docx
  • *DOCX
  • .txt
  • .TXT
  • .pdf
  • .PDF
  • .tif
  • .TIF
  • .dbf
  • .DBF
  • .arw
  • .eps
  • .EPS
  • .psd
  • .PSD
  • .CDR
  • .cdr
  • .mbd
  • .MBD
  • .dxb
  • .xml
  • .XML
  • .xls
  • .XLS
  • .dwg
  • .DWG
  • .mdf
  • .MDF
  • .mdb
  • .MDB
  • .zip
  • .ZIP
  • .rar
  • .RAR
  • .cdx
  • .CDX
  • .wps
  • .WPS
  • .rtf
  • .RTF
  • .1CD
  • .1cd
  • .4db
  • .4dd
  • .adp
  • .ADP
  • .grs
  • .wdb
  • .pdm
  • .MDP
  • .ppt
  • .PPT
  • .crw
  • .CRW
  • .dxg
  • .DXG
  • .ptx
  • .PTX
  • .odp
  • .ODP
  • .PEK
  • .pek
  • .sps
  • .SPS
  • .pst
  • .PST
  • .raf
  • .pdd
  • .mdf
  • .srw
  • .cer
  • .CER
  • .dcr
  • .crt

The trojan encrypts the file content.

The extension of the encrypted files is changed to:

  • .CoDe

The RSA and ARIA encryption algorithms are used.

The trojan creates the following file:

  • %currentfolder%\_%username%_Фaйлы зaшифpoваны.TxT

It contains the following text (translated here from Russian; file names, the CoDe extension and the %removed% placeholders are kept as they appear in the note):

  • Files are encrypted
  • The cost of decryption is 10.000 rubles
  • 1) Send the file you are reading now (the file Файлы зaшифpoваны.txt) to the e-mail address u%removed%g
  • 2) Send 1 encrypted file of small size (a file with the CoDe extension).
  • YOU MUST SEND 2 FILES: Файлы зaшифpoваны.txt and the encrypted file.
  • In reply you will receive the original file and instructions for payment.
  • A reply to your e-mail will arrive within 1-36 hours.
  • If no reply arrives for more than 36 hours, write to the backup e-mail address g%removed%m
  • ---
  • 1%removed%E
  • ---
  • 2%removed%F

Other information

The trojan creates the following files:

  • %drive%\wiNtmp\pass_a
  • %drive%\wiNtmp\pass_2
  • %drive%\wiNtmp\passA
  • %drive%\wiNtmp\passB
  • %drive%\wiNtmp\MyKeys_A
  • %drive%\wiNtmp\MyKeys_B
  • %drive%\wiNtmp\za.bat

The following files are deleted:

  • %drive%\wiNtmp\bmrsa.exe
  • %drive%\wiNtmp\pass_a
  • %drive%\wiNtmp\pass_2
  • %drive%\wiNtmp\MyKeys_A
  • %drive%\wiNtmp\MyKeys_B
  • %drive%\wiNtmp\za.bat