Win32/Filecoder [Threat Name] go to Threat

Win32/Filecoder.NEA [Threat Variant Name]

Category trojan
Size 347296 B
Aliases Trojan-Ransom.Win32.Crypren.vnf (Kaspersky)
  Trojan:Win32/Skeeyah.A!rfn (Microsoft)
  Trojan.MulDrop6.716 (Dr.Web)
Short description

Win32/Filecoder.NEA is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions. The file is run-time compressed using RAR SFX .

Installation

When executed, the trojan creates the following files:

  • %userprofile%\­7.exe (107520 B, Win32/Filecoder.NEA)
  • %userprofile%\­7.png (30750 B)

The trojan executes the following files:

  • %userprofile%\­7.exe
Payload information

Win32/Filecoder.NEA is a trojan that encrypts files on local drives.


The trojan searches local drives for files with the following file extensions:

  • .3ds
  • .3fr
  • .3pr
  • .7z
  • .ab4
  • .accdb
  • .ai
  • .ait
  • .al
  • .apj
  • .arw
  • .asp
  • .awg
  • .backup
  • .backupdb
  • .bak
  • .bdb
  • .bgt
  • .bik
  • .bkp
  • .blend
  • .bpw
  • .c
  • .cdf
  • .cdr
  • .cdr3
  • .cdr4
  • .cdr5
  • .cdr6
  • .cdrw
  • .cdx
  • .ce1
  • .ce2
  • .cer
  • .cfp
  • .cgm
  • .cib
  • .cls
  • .cmt
  • .cpi
  • .crt
  • .csh
  • .css
  • .csv
  • .dac
  • .db
  • .db3
  • .dbf
  • .db-journal
  • .dc2
  • .dcr
  • .dcs
  • .ddd
  • .ddoc
  • .ddrw
  • .der
  • .design
  • .dgc
  • .djvu
  • .dng
  • .doc
  • .docm
  • .docx
  • .dot
  • .dotm
  • .dotx
  • .drf
  • .drw
  • .dwg
  • .dxb
  • .erbsql
  • .erf
  • .exf
  • .fdb
  • .ffd
  • .fff
  • .fh
  • .fhd
  • .fpx
  • .fxg
  • .gray
  • .grey
  • .gry
  • .h
  • .hbk
  • .hpp
  • .ibank
  • .ibz
  • .idb
  • .idx
  • .iiq
  • .incpas
  • .jpeg
  • .JPEG
  • .jpg
  • .JPG
  • .js
  • .kc2
  • .kdbx
  • .kdc
  • .kpdx
  • .lua
  • .mdb
  • .mdc
  • .mef
  • .mfw
  • .mmw
  • .moneywell
  • .mos
  • .mp3
  • .mpg
  • .mrw
  • .myd
  • .ndd
  • .nef
  • .nop
  • .nrw
  • .ns2
  • .ns3
  • .ns4
  • .nsd
  • .nsf
  • .nsg
  • .nsh
  • .nx1
  • .nx2
  • .nyf
  • .odb
  • .odf
  • .odg
  • .odm
  • .odp
  • .ods
  • .odt
  • .orf
  • .otg
  • .oth
  • .otp
  • .ots
  • .ott
  • .p12
  • .p7b
  • .p7c
  • .pat
  • .pcd
  • .pdf
  • .pef
  • .pem
  • .pfx
  • .php
  • .pl
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .ps
  • .psafe3
  • .psd
  • .ptx
  • .ra2
  • .raf
  • .rar
  • .raw
  • .rdb
  • .rtf
  • .rw2
  • .rwl
  • .rwz
  • .s3db
  • .sas7bdat
  • .sav
  • .sda
  • .sdf
  • .sdo
  • .sldm
  • .sldx
  • .sqlite
  • .sqlite3
  • .sqlitedb
  • .sr2
  • .srf
  • .srw
  • .st4
  • .st5
  • .st6
  • .st7
  • .st8
  • .stc
  • .std
  • .sti
  • .stw
  • .stx
  • .sxc
  • .sxd
  • .sxg
  • .sxi
  • .sxm
  • .sxw
  • .txt
  • .wb2
  • .x3f
  • .xla
  • .xlam
  • .xll
  • .xlm
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .ycbcra
  • .zip

The trojan encrypts the file content.


An additional ".filesdecrypt@india.com" extension is appended.


The RSA, AES encryption algorithm is used.


The trojan creates the following file:

  • %currentfolder%\­help-decrypt-file.enc

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Other information

The trojan displays the following dialog boxes:

Please enable Javascript to ensure correct displaying of this content and refresh this page.