Win32/Filecoder [Threat Name]
Win32/Filecoder.NGQ [Threat Variant Name]
Category | trojan
Size | 1197190 B
Aliases | Trojan-Ransom.Win32.Democry.a (Kaspersky), Ransom:Win32/SieteCrypto.A (Microsoft)
Short description
Win32/Filecoder.NGQ is a trojan that encrypts files on fixed and network drives. To restore files to their original state the user is requested to send an e-mail to a specified address in exchange for a password/instructions.
Installation
The trojan does not create any copies of itself.
The trojan creates the following files:
- %desktop%\read_this_file.txt
- %temp%\tmp.bmp
Payload information
Win32/Filecoder.NGQ is a trojan that encrypts files on fixed and network drives.
The trojan searches for files with the following file extensions:
- *.*
It avoids files with the following extensions:
- .exe
- .777
- .dll
- .msi
It avoids files which contain any of the following strings in their path:
- %rootfolder%
- %windir%
- %programfiles%
- %temp%
It avoids files smaller than 100 B.
The name of the encrypted file is changed to:
- %originalfilename%._%date_and_time%_$seven_legion@india.com$.777
The following file is dropped into the %desktop% folder:
- read_this_file.txt
It contains the following text:
- FOR DECRYPT FILES
- SEND ONE FILE IN E-MAIL
- seven_legion@india.com
The trojan creates the following file:
- %temp%\tmp.bmp
This image is set as the desktop wallpaper.
To restore files to their original state the user is requested to send an e-mail to a specified address in exchange for a password/instructions.
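The target-selection rules and the rename pattern above are enough to write a simple incident-response triage helper. The script below is an added example, not ESET's or the malware's code: given a file listing it separates already-encrypted files (parsing the original name and timestamp back out of the renamed file), ransom notes, and intact files that fall inside the trojan's target set. It assumes concrete Windows locations for %windir%, %programfiles% and %temp%, treats the undocumented date/time stamp as an opaque string, and uses a constructed sample listing.

```python
import ntpath
import re

# Rename pattern from the page: %originalfilename%._%date_and_time%_$seven_legion@india.com$.777
# The timestamp format is not documented, so it is captured as an opaque string (assumption).
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\._(?P<stamp>.+)_\$seven_legion@india\.com\$\.777$")
SKIPPED_EXTS = {".exe", ".777", ".dll", ".msi"}          # extensions the trojan avoids
SKIPPED_PATH_PARTS = ("\\windows\\", "\\program files", "\\temp\\")  # assumed stand-ins
MIN_SIZE = 100                                            # files below 100 B are left alone
RANSOM_NOTE = "read_this_file.txt"

def parse_encrypted_name(name):
    """Return (original_name, stamp) if `name` matches the rename pattern, else None."""
    m = ENCRYPTED_RE.match(name)
    return (m.group("original"), m.group("stamp")) if m else None

def in_target_set(path, size):
    """Apply the page's avoidance rules: would the trojan's file walk encrypt this file?"""
    low = path.lower()
    if ntpath.splitext(low)[1] in SKIPPED_EXTS:
        return False
    if any(part in low for part in SKIPPED_PATH_PARTS):
        return False
    return size >= MIN_SIZE

def triage(entries):
    """entries: iterable of (path, size_in_bytes).
    Returns encrypted files (path, original name, stamp), ransom notes, and
    intact files that are inside the trojan's target set ("at_risk")."""
    out = {"encrypted": [], "notes": [], "at_risk": []}
    for path, size in entries:
        name = ntpath.basename(path)
        parsed = parse_encrypted_name(name)
        if parsed:
            out["encrypted"].append((path, parsed[0], parsed[1]))
        elif name.lower() == RANSOM_NOTE:
            out["notes"].append(path)
        elif in_target_set(path, size):
            out["at_risk"].append(path)
    return out

# Constructed sample listing (not real data) of a share that was partially hit.
SAMPLE = [
    (r"D:\share\budget.xlsx._2016-03-04-1122_$seven_legion@india.com$.777", 48213),
    (r"D:\share\photo.jpg", 920000),
    (r"D:\share\tiny.ini", 40),
    (r"C:\Windows\System32\notepad.exe", 250000),
    (r"C:\Users\alice\Desktop\read_this_file.txt", 58),
]

if __name__ == "__main__":
    for category, items in triage(SAMPLE).items():
        print(category, items)
```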
Other information
The trojan displays the following dialog boxes: