Win32/Filecoder.Phobos [Threat Name]
Win32/Filecoder.Phobos.C [Threat Variant Name]
Category | trojan
Size | 58368 B
Aliases | Ransom:Win32/Phobos.V!MTB (Microsoft), Ransom.Crysis (Symantec), Trojan.Encoder.31034 (Dr.Web)
Short description
Win32/Filecoder.Phobos.C is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Installation
When executed the trojan copies itself in the following locations:
- %localappdata%\%originalmalwarefilename%
- %startup%\%originalmalwarefilename%
- %commonaltstartup%\%originalmalwarefilename%
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "%originalmalwarefilename%" = "%localappdata%\%originalmalwarefilename%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%originalmalwarefilename%" = "%localappdata%\%originalmalwarefilename%"
This causes the trojan to be executed on every system start.
Payload information
Win32/Filecoder.Phobos.C is a trojan that encrypts files on fixed, removable and network drives.
The trojan searches for files with the following file extensions:
- *.*
It avoids files from the following directories:
- %programdata%\microsoft\windows\caches
- %windir%
It avoids files with the following filenames:
- boot.ini
- bootfont.bin
- ikjgf.txt
- info.hta
- info.txt
- io.sys
- ntdetect.com
- ntldr
It avoids files with the following extensions:
- .actin
- .Acton
- .actor
- .Acuff
- .Acuna
- .acute
- .adage
- .Adair
- .Adame
- .banhu
- .banjo
- .Banks
- .Banta
- .Barak
- .bbc
- .blend
- .bqux
- .Caleb
- .Cales
- .Caley
- .calix
- .Calle
- .Calum
- .Calvo
- .CAPITAL
- .com
- .DDoS
- .deuce
- .Dever
- .devil
- .Devoe
- .Devon
- .Devos
- .dewar
- .eight
- .eject
- .eking
- .Elbie
- .elbow
- .elder
- .help
- .KARLOS
- .karma
- .mamba
- .phobos
- .phoenix
- .PLUT
- .WALLET
The trojan encrypts the file content.
An additional ".id[%variable1%-%variable2%].[%emailaddress%].dewar" extension is appended.
A string with variable content is used instead of %variable1% and %variable2%.
The RSA and AES encryption algorithms are used.
To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
The following files are dropped:
- %drive%\info.txt
- %desktop%\info.txt
- %commondesktopdirectory%\info.txt
It contains the following text:
The following files are dropped:
- %drive%\info.hta
- %desktop%\info.hta
- %commondesktopdirectory%\info.hta
The trojan executes the following commands:
- %drive%\info.hta
- %desktop%\info.hta
- %commondesktopdirectory%\info.hta
Other information
The trojan executes the following commands:
- vssadmin delete shadows /all /quiet
- wmic shadowcopy delete
- bcdedit /set {default} bootstatuspolicy ignoreallfailures
- bcdedit /set {default} recoveryenabled no
- wbadmin delete catalog -quiet
- netsh advfirewall set currentprofile state off
- netsh firewall set opmode mode=disable
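As an added detection example (not part of this entry or of any vendor tooling), the following Python matches process-creation log lines against the recovery-tampering commands listed above and checks file names for the appended ".id[...].[...].dewar" extension described under Payload information. The log line format and the sample lines are constructed for the example.

```python
import re

# Recovery-tampering commands listed for this variant; matched case-insensitively
# on whitespace-normalized command lines, with an optional ".exe" on the binary.
RECOVERY_TAMPER_PATTERNS = [
    r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
    r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no",
    r"wbadmin(\.exe)?\s+delete\s+catalog\s+-quiet",
    r"netsh(\.exe)?\s+advfirewall\s+set\s+currentprofile\s+state\s+off",
    r"netsh(\.exe)?\s+firewall\s+set\s+opmode\s+mode=disable",
]
_TAMPER_RE = [re.compile(p, re.IGNORECASE) for p in RECOVERY_TAMPER_PATTERNS]

# Encrypted-file name pattern from this entry: ".id[<var1>-<var2>].[<email>].dewar"
ENCRYPTED_NAME_RE = re.compile(r"\.id\[[^\]\-]+-[^\]]+\]\.\[[^\]]+\]\.dewar$", re.IGNORECASE)

def is_recovery_tamper_command(cmdline: str) -> bool:
    """True if a process command line matches one of the listed recovery-tampering commands."""
    normalized = " ".join(cmdline.split())  # collapse padding an attacker might add
    return any(r.search(normalized) for r in _TAMPER_RE)

def is_phobos_encrypted_name(path: str) -> bool:
    """True if a file name carries the appended extension described on this page."""
    return bool(ENCRYPTED_NAME_RE.search(path))

def scan_process_log(lines):
    """Return (pid, command line) for each matching process-creation log line.
    Log format is constructed for this example: '<timestamp> pid=<n> cmd=<command line>'."""
    hits = []
    for line in lines:
        m = re.match(r"\S+\s+pid=(\d+)\s+cmd=(.*)$", line)
        if m and is_recovery_tamper_command(m.group(2)):
            hits.append((int(m.group(1)), m.group(2)))
    return hits

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z pid=1204 cmd=C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2024-01-01T10:00:05Z pid=3311 cmd=vssadmin delete shadows /all /quiet",
    "2024-01-01T10:00:06Z pid=3312 cmd=wmic  shadowcopy   delete",
    "2024-01-01T10:00:07Z pid=3313 cmd=bcdedit /set {default} recoveryenabled no",
    "2024-01-01T10:00:08Z pid=3314 cmd=vssadmin list shadows",
]

if __name__ == "__main__":
    for pid, cmd in scan_process_log(SAMPLE_LOG):
        print(f"ALERT pid={pid}: {cmd}")
```

The file-name check is useful for scoping an incident (which shares and removable drives were touched), while the command matches fire before encryption completes and so belong in process-creation monitoring rather than file scanning.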
The trojan terminates processes with any of the following strings in the name:
- agntsvc.exe
- agntsvc.exe
- dbeng50.exe
- dbsnmp.exe
- encsvc.exe
- excel.exe
- firefoxconfig.exe
- infopath.exe
- isqlplussvc.exe
- msaccess.exe
- msftesql.exe
- mspub.exe
- mydesktopqos.exe
- mydesktopservice.exe
- mysqld.exe
- mysqld-nt.exe
- mysqld-opt.exe
- ocautoupds.exe
- ocomm.exe
- ocssd.exe
- onenote.exe
- oracle.exe
- outlook.exe
- powerpnt.exe
- sqbcoreservice.exe
- sqlagent.exe
- sqlbrowser.exe
- sqlserver.exe
- sqlwriter.exe
- steam.exe
- synctime.exe
- tbirdconfig.exe
- thebat.exe
- thebat64.exe
- thunderbird.exe
- visio.exe
- winword.exe
- wordpad.exe
- xfssvccon.exe
The trojan configuration may be loaded from a separate file. It may affect the behavior of the trojan.