Win32/Filecoder [Threat Name]
Win32/Filecoder.Q [Threat Variant Name]
Available cleaner: Download Filecoder.Q Cleaner
Category | trojan
Size | 10752 B
Aliases | Trojan-Ransom.Win32.Xorist.bl (Kaspersky), Trojan.Encoder.94 (Dr.Web)
Short description
Win32/Filecoder.Q is a trojan that encrypts files on local drives. To decrypt files the user is requested to send an SMS message to a specified telephone number in exchange for a password/instructions.
Installation
When executed, the trojan copies itself into the following location:
- %temp%\Once80hZ5rGdP5v.exe
The trojan creates the following files:
- %drive%\HOW TO DECRYPT FILES.txt
- %drive%\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
The trojan writes the following entries to the file:
The following Registry entries are created:
- [HKEY_CLASSES_ROOT\.EnCrYpTeD]
- "(Default)" = "GUKTBGWHTVSZAZZ"
- [HKEY_CLASSES_ROOT\GUKTBGWHTVSZAZZ]
- "(Default)" = "CRYPTED!"
- [HKEY_CLASSES_ROOT\GUKTBGWHTVSZAZZ\DefaultIcon]
- "(Default)" = "%temp%\Once80hZ5rGdP5v.exe, 0"
- [HKEY_CLASSES_ROOT\GUKTBGWHTVSZAZZ\shell\open\command]
- "(Default)" = "%temp%\Once80hZ5rGdP5v.exe"
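The registry entries above register the ".EnCrYpTeD" extension to a class whose open command is the dropped executable, so opening any encrypted file would relaunch the trojan. As an added example (not ESET's cleaner or any code from the original page), the script below parses a registry export in the text form produced by `reg export HKEY_CLASSES_ROOT <file>` and reports which of these indicators are present. The export text is constructed for the demo; on a real host the `%temp%` path is stored expanded, which is why the open command is matched on the file name only.

```python
"""Check a Windows registry export (.reg text) for the Win32/Filecoder.Q
file-association keys listed in the description. Added example, not
ESET's tooling; SAMPLE_EXPORT is constructed for the demo."""
import re

# Indicators from the description: ".EnCrYpTeD" maps to the
# "GUKTBGWHTVSZAZZ" class, whose open command is the dropped executable.
ENCRYPTED_EXT = ".EnCrYpTeD"
PROGID = "GUKTBGWHTVSZAZZ"
DROPPED_EXE_NAME = "Once80hZ5rGdP5v.exe"

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.EnCrYpTeD]
@="GUKTBGWHTVSZAZZ"

[HKEY_CLASSES_ROOT\GUKTBGWHTVSZAZZ]
@="CRYPTED!"

[HKEY_CLASSES_ROOT\GUKTBGWHTVSZAZZ\DefaultIcon]
@="%temp%\\Once80hZ5rGdP5v.exe, 0"

[HKEY_CLASSES_ROOT\GUKTBGWHTVSZAZZ\shell\open\command]
@="%temp%\\Once80hZ5rGdP5v.exe"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
'''


def parse_reg_export(text):
    """Parse [Key] headers and "Name"="Value" / @="Value" lines of a .reg
    export into {key: {value_name: value}}. Only string values are handled,
    which is all these indicators use; backslashes are doubled in .reg
    exports and are unescaped here."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            value = m.group(2)[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = value
    return keys


def find_filecoder_q_indicators(keys):
    """Return a list of findings, one per indicator key that is present."""
    findings = []
    ext_key = keys.get("HKEY_CLASSES_ROOT\\" + ENCRYPTED_EXT)
    if ext_key is not None:
        progid = ext_key.get("(Default)", "")
        findings.append(f"extension {ENCRYPTED_EXT} registered to ProgID {progid!r}")
    icon_key = keys.get(f"HKEY_CLASSES_ROOT\\{PROGID}\\DefaultIcon")
    if icon_key is not None:
        findings.append(f"DefaultIcon for {PROGID} is {icon_key.get('(Default)', '')!r}")
    cmd_key = keys.get(f"HKEY_CLASSES_ROOT\\{PROGID}\\shell\\open\\command")
    if cmd_key is not None:
        cmd = cmd_key.get("(Default)", "")
        # Match on the executable name only: the stored path is expanded on a real host.
        if cmd.lower().endswith(DROPPED_EXE_NAME.lower()):
            findings.append(f"open command for {PROGID} launches {cmd!r}")
    return findings


if __name__ == "__main__":
    for finding in find_filecoder_q_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print("indicator:", finding)
```

Removing the ".EnCrYpTeD" and "GUKTBGWHTVSZAZZ" keys is part of cleanup; until then, double-clicking an encrypted file is a way the trojan gets re-executed even after the copy in `%temp%` has been quarantined and restored.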
Payload information
Win32/Filecoder.Q is a trojan that encrypts files on local drives.
The trojan searches local drives for files with the following file extensions:
- .zip
- .rar
- .7z
- .tar
- .gzip
- .jpg
- .jpeg
- .psd
- .cdr
- .dwg
- .max
- .bmp
- .gif
- .png
- .doc
- .docx
- .xls
- .xlsx
- .ppt
- .pptx
- .txt
- .djvu
- .htm
- .html
- .mdb
- .cer
- .p12
- .pfx
- .kwm
- .pwm
- .1cd
- .md
- .mdf
- .dbf
- .odt
- .vob
- .ifo
- .lnk
- .torrent
- .mov
- .m2v
- .3gp
- .mpeg
- .mpg
- .flv
- .avi
- .mp4
- .wmv
- .divx
- .mkv
- .mp3
- .wav
- .flac
- .ape
- .wma
- .ac3
When the trojan finds a file matching the search criteria, it creates an encrypted copy of it.
The new file keeps the original file name and extension, with an additional ".EnCrYpTeD" extension appended.
The trojan then deletes the original file.
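Because the original name and extension survive in front of the appended ".EnCrYpTeD" extension, a responder can inventory what was hit and what remains in scope without decrypting anything. The script below is an added example (not ESET's cleaner or code from the original page): it walks a directory tree, recovers the original name of each encrypted file, notes that the original is gone (the trojan deletes it), locates the two ransom notes, and lists surviving files whose extension is on the target list above. The sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Triage a directory tree for traces of Win32/Filecoder.Q. Added example,
not ESET's cleaner; build_sample_tree() creates constructed sample files."""
import os
import tempfile

ENCRYPTED_EXT = ".EnCrYpTeD"
RANSOM_NOTES = {"HOW TO DECRYPT FILES.txt", "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt"}
# Extensions the trojan searches for, as listed in the description.
TARGETED_EXTS = {
    ".zip", ".rar", ".7z", ".tar", ".gzip", ".jpg", ".jpeg", ".psd", ".cdr",
    ".dwg", ".max", ".bmp", ".gif", ".png", ".doc", ".docx", ".xls", ".xlsx",
    ".ppt", ".pptx", ".txt", ".djvu", ".htm", ".html", ".mdb", ".cer", ".p12",
    ".pfx", ".kwm", ".pwm", ".1cd", ".md", ".mdf", ".dbf", ".odt", ".vob",
    ".ifo", ".lnk", ".torrent", ".mov", ".m2v", ".3gp", ".mpeg", ".mpg",
    ".flv", ".avi", ".mp4", ".wmv", ".divx", ".mkv", ".mp3", ".wav", ".flac",
    ".ape", ".wma", ".ac3",
}


def triage(root):
    """Walk `root` and return a report dict with:
      encrypted: (encrypted_path, recovered_original_name) pairs
      orphaned:  encrypted files whose original is gone (expected: the
                 trojan deletes the original after creating the copy)
      notes:     ransom note paths
      in_scope:  surviving files whose extension is on the target list
    """
    report = {"encrypted": [], "orphaned": [], "notes": [], "in_scope": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTES:
                report["notes"].append(path)
                continue
            # The appended extension is matched case-insensitively; the original
            # name and extension precede it, so stripping it recovers them.
            if name.lower().endswith(ENCRYPTED_EXT.lower()):
                original = name[:-len(ENCRYPTED_EXT)]
                report["encrypted"].append((path, original))
                if not os.path.exists(os.path.join(dirpath, original)):
                    report["orphaned"].append(path)
                continue
            if os.path.splitext(name)[1].lower() in TARGETED_EXTS:
                report["in_scope"].append(path)
    return report


def build_sample_tree():
    """Create a constructed directory resembling an affected drive root."""
    root = tempfile.mkdtemp(prefix="filecoder_q_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    samples = {
        os.path.join(root, "HOW TO DECRYPT FILES.txt"): "constructed note placeholder",
        os.path.join(root, "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt"): "constructed note placeholder",
        os.path.join(docs, "report.docx.EnCrYpTeD"): "opaque placeholder bytes",
        os.path.join(docs, "photo.jpg.EnCrYpTeD"): "opaque placeholder bytes",
        os.path.join(docs, "notes.txt"): "untouched file on the target list",
        os.path.join(docs, "program.exe"): "file not on the target list",
    }
    for path, content in samples.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for path, original in report["encrypted"]:
        print(f"{path} -> original name {original}")
    print(f"{len(report['orphaned'])} originals missing, "
          f"{len(report['notes'])} ransom notes, "
          f"{len(report['in_scope'])} surviving files still in scope")
```

Run it against a mounted image or the affected drive root rather than a live, still-infected system; the in-scope list is what an isolated host still stands to lose if the process is allowed to continue.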
Other information
The trojan displays the following dialog boxes: