Win32/Filecoder [Threat Name]
Win32/Filecoder.R [Threat Variant Name]
Available cleaner [Download Filecoder.R Cleaner]
Category | trojan |
Size | 367503 B |
Aliases | Trojan-Ransom.Win32.Rector.aw (Kaspersky), Ransom!dk.trojan (McAfee), Trojan:Win32/Comame (Microsoft) |
Short description
Win32/Filecoder.R is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Installation
When executed, the trojan creates the following files:
- C:\Program Files\Adobe Systems,inc\Adobe Flash Video\svchost.exe (659456 B, Win32/Filecoder.R)
- C:\Program Files\Adobe Systems,inc\Adobe Flash Video\mess.bat (76 B, Win32/Filecoder.R)
- C:\Program Files\Adobe Systems,inc\Adobe Flash Video\site.bat (59 B, Win32/Filecoder.R)
- C:\Program Files\Adobe Systems,inc\Adobe Flash Video\mmm.bat (17 B)
- C:\hehe.jpg (156286 B)
- %currentfolder%\mmm.bat (17 B)
- %startup%\inf.txt (135 B)
The files are then executed.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE]
- "oplata" = "1"
After the installation is complete, the trojan deletes the original executable file.
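A host triage check for the installation artifacts listed above, as an added example that is not part of the original description or the vendor's tooling. It assumes a live Windows host with user profiles under C:\Users; checking the WOW6432Node registry view is an added assumption about registry redirection, not something the page states.

```powershell
# Added example: triage a live host for the Win32/Filecoder.R artifacts listed above.
# Paths, sizes and the registry value are taken from the page; the rest is illustrative.
# %currentfolder%\mmm.bat is not checked: it depends on where the sample was run from.
$base = 'C:\Program Files\Adobe Systems,inc\Adobe Flash Video'
$expected = @(
    @{ Path = "$base\svchost.exe"; Size = 659456 }
    @{ Path = "$base\mess.bat";    Size = 76 }
    @{ Path = "$base\site.bat";    Size = 59 }
    @{ Path = "$base\mmm.bat";     Size = 17 }
    @{ Path = 'C:\hehe.jpg';       Size = 156286 }
)

# %startup%\inf.txt: look in the all-users Startup folder and in every local profile.
# Assumption: profiles live under C:\Users (Windows Vista and later).
$startupDirs = @([Environment]::GetFolderPath('CommonStartup'))
$startupDirs += Get-ChildItem 'C:\Users' -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
foreach ($dir in ($startupDirs | Where-Object { $_ })) {
    $expected += @{ Path = (Join-Path $dir 'inf.txt'); Size = 135 }
}

# A file at a listed path is reported even when its size differs from the page's value.
$findings = @(foreach ($item in $expected) {
    $file = Get-Item -LiteralPath $item.Path -Force -ErrorAction SilentlyContinue
    if ($file) {
        [pscustomobject]@{
            Indicator   = $item.Path
            Observed    = "$($file.Length) B"
            MatchesPage = ($file.Length -eq $item.Size)
        }
    }
})

# Registry marker "oplata" = "1" under HKEY_LOCAL_MACHINE\SOFTWARE. The WOW6432Node view is
# checked as well (assumption: a 32-bit process on 64-bit Windows is redirected there).
foreach ($key in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    $props = Get-ItemProperty -LiteralPath $key -Name 'oplata' -ErrorAction SilentlyContinue
    if ($props) {
        $findings += [pscustomobject]@{
            Indicator   = "$key\oplata"
            Observed    = [string]$props.oplata
            MatchesPage = ([string]$props.oplata -eq '1')
        }
    }
}

if ($findings.Count -eq 0) { 'No Win32/Filecoder.R installation artifacts found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt so that other users' Startup folders are readable.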
Payload information
Win32/Filecoder.R is a trojan that encrypts files on local drives.
The trojan searches local drives for files with the following file extensions:
- .3gp
- .7z
- .chm
- .doc
- .docx
- .dot
- .dpr
- .eml
- .htm
- .html
- .iso
- .jbc
- .jpeg
- .jpg
- .mif
- .mmm
- .mp4
- .php
- .pot
- .pps
- .ppsx
- .ppt
- .pptx
- .rar
- .rtf
- .txt
- .vb
- .vbp
- .xls
- .zip
The trojan encrypts the file content.
Only the following folders are searched:
- c:\
- d:\
- e:\
- f:\
To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Other information
The trojan opens the following URLs in Internet Explorer:
- http://fileback.totalh.com/
The trojan displays the following picture: