Win32/Diskcoder.Petya [Threat Name]

Win32/Diskcoder.Petya.D [Threat Variant Name]

Category trojan
Detection created Dec 06, 2016
Signature database version 14560
Short description

Win32/Diskcoder.Petya.D is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\{%randomuuid%}\%variable%.exe

A string with variable content is used instead of %randomuuid% and %variable%.


This copy of the trojan is then executed.


The trojan creates the following files:

  • %temp%\%variable1%\%variable2%.dll
  • %systemroot%\system32\%variable3%\%variable4%.exe
  • %systemroot%\system32\%variable3%\%variable2%.dll

A string with variable content is used instead of %variable1% to %variable4%.


The trojan may create the text file:

  • YOUR_FILES_ARE_ENCRYPTED.txt (778 B)

The file is copied in the following folders as well:

  • %userprofile%
  • %userprofile%\Desktop\
  • %userprofile%\Downloads\
  • %userprofile%\Documents\
  • %public%
  • %remotedrive%
  • %removabledrive%

Win32/Diskcoder.Petya.D replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.
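The MBR overwrite is the behaviour a responder most wants to verify on a suspect disk. The following is an added example, not ESET's code or the sample's, of an offline integrity check: it parses sector 0 of a raw image, hashes the bootstrap area and compares it with a baseline recorded before the incident. The baseline and the sample sectors used here are constructed.

```python
# Added example (not ESET's code): offline MBR integrity triage for a
# Petya-style MBR overwrite. Parses sector 0 and compares a hash of the
# bootstrap code with a known-good baseline; a mismatch means rewritten boot code.
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 446      # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a raw image file (or a block device opened read-only)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def parse_mbr(sector: bytes) -> dict:
    """Return bootstrap hash, non-empty partition entries and signature validity."""
    if len(sector) != SECTOR:
        raise ValueError("MBR sector must be exactly 512 bytes")
    parts = []
    for i in range(4):  # status, type, LBA start, sector count; CHS fields skipped
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 marks an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == BOOT_SIG}


def mbr_tampered(sector: bytes, baseline_sha256: str) -> bool:
    """True if the bootstrap code differs from the baseline or the sector is not a valid MBR."""
    info = parse_mbr(sector)
    return not info["signature_ok"] or info["bootstrap_sha256"] != baseline_sha256


def make_sector(bootstrap: bytes) -> bytes:
    """Constructed sample: one bootable NTFS partition (type 0x07) at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\0") + entry + b"\0" * 48 + BOOT_SIG


CLEAN = make_sector(b"\xfa\x33\xc0\x8e\xd0")     # stand-in for the OEM bootstrap
BASELINE = parse_mbr(CLEAN)["bootstrap_sha256"]  # recorded before the incident
INFECTED = make_sector(b"\xfa\x66\x31\xc0")      # bootstrap rewritten
```

In practice, record BASELINE for each machine while it is known clean and run `mbr_tampered(read_mbr(image), BASELINE)` against the acquired image; the partition table is returned as well so a rewritten bootstrap can be told apart from a damaged sector.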


The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

Payload information

The trojan searches local, removable and network drives for files with one of the following extensions:

  • 3dm
  • 3ds
  • 3fr
  • 3g2
  • 3ga
  • 3gp
  • a2c
  • aa
  • aa3
  • aac
  • accdb
  • aepx
  • ai
  • aif
  • amr
  • ape
  • apnx
  • ari
  • arw
  • asf
  • asp
  • aspx
  • asx
  • avi
  • azw
  • azw1
  • azw3
  • azw4
  • bak
  • bat
  • bay
  • bin
  • bmp
  • camproj
  • cat
  • ccd
  • cdi
  • cdr
  • cer
  • cert
  • cfg
  • cgi
  • class
  • cmf
  • cnf
  • conf
  • config
  • cpp
  • cr2
  • crt
  • crw
  • crwl
  • cs
  • csv
  • cue
  • dash
  • dat
  • db
  • dbf
  • dcr
  • dcu
  • dds
  • default
  • der
  • dfm
  • directory
  • disc
  • dmg
  • dng
  • doc
  • docm
  • docx
  • dtd
  • dvd
  • dwg
  • dxf
  • eip
  • emf
  • eml
  • eps
  • epub
  • erf
  • fff
  • flv
  • frm
  • gfx
  • gif
  • gzip
  • h
  • htm
  • html
  • idl
  • iiq
  • indd
  • inf
  • iso
  • jar
  • java
  • jfif
  • jge
  • jpe
  • jpeg
  • jpg
  • js
  • json
  • jsp
  • k25
  • kdc
  • key
  • ldf
  • lit
  • localstorage
  • m3u
  • m4a
  • m4v
  • max
  • mdb
  • mdf
  • mef
  • mkv
  • mobi
  • mov
  • movie
  • mp1
  • mp2
  • mp3
  • mp4
  • mp4v
  • mpa
  • mpe
  • mpeg
  • mpg
  • mpv2
  • mrw
  • msg
  • mts
  • mui
  • myi
  • nef
  • nrg
  • nri
  • nrw
  • number
  • obj
  • odb
  • odc
  • odf
  • odm
  • odp
  • ods
  • odt
  • ogg
  • orf
  • ost
  • p12
  • p7b
  • p7c
  • pages
  • pas
  • pbk
  • pdd
  • pdf
  • pef
  • pem
  • pfx
  • php
  • png
  • po
  • pps
  • ppt
  • pptm
  • pptx
  • prf
  • props
  • ps
  • psd
  • pspimage
  • pst
  • ptx
  • pub
  • py
  • qt
  • r3d
  • ra
  • raf
  • ram
  • rar
  • raw
  • result
  • rll
  • rm
  • rpf
  • rtf
  • rw2
  • rwl
  • sql
  • sqlite
  • sqllite
  • sr2
  • srf
  • srt
  • srw
  • svg
  • swf
  • tga
  • tiff
  • toast
  • ts
  • txt
  • vbs
  • vcd
  • vlc
  • vmdk
  • vmx
  • vob
  • wav
  • wb2
  • wdb
  • wma
  • wmv
  • wpd
  • wps
  • x3f
  • xlk
  • xls
  • xlsb
  • xlsm
  • xlsx
  • xml
  • xps
  • xsl
  • yml
  • yuv
  • zip

The trojan encrypts the file content.


The AES-256 encryption algorithm is used.


The extension of the encrypted files is changed to:

  • %variableextension%

A string with variable content is used instead of %variableextension%.


To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


Win32/Diskcoder.Petya.D is a trojan that encrypts specific parts of drives.


The Salsa20 encryption algorithm is used.


The trojan disguises itself as the "chkdsk.exe" application.


The trojan displays a fake error message:

Some examples follow.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 4 URLs. The HTTP protocol is used in the communication.


The trojan is able to bypass User Account Control (UAC).


The trojan may restart the operating system.
