Win32/Filecoder [Threat Name]

Win32/Filecoder.AA [Threat Variant Name]

Available cleaner: Filecoder.AA Cleaner

Category trojan
Size 973512 B
Detection created Dec 26, 2011
Signature database version 6744
Aliases Trojan-Dropper.Win32.Delf.jxc (Kaspersky)
  Trojan:Win32/Comame (Microsoft)
  Trojan.ADH (Symantec)
Short description

Win32/Filecoder.AA is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan creates the following files:

  • %startup%\ФАЙЛЫ.txt (57 B)
  • %appdata%\Obsidium\{0ECB7C82-6C708AEA-68A1344C-7B4EF891} (72 B)
  • %temp%\$inst\2.tmp (36 B)
  • %programfiles%\Asobe Systems.inc\Adobe Flash Video\msg.vbs (93 B)
  • %programfiles%\Asobe Systems.inc\Adobe Flash Video\stata.bat (54 B)
  • %programfiles%\Asobe Systems.inc\Adobe Flash Video\svchost.exe (776192 B)
  • C:\nnn.jpg (156286 B)

The trojan may create the following files:

  • %programfiles%\Asobe Systems.inc\Adobe Flash Video\vvv.bat

The trojan can create copies of itself as an ADS (Alternate Data Stream) of the following file:

  • %programfiles%\Asobe Systems.inc\Adobe Flash Video\svchost.exe

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Video 3]
    • "DisplayName" = "Adobe Flash Video 3"
    • "DisplayVersion" = "3"
    • "VersionMajor" = 3
    • "Publisher" = "Asobe Systems.inc"
    • "DisplayIcon" = "%programfiles%\Asobe Systems.inc\Adobe Flash Video\Uninstall.exe"
    • "UninstallString" = "%programfiles%\Asobe Systems.inc\Adobe Flash Video\Uninstall.exe"
    • "InstallLocation" = "%programfiles%\Asobe Systems.inc\Adobe Flash Video\"
    • "InstallSource" = ""
    • "InstallDate" = "%installationdate%"
    • "Language" = 1049
    • "EstimatedSize" = 758
    • "NoModify" = 1
    • "NoRepair" = 1
  • [HKEY_CURRENT_USER\Software\Obsidium]
    • "(Default)" = "87E7BDE3"
  • [HKEY_CURRENT_USER\Software\Obsidium\{0ECB7C82-6C708AEA-68A1344C-7B4EF891}]
    • "Settings" = %binarydata%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB7C82-04B8-344C-68A1-A77C48BDA77C}]
    • "(Default)" = "%variable1%"
    • "AppID" = "{6E82CB0D-9EAC-1A65-3878-3AB571543AB5}"
    • "InprocServer32" = "%system%\%variable2%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB7C82-04B8-344C-68A1-A77C48BDA77C}\InprocServer32]
    • "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB7C82-04B8-344C-68A1-A77C48BDA77C}\ProgID]
    • "(Default)" = "%variable3%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB7C82-04B8-344C-68A1-A77C48BDA77C}\TypeLib]
    • "(Default)" = "%variable4%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB7C82-04B8-344C-68A1-A77C48BDA77C}\VersionIndependentProgID]
    • "(Default)" = "%variable5%"
  • [HKEY_LOCAL_MACHINE\Software]
    • "web" = "1"
  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "Wallpaper" = "c:\nnn.jpg"
    • "TileWallpaper" = "0"

A string with variable content is used instead of %variable1-5%.

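The following read-only triage script is an added example and is not part of the ESET page or any ESET tool. It checks a host for the file, ADS and Registry artifacts listed above, assuming the %startup%, %appdata%, %temp% and %programfiles% placeholders map to the standard Windows folders of the current user and system; run it from an elevated PowerShell 3.0 or later session.

```powershell
# Added triage script (not from the ESET page): looks for the Win32/Filecoder.AA
# installation artifacts listed above. Read-only: it reports and removes nothing.
# Assumption: placeholders resolve to the standard per-user / system locations.

$instDir = Join-Path $env:ProgramFiles 'Asobe Systems.inc\Adobe Flash Video'
$startup = [Environment]::GetFolderPath('Startup')

$filePaths = @(
    (Join-Path $startup 'ФАЙЛЫ.txt'),
    (Join-Path $env:APPDATA 'Obsidium\{0ECB7C82-6C708AEA-68A1344C-7B4EF891}'),
    (Join-Path $env:TEMP '$inst\2.tmp'),          # single quotes: '$inst' is literal
    (Join-Path $instDir 'msg.vbs'),
    (Join-Path $instDir 'stata.bat'),
    (Join-Path $instDir 'vvv.bat'),
    (Join-Path $instDir 'svchost.exe'),
    'C:\nnn.jpg'
)

$findings = @()

foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# The listing says the trojan may copy itself into an alternate data stream of
# its own svchost.exe; report every stream other than the default ':$DATA'.
$svc = Join-Path $instDir 'svchost.exe'
if (Test-Path -LiteralPath $svc) {
    Get-Item -LiteralPath $svc -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { $findings += "ADS on svchost.exe: $($_.Stream) ($($_.Length) B)" }
}

# Registry keys from the listing (fake uninstall entry, Obsidium licence key, CLSID).
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Video 3',
    'HKCU:\Software\Obsidium',
    'HKLM:\SOFTWARE\Classes\CLSID\{4FCB7C82-04B8-344C-68A1-A77C48BDA77C}'
)
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# "web"="1" under HKLM\Software is an unusual value worth flagging on its own.
$web = Get-ItemProperty -Path 'HKLM:\SOFTWARE' -Name web -ErrorAction SilentlyContinue
if ($web -and $web.web -eq '1') { $findings += 'HKLM\Software "web"="1" present' }

# Wallpaper redirected to the dropped ransom image.
$wp = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
if ($wp -and $wp -ieq 'c:\nnn.jpg') { $findings += "Wallpaper set to $wp" }

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Filecoder.AA artifacts from the listing were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Absence of every artifact is not proof of a clean host (the dropped svchost.exe is itself listed as deletable under Other information), so treat a hit on any single item, in particular the ADS or the wallpaper change, as grounds for isolating the machine and restoring the affected files from backup.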
The trojan displays a dialog box (screenshot not reproduced in this text).

The trojan displays a picture (image not reproduced in this text).

Payload information

Win32/Filecoder.AA is a trojan that encrypts files on local drives.

If the current system date matches the condition checked by the trojan, files with the following file extensions will be encrypted:

  • .doc
  • .docx
  • .jpg
  • .jpeg
  • .mp4
  • .pdf
  • .pot
  • .pps
  • .pptx
  • .rtf
  • .xls
  • .xlsx

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Other information

The trojan may delete the following files:

  • %programfiles%\Asobe Systems.inc\Adobe Flash Video\svchost.exe

The trojan opens the following URL in Internet Explorer:

  • http://moops.sooot.cn
