Win32/Filecoder [Threat Name] go to Threat

Win32/Filecoder.CZ [Threat Variant Name]

Category trojan
Size 13824 B
Detection created Sep 16, 2014
Detection database version 10425
Aliases Trojan.Gen (Symantec)
Short description

Win32/Filecoder.CZ is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan creates the following file:

  • %temp%\­sd.vbs

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "gpc" = "%temp%\­sd.vbs"

After the installation is complete, the trojan deletes the original executable file.

Payload information

Win32/Filecoder.CZ is a trojan that encrypts files on local drives.


The trojan searches local drives for files with the following file extensions:

  • .7z
  • .abk
  • .abd
  • .acad
  • .arh
  • .arj
  • .ace
  • .arx
  • .asm
  • .bz
  • .bz2
  • .bak
  • .bcb
  • .c
  • .cc
  • .cdb
  • .cdw
  • .cdr
  • .cer
  • .cgi
  • .chm
  • .cnt
  • .cpp
  • .css
  • .csv
  • .db
  • .db1
  • .db2
  • .db3
  • .db4
  • .dba
  • .dbb
  • .dbc
  • .dbd
  • .dbe
  • .dbf
  • .dbt
  • .dbm
  • .dbo
  • .dbq
  • .dbx
  • .dco
  • .djvu
  • .doc
  • .docx
  • .docm
  • .dotx
  • .dotm
  • .dok
  • .dpr
  • .dwg
  • .dxf
  • .ebd
  • .eml
  • .eni
  • .ert
  • .fax
  • .fb2
  • .flb
  • .frm
  • .frt
  • .frx
  • .frg
  • .gtd
  • .gz
  • .gzip
  • .gfa
  • .gfr
  • .gfd
  • .gif
  • .h
  • .hnc
  • .hne
  • .inc
  • .igs
  • .iges
  • .jar
  • .jad
  • .java
  • .jbs
  • .jks
  • .jpg
  • .jpeg
  • .jfif
  • .jpe
  • .js
  • .jsp
  • .hpp
  • .htm
  • .html
  • .key
  • .kwm
  • .ldif
  • .lst
  • .lsp
  • .lzh
  • .lzw
  • .ldr
  • .man
  • .mdb
  • .mht
  • .mmf
  • .mns
  • .mnb
  • .mnu
  • .mo
  • .msb
  • .msg
  • .mxl
  • .old
  • .ova
  • .ovf
  • .p12
  • .pak
  • .pas
  • .pdf
  • .pem
  • .pfx
  • .php
  • .php3
  • .php4
  • .pl
  • .pptx
  • .pptm
  • .png
  • .potx
  • .potm
  • .ppam
  • .ppsx
  • .ppsm
  • .prf
  • .pgp
  • .prx
  • .psd
  • .pst
  • .pw
  • .pwa
  • .pwl
  • .pwm
  • .pm3
  • .pm4
  • .pm5
  • .pm6
  • .rar
  • .rmr
  • .rtf
  • .safe
  • .sar
  • .sig
  • .sql
  • .tar
  • .tc
  • .tbb
  • .tbk
  • .tdf
  • .tgz
  • .tib
  • .txt
  • .uue
  • .vb
  • .vcf
  • .vdi
  • .vmc
  • .vmdk
  • .vmx
  • .vmtm
  • .wab
  • .xls
  • .xlsx
  • .xlsm
  • .xltx
  • .xltm
  • .xlsb
  • .xlam
  • .xml
  • .zip

Only folders which do not contain one of the following string in their path are searched:

  • Program File
  • %windir%

The trojan encrypts the file content.


The RSA, RC2 encryption algorithm is used.


The extension of the encrypted files is changed to:

  • ._crypt

The trojan creates the following file:

  • %currentfolder%\­!_read_me_.txt

It contains the following text:

  • Your files was blocked because of copyright violation, you can't access your files.
  • Please visit %attackersurl% for more information and follow step by step instructions.
  • === KEY ===
  • %data%
  • === END ===

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Other information

The trojan hooks the following Windows APIs:

  • ZwConnectPort (ntdll.dll)
  • ZwAlpcConnectPort (ntdll.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.