Win32/Filecoder [Threat Name]
Win32/Filecoder.DG [Threat Variant Name]
Detection created: Aug 27, 2014
Signature database version: 10323
Win32/Filecoder.DG is a trojan that encrypts files on fixed, removable and network drives. To restore files to their original state the user is requested to send an e-mail to a specified address in exchange for a password/instructions.
When executed, the trojan copies itself into the following location:
The trojan searches for files with the following file extensions:
Only folders whose path does not contain one of the following strings are searched:
- program files
- program files (x86)
- system volume information
The trojan encrypts the file content.
The extension of the encrypted files is changed to:
The variable %variable% represents a variable 10-digit number.
The AES encryption algorithm is used. The password is stored on the attacker's server.
The following files are dropped:
- %appdata%\xsmail.bmp (310582 B)
- %startup%\xsmail.bmp (310582 B)
When file encryption is finished, the trojan removes itself from the computer.
The trojan collects the following information:
- computer name
The trojan attempts to send gathered information to a remote machine.
The trojan contains a list of (2) URLs. The HTTP protocol is used in the communication.
The following Registry entries are set:
- [HKEY_CURRENT_USER\Control Panel\Desktop]
  - "TileWallpaper" = "0"
  - "Wallpaper" = "%appdata%\xsmail.bmp"
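A host-triage check for the indicators listed in this description (the dropped xsmail.bmp and its size, the wallpaper registry values, and the folder filter used to estimate which files were in the trojan's encryption scope), written as an added example rather than ESET's own tooling; it runs against constructed registry and file-listing data, and the expanded AppData and Startup paths in the sample are assumptions.

```python
from pathlib import PureWindowsPath

# Indicators copied from the description above (dropped file, size, registry values).
DROPPED_FILE = "xsmail.bmp"
DROPPED_SIZE = 310582
EXCLUDED_PATH_STRINGS = ("program files", "program files (x86)", "system volume information")

def check_registry(desktop_values):
    """desktop_values: dict of HKCU\\Control Panel\\Desktop values. Returns indicator names found."""
    hits = []
    wallpaper = desktop_values.get("Wallpaper", "")
    if PureWindowsPath(wallpaper).name.lower() == DROPPED_FILE and desktop_values.get("TileWallpaper") == "0":
        hits.append("wallpaper_points_to_xsmail.bmp")
    return hits

def check_dropped_files(files):
    """files: list of (path, size_in_bytes). Returns paths matching the dropped-file indicator."""
    return [path for path, size in files
            if PureWindowsPath(path).name.lower() == DROPPED_FILE and size == DROPPED_SIZE]

def in_encryption_scope(path):
    """True if the trojan's folder filter would have searched this path (impact estimation)."""
    lowered = path.lower()
    return not any(s in lowered for s in EXCLUDED_PATH_STRINGS)

def triage(desktop_values, files):
    """Combine the checks into one report for a host."""
    return {
        "registry": check_registry(desktop_values),
        "dropped_files": check_dropped_files(files),
        "files_in_scope": [p for p, _ in files if in_encryption_scope(p)],
    }

# Constructed sample data; the expanded user-profile paths are assumptions, not from the description.
SAMPLE_DESKTOP = {"TileWallpaper": "0", "Wallpaper": r"C:\Users\alice\AppData\Roaming\xsmail.bmp"}
SAMPLE_FILES = [
    (r"C:\Users\alice\AppData\Roaming\xsmail.bmp", 310582),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsmail.bmp", 310582),
    (r"C:\Program Files (x86)\Vendor\readme.txt", 1200),
    (r"D:\share\report.docx", 48000),
]

if __name__ == "__main__":
    print(triage(SAMPLE_DESKTOP, SAMPLE_FILES))
```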
The trojan displays the following picture: