Win32/Filecoder [Threat Name] go to Threat

Win32/Filecoder.ED [Threat Variant Name]

Category trojan
Size 882176 B
Detection created Jan 08, 2015
Signature database version 10982
Aliases Backdoor.Win32.Androm.gcuz (Kaspersky)
Short description

Win32/Filecoder.ED is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan copies itself in some of the the following locations:

  • %commonappdata%\­Windows\­csrss.exe
  • %appdata%\­Windows\­csrss.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Client Server Runtime Subsystem" = "%malwarefolder%\­csrss.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Client Server Runtime Subsystem" = "%malwarefolder%\­csrss.exe"

In order to be executed on every system start, the trojan creates the following file:

  • %startup%\­csrss.lnk
Payload information

Win32/Filecoder.ED is a trojan that encrypts files on local drives.


The trojan searches local drives for files with the following file extensions:

  • .3ds
  • .3fr
  • .3g2
  • .3gp
  • .7z
  • .accda
  • .accdb
  • .accdc
  • .accde
  • .accdt
  • .accdw
  • .adb
  • .adp
  • .ai
  • .ai3
  • .ai4
  • .ai5
  • .ai6
  • .ai7
  • .ai8
  • .anim
  • .arw
  • .as
  • .asa
  • .asc
  • .ascx
  • .asm
  • .asmx
  • .asp
  • .aspx
  • .asr
  • .asx
  • .avi
  • .avs
  • .backup
  • .bak
  • .bay
  • .bd
  • .bin
  • .bmp
  • .bz2
  • .c
  • .cdr
  • .cer
  • .cfc
  • .cfm
  • .cfml
  • .chm
  • .cin
  • .class
  • .config
  • .cpp
  • .cr2
  • .crt
  • .crw
  • .cs
  • .css
  • .csv
  • .cub
  • .dae
  • .dat
  • .dbf
  • .dc3
  • .dcm
  • .dcr
  • .der
  • .dib
  • .dic
  • .dif
  • .divx
  • .djvu
  • .dng
  • .doc
  • .docm
  • .docx
  • .dot
  • .dotm
  • .dotx
  • .dpx
  • .dqy
  • .dsn
  • .dtd
  • .dwg
  • .dwt
  • .dx
  • .dxf
  • .edml
  • .emf
  • .emz
  • .eps
  • .epsf
  • .epsp
  • .erf
  • .exr
  • .f4v
  • .fido
  • .flm
  • .flv
  • .frm
  • .fxg
  • .gif
  • .gz
  • .h
  • .hdr
  • .hpp
  • .hta
  • .htc
  • .htm
  • .html
  • .icb
  • .ics
  • .iff
  • .inc
  • .indd
  • .ini
  • .iqy
  • .j2c
  • .j2k
  • .java
  • .jp2
  • .jpc
  • .jpe
  • .jpeg
  • .jpf
  • .jpg
  • .jpx
  • .js
  • .jsf
  • .json
  • .jsp
  • .kdc
  • .kmz
  • .lasso
  • .lbi
  • .m1v
  • .m4a
  • .m4v
  • .max
  • .mda
  • .mdb
  • .mde
  • .mdf
  • .mdw
  • .mef
  • .mfw
  • .mht
  • .mhtml
  • .mka
  • .mkidx
  • .mkv
  • .mos
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .mpg
  • .mpv
  • .mrw
  • .msg
  • .myd
  • .myi
  • .nef
  • .nrw
  • .obj
  • .odb
  • .odm
  • .odp
  • .ods
  • .oft
  • .one
  • .onepkg
  • .onetoc2
  • .opt
  • .oqy
  • .orf
  • .p12,
  • .p7b
  • .p7c
  • .pam
  • .pbm
  • .pct
  • .pcx
  • .pdd
  • .pdd
  • .pdf
  • .pdp
  • .pef
  • .pem
  • .pfm
  • .pfx
  • .pgm
  • .php
  • .php3
  • .php4
  • .php5
  • .phtml
  • .pict
  • .pl
  • .pls
  • .pm
  • .png
  • .pnm
  • .pot
  • .potm
  • .potx
  • .ppa
  • .ppam
  • .ppm
  • .pps
  • .ppsm
  • .ppt
  • .pptm
  • .pptx
  • .prn
  • .ps
  • .psb
  • .psd
  • .pst
  • .ptx
  • .pub
  • .pxr
  • .py
  • .qt
  • .r3d
  • .raf
  • .rar
  • .raw
  • .rdf
  • .rgbe
  • .rle
  • .rqy
  • .rss
  • .rtf
  • .rw2
  • .rwl
  • .sct
  • .sdpx
  • .shtm
  • .shtml
  • .slk
  • .sln
  • .sql
  • .sr2
  • .srf
  • .srw
  • .ssi
  • .stm
  • .svg
  • .svgz
  • .swf
  • .tab
  • .tar
  • .tdi
  • .tga
  • .thmx
  • .tif
  • .tiff
  • .tld
  • .torrent
  • .tpl
  • .txt
  • .u3d
  • .udl
  • .uxdc
  • .vb
  • .vbs
  • .vcs
  • .vda
  • .vdr
  • .vdw
  • .vdx
  • .vsd
  • .vss
  • .vst
  • .vsw
  • .vsx
  • .vtm
  • .vtml
  • .vtx
  • .wav
  • .wb2
  • .wbm
  • .wbmp
  • .wim
  • .wmf
  • .wml
  • .wmv
  • .wpd
  • .wps
  • .x3f
  • .xl
  • .xla
  • .xlam
  • .xlk
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xml
  • .xps
  • .xsd
  • .xsf
  • .xsl
  • .xslt
  • .xsn
  • .xtp
  • .xtp2
  • .xyze
  • .xz
  • .zip

The trojan encrypts the file content.


The AES, RSA encryption algorithm is used.


The password is stored on the attacker's server.


The extension of the encrypted files is changed to:

  • .xtbl

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


The following file is dropped:

  • %appdata%\­%variable%.bmp (2359350 B)

This file/image is set as a wallpaper.

The following files are dropped:

  • %rootfolder%\­README%number%.txt (903 B)
  • %desktop%\­README%number%.txt (903 B)

A variable numerical value is used instead of %number% .


The written data contains the following string:

  • Ваши файлы были зашифрованы.
  • Чтобы расшифровать их, Вам необходимо отправить код:
  • %variable%
  • на электронный адрес desh%removed%01@gmail.com или desh%removed%@india.com .
  • Далее вы получите все необходимые инструкции.
  • Попытки расшифровать самостоятельно не приведут ни к чему, кроме безвозвратной потери информации.
  • All the important files on your computer were encrypted.
  • To decrypt the files you should send the following code:
  • %variable%
  • to e-mail address desh%removed%01@gmail.com or desh%removed%@india.com .
  • Then you will receive all necessary instructions.
  • All the attempts of decryption by yourself will result only in irrevocable loss of your data.

A string with variable content is used instead of %variable% .

Other information

The trojan contains a list of (4) URL addresses.


It can send various information about the infected computer to an attacker.


The TOR protocol is used in the communication.


The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­System32\­Configuration]
    • "i" = "%variable%"
    • "Version" = "%variable%"
    • "mode" = "%variable%"
    • "pk" = "%variable%"
    • "state" = "%variable%"
    • "cnt" = "%variable%"
    • "wp" = "%variable%"

A string with variable content is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.