BAT/Filecoder [Threat Name]
BAT/Filecoder.AQ [Threat Variant Name]
Category | trojan |
Size | 8356 B |
Aliases | Trojan-Ransom.BAT.Agent.ar (Kaspersky), BAT.Encoder.46 (Dr.Web), BV:Agent-AUQ (Avast) |
Short description
BAT/Filecoder.AQ is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Installation
The trojan tries to download several files from the Internet.
The files are stored in the following locations:
- %currentfolder%\pgp.exe
- %currentfolder%\pubring.pgp
- %currentfolder%\randseed.bin
- %currentfolder%\pgp.bat
- %currentfolder%\Rar.exe
- %currentfolder%\wsystem.bat
- C:\qtemp\hid.vbs
The trojan creates the following files:
- %currentfolder%\pass
- %currentfolder%\pass.asc
- C:\qtemp\push.vbs
The trojan executes the following files:
- %currentfolder%\pgp.bat
- C:\qtemp\push.vbs
- C:\qtemp\hid.vbs
The trojan tries to move the following files (source, destination):
- %currentfolder%\pass, C:\qtemp\pass
- %currentfolder%\pass.asc, C:\qtemp\pass.asc
- %currentfolder%\Rar.exe, C:\qtemp\Rar.exe
- %currentfolder%\wsystem.bat, C:\qtemp\wsystem.bat
The trojan may delete the following files:
- %currentfolder%\pgp.bat
- %currentfolder%\pgp.exe
- %currentfolder%\pubring.pgp
- %currentfolder%\randseed.bin
- C:\qtemp\pass
Payload information
The trojan encrypts files on local disks.
The trojan searches local drives for files with the following file extensions:
- .1CD
- .4db
- .4dd
- .adp
- .arw
- .cdr
- .cdx
- .cer
- .dbf
- .doc
- .dwg
- .dxb
- .eps
- .jpeg
- .jpg
- .lzh
- .mbd
- .mdb
- .mdf
- .odb
- .pdd
- .pdm
- .pek
- .pfx
- .ppt
- .psd
- .rtf
- .sql
- .tif
- .txt
- .wbd
- .wps
- .xld
- .xls
- .xml
- .zip
The trojan executes the following command:
- C:\qtemp\rar.exe a -dw -p%password% "%file%".rAr "%file%"
The extension of the encrypted files is changed to:
- .rAr
The trojan creates the following file:
- %file%.read
It contains the following text:
- -----BEGIN PGP MESSAGE-----
- Version: 2.6.3i
- hIwDhcZgxQxzJm0BBACSQjEpymig33nAKwaCN6pFASejRiZesFtbKgc5KOtVI82Z
- %removed%Q1ebscDATluw9TiDtW0DQ/5ewg==
- %removed%
- -----END PGP MESSAGE-----
- Information blocked. The cost of returning it to its original state is ten thousand p
- To return the information to its original form, send 2 files by e-mail:
- The first file - the one you are reading now; the second - one small file with the rAr extension
- You will receive back the original file and the payment method
- After payment is completed you will receive a program for restoring the data and the password for all the files
- %removed%@gmail.com
To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
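The encryption step described above leaves a distinctive process-creation trace: rar.exe invoked with -dw (delete originals after archiving), a -p password switch, and an archive named after the source file plus .rAr. The following detection helper is an added example, not ESET's code or the trojan's; the Sysmon-style log lines, file paths and password in it are constructed.

```python
# Added example (not ESET's code): flags process-creation events in which rar.exe is driven the
# way BAT/Filecoder.AQ drives it: one targeted file archived into "<file>.rAr" with a password
# (-p) and the original deleted afterwards (-dw). The sample log lines below are constructed.
import re
from pathlib import PureWindowsPath

# Extensions listed in the description above, compared case-insensitively.
TARGET_EXTENSIONS = {
    ".1cd", ".4db", ".4dd", ".adp", ".arw", ".cdr", ".cdx", ".cer", ".dbf", ".doc", ".dwg", ".dxb",
    ".eps", ".jpeg", ".jpg", ".lzh", ".mbd", ".mdb", ".mdf", ".odb", ".pdd", ".pdm", ".pek", ".pfx",
    ".ppt", ".psd", ".rtf", ".sql", ".tif", ".txt", ".wbd", ".wps", ".xld", ".xls", ".xml", ".zip",
}

def tokenize(cmdline):
    """Split on whitespace outside double quotes and drop the quotes, so "%file%".rAr is one token."""
    tokens, cur, in_quotes = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return [t for t in tokens + [cur] if t]  # drop empties left by runs of whitespace

def matches_filecoder_aq(cmdline):
    """True for 'rar.exe a -dw -p<pw> "<file>".rAr "<file>"' where <file> has a targeted extension."""
    argv = tokenize(cmdline)
    if len(argv) < 4 or PureWindowsPath(argv[0]).name.lower() != "rar.exe" or argv[1].lower() != "a":
        return False
    switches = [a.lower() for a in argv[2:] if a.startswith("-")]
    operands = [a for a in argv[2:] if not a.startswith("-")]
    # Need a password (-p; -hp also encrypts headers), the -dw wipe switch, one archive and one source.
    if (not any(s.startswith(("-p", "-hp")) for s in switches) or "-dw" not in switches
            or len(operands) != 2):
        return False
    archive, source = operands
    return (archive.lower() == source.lower() + ".rar"
            and PureWindowsPath(source).suffix.lower() in TARGET_EXTENSIONS)

# Constructed Sysmon-style process-creation events; the first and third follow the trojan's pattern.
SAMPLE_EVENTS = [
    r'Image=C:\qtemp\rar.exe CommandLine=C:\qtemp\rar.exe a -dw -pS3cr3t "C:\Users\ann\Documents\report.doc".rAr "C:\Users\ann\Documents\report.doc"',
    r'Image=C:\Program Files\WinRAR\Rar.exe CommandLine="C:\Program Files\WinRAR\Rar.exe" a -r backup.rar C:\Users\ann\Documents',
    r'Image=C:\qtemp\rar.exe CommandLine=C:\qtemp\rar.exe a -dw -pS3cr3t "C:\data\clients.dbf".rAr "C:\data\clients.dbf"',
]

def flag_events(events):  # return the CommandLine value of every event that matches the pattern
    return [m.group(1) for m in (re.search(r"CommandLine=(.*)$", e) for e in events)
            if m and matches_filecoder_aq(m.group(1))]
```

A legitimate backup job (second event) is not flagged because it lacks the password and wipe switches and does not name the archive after a single targeted file.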
Other information
The trojan may display a fake error message: