Win32/Filecoder (threat name)
Win32/Filecoder.AA (threat variant name)
Available cleaner: Filecoder.AA Cleaner
Category | trojan
Size | 973512 B
Aliases | Trojan-Dropper.Win32.Delf.jxc (Kaspersky), Trojan:Win32/Comame (Microsoft), Trojan.ADH (Symantec)
Short description
Win32/Filecoder.AA is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password or decryption instructions.
Installation
When executed, the trojan creates the following files:
- %startup%\ФАЙЛЫ.txt (57 B)
- %appdata%\Obsidium\{0ECB7C82-6C708AEA-68A1344C-7B4EF891} (72 B)
- %temp%\$inst\2.tmp (36 B)
- %programfiles%\Asobe Systems.inc\Adobe Flash Video\msg.vbs (93 B)
- %programfiles%\Asobe Systems.inc\Adobe Flash Video\stata.bat (54 B)
- %programfiles%\Asobe Systems.inc\Adobe Flash Video\svchost.exe (776192 B)
- C:\nnn.jpg (156286 B)
The trojan may create the following files:
- %programfiles%\Asobe Systems.inc\Adobe Flash Video\vvv.bat
The trojan can create copies of itself as an ADS (Alternate Data Stream) of the following file:
- %programfiles%\Asobe Systems.inc\Adobe Flash Video\svchost.exe
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Video 3]
- "DisplayName" = "Adobe Flash Video 3"
- "DisplayVersion" = "3"
- "VersionMajor" = 3
- "Publisher" = "Asobe Systems.inc"
- "DisplayIcon" = "%programfiles%\Asobe Systems.inc\Adobe Flash Video\Uninstall.exe"
- "UninstallString" = "%programfiles%\Asobe Systems.inc\Adobe Flash Video\Uninstall.exe"
- "InstallLocation" = "%programfiles%\Asobe Systems.inc\Adobe Flash Video\"
- "InstallSource" = ""
- "InstallDate" = "%installationdate%"
- "Language" = 1049
- "EstimatedSize" = 758
- "NoModify" = 1
- "NoRepair" = 1
- [HKEY_CURRENT_USER\Software\Obsidium]
- "(Default)" = "87E7BDE3"
- [HKEY_CURRENT_USER\Software\Obsidium\{0ECB7C82-6C708AEA-68A1344C-7B4EF891}]
- "Settings" = %binarydata%
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB7C82-04B8-344C-68A1-A77C48BDA77C}]
- "(Default)" = "%variable1%"
- "AppID" = "{6E82CB0D-9EAC-1A65-3878-3AB571543AB5}"
- "InprocServer32" = "%system%\%variable2%"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB7C82-04B8-344C-68A1-A77C48BDA77C}\InprocServer32]
- "ThreadingModel" = "Apartment"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB7C82-04B8-344C-68A1-A77C48BDA77C}\ProgID]
- "(Default)" = "%variable3%"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB7C82-04B8-344C-68A1-A77C48BDA77C}\TypeLib]
- "(Default)" = "%variable4%"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB7C82-04B8-344C-68A1-A77C48BDA77C}\VersionIndependentProgID]
- "(Default)" = "%variable5%"
- [HKEY_LOCAL_MACHINE\Software]
- "web" = "1"
- [HKEY_CURRENT_USER\Control Panel\Desktop]
- "Wallpaper" = "c:\nnn.jpg"
- "TileWallpaper" = "0"
A string with variable content is used instead of %variable1-5%.
The trojan displays a dialog box and a picture (images not reproduced in this copy).
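A host check for the installation artifacts listed above, added here as an example (it is not part of the original entry and not an ESET tool). It reads only; it assumes a standard folder layout, checks both Program Files roots because %programfiles% may resolve to either on 64-bit Windows, and treats the Obsidium key as weak evidence on its own since Obsidium is a commercial packer used by legitimate software.

```powershell
# Read-only check for Win32/Filecoder.AA artifacts described on this page (added example).
$findings = New-Object System.Collections.Generic.List[string]
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$bases = $roots | ForEach-Object { Join-Path $_ 'Asobe Systems.inc\Adobe Flash Video' }

# 1. Dropped files; %startup% and %appdata% are expanded for the current user.
$startup = [Environment]::GetFolderPath('Startup')
$files = @(
    (Join-Path $startup 'ФАЙЛЫ.txt'),
    (Join-Path $env:APPDATA 'Obsidium\{0ECB7C82-6C708AEA-68A1344C-7B4EF891}'),
    'C:\nnn.jpg'
)
foreach ($b in $bases) {
    foreach ($n in 'msg.vbs', 'stata.bat', 'svchost.exe', 'vvv.bat') { $files += (Join-Path $b $n) }
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
}

# 2. Alternate data streams on the dropped svchost.exe (the trojan copies itself there).
foreach ($b in $bases) {
    $svc = Join-Path $b 'svchost.exe'
    if (Test-Path -LiteralPath $svc) {
        Get-Item -LiteralPath $svc -Stream * | Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object { $findings.Add("ADS on ${svc}: $($_.Stream) ($($_.Length) B)") }
    }
}

# 3. Fake uninstall entry, Obsidium key, CLSID and the wallpaper swap.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Video 3'
if (Test-Path -LiteralPath $uninst) {
    $pub = (Get-ItemProperty -LiteralPath $uninst).Publisher
    $findings.Add("uninstall key present, Publisher='$pub'")
}
$obs = Get-ItemProperty -LiteralPath 'HKCU:\Software\Obsidium' -ErrorAction SilentlyContinue
if ($obs -and $obs.'(default)' -eq '87E7BDE3') { $findings.Add('HKCU\Software\Obsidium default value matches') }
$clsid = 'HKLM:\SOFTWARE\Classes\CLSID\{4FCB7C82-04B8-344C-68A1-A77C48BDA77C}'
if (Test-Path -LiteralPath $clsid) { $findings.Add("CLSID key present: $clsid") }
$wp = (Get-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).Wallpaper
if ($wp -and $wp -ieq 'c:\nnn.jpg') { $findings.Add("wallpaper set to $wp") }

if ($findings.Count -eq 0) { 'No Win32/Filecoder.AA artifacts found.' }
else { 'Possible Win32/Filecoder.AA artifacts:'; $findings | ForEach-Object { " - $_" } }
```

Save the script as UTF-8 with a byte-order mark so Windows PowerShell reads the Cyrillic file name correctly; run it elevated if the HKLM keys are to be read on a locked-down host.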
Payload information
Win32/Filecoder.AA is a trojan that encrypts files on local drives.
If the current system date satisfies a condition checked by the trojan, files with the following extensions are encrypted:
- .doc
- .docx
- .jpg
- .jpeg
- .mp4
- .pot
- .pps
- .pptx
- .rtf
- .xls
- .xlsx
To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password or decryption instructions.
Other information
The trojan may delete the following files:
- %programfiles%\Asobe Systems.inc\Adobe Flash Video\svchost.exe
The trojan opens the following URL in Internet Explorer:
- http://moops.sooot.cn