Win32/Filecoder [Threat Name]
Win32/Filecoder.BQ [Threat Variant Name]
Category | trojan
Size | 719360 B
Aliases | Trojan-Ransom.Win32.Blocker.cggx (Kaspersky); Trojan:Win32/Crilock.A (Microsoft); Trojan.Gpcoder.G (Symantec); TROJ_CRILOCK.AA (TrendMicro); CryptoLocker
Short description
Win32/Filecoder.BQ is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to send information or a certain amount of money via one of the MoneyPak, Ukash, cashU or Bitcoin payment services.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\{%clsid%}.exe
The file is then executed.
A string with variable content is used in place of %clsid%.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "CryptoLocker" = "%appdata%\{%clsid%}.exe"
The trojan displays a dialog box (the ransom message); the screenshot examples shown on the original page are not reproduced here.
After the installation is complete, the trojan deletes the original executable file.
Payload information
Win32/Filecoder.BQ is a trojan that encrypts files on local drives.
The trojan searches for files with the following file extensions:
- *.odt
- *.ods
- *.odp
- *.odm
- *.odc
- *.odb
- *.doc
- *.docx
- *.docm
- *.wps
- *.xls
- *.xlsx
- *.xlsm
- *.xlsb
- *.xlk
- *.ppt
- *.pptx
- *.pptm
- *.mdb
- *.accdb
- *.pst
- *.dwg
- *.dxf
- *.dxg
- *.wpd
- *.rtf
- *.wb2
- *.mdf
- *.dbf
- *.psd
- *.pdd
- *.eps
- *.ai
- *.indd
- *.cdr
- ????????.jpg
- ????????.jpe
- img_*.jpg
- *.dng
- *.3fr
- *.arw
- *.srf
- *.sr2
- *.bay
- *.crw
- *.cr2
- *.dcr
- *.kdc
- *.erf
- *.mef
- *.mrw
- *.nef
- *.nrw
- *.orf
- *.raf
- *.raw
- *.rwl
- *.rw2
- *.r3d
- *.ptx
- *.pef
- *.srw
- *.x3f
- *.der
- *.cer
- *.crt
- *.pem
- *.pfx
- *.p12
- *.p7b
- *.p7c
The trojan encrypts the file content.
The AES and RSA encryption algorithms are used.
The password is stored on the attacker's server.
To decrypt the files, the user is asked to send information or a certain amount of money via one of the MoneyPak, Ukash, cashU or Bitcoin payment services.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 2 URLs and also generates various URL addresses. The HTTP protocol is used.
The trojan keeps various information in the following Registry keys:
- [HKEY_CURRENT_USER\Software\CryptoLocker\VersionInfo]
- [HKEY_CURRENT_USER\Software\CryptoLocker\PublicKey]
- [HKEY_CURRENT_USER\Software\CryptoLocker\PrivateKey]
- [HKEY_CURRENT_USER\Software\CryptoLocker\Files]
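As an added, defender-side example that is not part of the ESET entry, the PowerShell hunt below checks a single host for the artifacts this page lists: the "CryptoLocker" Run value, the %appdata%\{%clsid%}.exe copy, and the HKEY_CURRENT_USER\Software\CryptoLocker state keys from the Installation and Other information sections. It assumes that the {%clsid%} name is a GUID in braces, as the CLSID naming implies; the function name, the findings format and the GUID pattern are my own.

```powershell
# Added example, not code from the ESET page. Hunts for the Win32/Filecoder.BQ
# (CryptoLocker) host artifacts described in the entry and returns one object per hit.
function Find-FilecoderBQArtifacts {
    $findings = @()

    # 1. Persistence: HKCU\...\Run value "CryptoLocker" = "%appdata%\{%clsid%}.exe"
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        # Assumption: %clsid% is a brace-enclosed GUID; the value may hold either the
        # literal "%appdata%" token or the already-expanded profile path.
        $guidExe = '\\\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe"?\s*$'
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip provider metadata properties
            $value = [string]$p.Value
            if ($p.Name -eq 'CryptoLocker' -or $value -match $guidExe) {
                $findings += [pscustomobject]@{
                    Artifact = 'Run value'
                    Detail   = "$($p.Name) = $value"
                }
            }
        }
    }

    # 2. Dropped copy: %APPDATA%\{<guid>}.exe (the original executable is deleted, so
    #    only this copy remains on disk after installation completes).
    Get-ChildItem -Path $env:APPDATA -Filter '{*}.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$' } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Artifact = 'Dropped file'
                Detail   = "$($_.FullName) ($($_.Length) B, written $($_.LastWriteTime))"
            }
        }

    # 3. State keys the trojan writes under HKCU\Software\CryptoLocker. The Files key is
    #    the most useful for triage, so report how many values it holds.
    $stateKeys = @(
        'HKCU:\Software\CryptoLocker\VersionInfo',
        'HKCU:\Software\CryptoLocker\PublicKey',
        'HKCU:\Software\CryptoLocker\PrivateKey',
        'HKCU:\Software\CryptoLocker\Files'
    )
    foreach ($k in $stateKeys) {
        if (Test-Path -Path $k) {
            $count = (Get-Item -Path $k).ValueCount
            $findings += [pscustomobject]@{
                Artifact = 'Registry key'
                Detail   = "$k present ($count values)"
            }
        }
    }

    return $findings
}

# Usage: run in the context of the user profile under investigation (the keys are per-user).
$hits = Find-FilecoderBQArtifacts
if ($hits.Count -eq 0) {
    Write-Output 'No Win32/Filecoder.BQ artifacts found in this user profile.'
} else {
    $hits | Format-Table -AutoSize
    # Preserve the state keys before any cleanup; the Files key records the trojan's own state.
    foreach ($k in 'VersionInfo', 'PublicKey', 'PrivateKey', 'Files') {
        if (Test-Path "HKCU:\Software\CryptoLocker\$k") {
            reg.exe export "HKCU\Software\CryptoLocker\$k" "$env:TEMP\CryptoLocker_$k.reg" /y | Out-Null
        }
    }
}
```

Because all of the listed keys live under HKEY_CURRENT_USER, the script only sees the profile it runs as; on a shared machine, load and check each user's NTUSER.DAT hive (or run the function under each account) before concluding a host is clean. Exporting the keys before removal keeps the VersionInfo and Files state available for the incident record, since the trojan stores no decryption password locally.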