Win32/Filecoder.Coverton [Threat Name]

Win32/Filecoder.Coverton.A [Threat Variant Name]

Category trojan
Size 36864 B
Aliases Trojan.Ransomcrypt.AF (Symantec)
Short description

Win32/Filecoder.Coverton.A is a trojan that encrypts files on fixed, removable and network drives.

Installation

When executed, the trojan copies itself to the following locations:

  • %system%\crrss.exe
  • %userprofile%\%malwarefilename%

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "crrss" = "%system%\crrss.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%malwarefilename%" = "%userprofile%\%malwarefilename%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%system%\userinit, %system%\crrss.exe"

The trojan creates a scheduled task (the Schtasks command listed under Other information) that runs the following file every minute:

  • %userprofile%\­%malwarefilename%

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\CharMap]
    • "Guid" = "17ef6ea43b8c4f8312ff0c"
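
The following host-triage script is an added example for this entry, not ESET's or the malware's code. It checks a Windows host for every persistence artifact listed above: the dropped crrss.exe (checked in both the native system directory and SysWOW64, since a 32-bit sample's %system% is redirected on 64-bit Windows), the two Run values, the Winlogon Userinit appendage, the scheduled task and the CharMap Guid marker. Because %malwarefilename% is not known in advance, the HKCU Run values and task actions are matched on the documented shape, an executable sitting directly in the profile root; that shape, and the assumption that /SC MINUTE /MO 1 produces a PT1M repetition interval, are marked as assumptions in the code. Run it elevated on Windows 8 / Server 2012 or later (Get-ScheduledTask needs the ScheduledTasks module).

```powershell
# Added triage script for Win32/Filecoder.Coverton.A persistence artifacts.
# Not ESET's or the malware's code. Run in an elevated PowerShell prompt.
$userProfile = $env:USERPROFILE                         # %userprofile%
$findings    = New-Object System.Collections.Generic.List[string]
$psNoise     = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# Regex for "an executable directly under %userprofile%", optional quotes and
# trailing arguments tolerated. Assumption: the copy has no subfolder, as documented.
$rootExe = '^"?' + [regex]::Escape($userProfile) + '\\[^\\"]+"?(\s.*)?$'

# 1. Dropped copy: native system32 and the WOW64 view a 32-bit sample would see
foreach ($dir in @([Environment]::GetFolderPath('System'), (Join-Path $env:WINDIR 'SysWOW64'))) {
    $crrss = Join-Path $dir 'crrss.exe'
    if (Test-Path -LiteralPath $crrss) { $findings.Add("file present: $crrss") }
}

# 2. HKLM Run value "crrss"
$hklmRun = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$v = (Get-ItemProperty -Path $hklmRun -ErrorAction SilentlyContinue).crrss
if ($v) { $findings.Add("HKLM Run crrss = $v") }

# 3. HKCU Run values that launch something straight from the profile root
$hkcuRun = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$props = Get-ItemProperty -Path $hkcuRun -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }    # skip provider metadata
        if ([string]$p.Value -match $rootExe) {
            $findings.Add("HKCU Run $($p.Name) = $($p.Value)")
        }
    }
}

# 4. Winlogon Userinit: the clean value is a single userinit.exe entry
#    (with a trailing comma). Any extra comma-separated entry is suspicious;
#    crrss.exe is the documented appendage.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = [string](Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Userinit
$entries  = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
if ($entries.Count -gt 1 -or $userinit -match 'crrss\.exe') {
    $findings.Add("Winlogon Userinit = $userinit")
}

# 5. Scheduled task: the documented name, plus any task that repeats every
#    minute and runs a file from the profile root.
#    Assumption: schtasks /SC MINUTE /MO 1 yields a repetition interval of PT1M.
$known = Get-ScheduledTask -TaskPath '\Games\-ans\' -TaskName 'xF0' -ErrorAction SilentlyContinue
if ($known) { $findings.Add('scheduled task present: \Games\-ans\xF0') }
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $everyMinute = $t.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT1M' }
    $fromProfile = $t.Actions  | Where-Object { [string]$_.Execute -match $rootExe }
    if ($everyMinute -and $fromProfile) {
        $findings.Add("minute-repeat task $($t.TaskPath)$($t.TaskName) -> $($fromProfile[0].Execute)")
    }
}

# 6. Infection marker under HKCU\Software\Microsoft\CharMap
$guid = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\CharMap' -ErrorAction SilentlyContinue).Guid
if ($guid) {
    $tag = if ($guid -eq '17ef6ea43b8c4f8312ff0c') { 'documented value' } else { 'other value' }
    $findings.Add("CharMap Guid = $guid ($tag)")
}

if ($findings.Count) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else                 { Write-Output 'No Coverton.A persistence artifacts found.' }
```

The Userinit check deliberately flags any second entry, not only crrss.exe, because appending to Userinit is a generic persistence technique and the value is rarely modified legitimately; review anything it reports before removing it, since a broken Userinit value prevents interactive logon.
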

Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • operating system version
  • list of disk devices and their type
  • language settings
  • list of running processes

The trojan attempts to send gathered information to a remote machine.

Payload information

Win32/Filecoder.Coverton.A is a trojan that encrypts files on fixed, removable and network drives.

The action performed depends entirely on data the trojan receives from the Internet.

The extension of the encrypted files is changed to:

  • .Coverton

It skips files whose path contains any of the following strings:

  • temp
  • windows
  • Program
  • Microsoft
  • RECYCLE
  • cache
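
The following impact-scoping helper is an added example, not part of the ESET write-up. It enumerates files that now carry the .Coverton extension on every file-system drive visible to the session (fixed, removable and mapped network drives) and summarises them per drive, and it reproduces the documented path-exclusion list so an analyst can tell which locations the trojan would have skipped (for example, why copies under a Windows or Program Files directory survived). The write-up does not say whether the substring match is case-sensitive; the code assumes a case-insensitive match on the full path and marks that assumption.

```powershell
# Added scoping helper for a Coverton.A incident (not ESET's or the malware's code).
# Assumption: the exclusion check is a case-insensitive substring test on the
# full path (-like is case-insensitive; swap in -clike for a case-sensitive test).
$skipStrings = 'temp', 'windows', 'Program', 'Microsoft', 'RECYCLE', 'cache'

function Test-CovertonSkipped {
    # Returns the first documented exclusion string found in $Path, or $null
    param([Parameter(Mandatory)][string]$Path)
    foreach ($s in $skipStrings) {
        if ($Path -like "*$s*") { return $s }
    }
    return $null
}

function Get-CovertonEncryptedFiles {
    # -Force includes hidden files; access-denied and offline-share errors are suppressed
    Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.Root -and (Test-Path -LiteralPath $_.Root) } |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_.Root -Filter '*.Coverton' -Recurse -File -Force -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Extension -eq '.Coverton' }   # guard against 8.3 short-name matches
}

$encrypted = Get-CovertonEncryptedFiles

# Per-drive summary of what was encrypted
$encrypted | Group-Object { $_.PSDrive.Name } |
    Select-Object @{ n = 'Drive'; e = { $_.Name } }, Count,
                  @{ n = 'Bytes'; e = { ($_.Group | Measure-Object Length -Sum).Sum } } |
    Format-Table -AutoSize

# Sanity check: an encrypted file under an excluded path contradicts the documented
# behaviour (different variant, or the real check is case-sensitive) and deserves a look.
$encrypted | Where-Object { Test-CovertonSkipped $_.FullName } |
    Select-Object FullName, @{ n = 'ExclusionHit'; e = { Test-CovertonSkipped $_.FullName } }
```

Run this from the infected user's session so that mapped network drives are visible; shares reachable only by UNC path are not enumerated and need to be added by hand.
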

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL; the communication uses HTTP.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • uninstall itself
  • encrypt selected files

It may play the following text in a spoken voice:

  • Attention! Attention! Attention!
  • Your documents, photos, databases and other important files have been encrypted!

The trojan uses Microsoft Speech (text-to-speech) technology.

The trojan executes the following commands:

  • vssadmin.exe /delete shadows /all /quiet
  • Schtasks /Create /f /TN "\Games\-ans\xF0" /TR "%userprofile%\%malwarefilename%" /SC MINUTE /MO 1
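
The detection logic below is an added example, not from the ESET write-up. Test-CovertonCommandLine tags a process-creation command line that matches either documented command: shadow-copy deletion via vssadmin, and a schtasks /Create with a one-minute repetition, the documented task name, or a /TR target in the profile root. Two caveats a practitioner should know: vssadmin's actual syntax is "delete shadows" without a leading slash (the write-up records "/delete"), so both spellings are matched; and the profile-root test assumes profiles live under X:\Users, which is marked as an assumption in the code. The sample command lines are constructed for the demonstration; the final block reads real command lines from Sysmon event ID 1 (Security event 4688 with command-line auditing works the same way with its own field name).

```powershell
# Added detection logic for the documented Coverton.A command lines
# (not ESET's or the malware's code).
function Test-CovertonCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $hits = @()

    # vssadmin shadow deletion; the write-up shows "/delete", the real syntax is "delete"
    if ($CommandLine -match '\bvssadmin(\.exe)?\b.*\s/?delete\s+shadows\b') {
        $hits += 'shadow-copy deletion'
    }

    if ($CommandLine -match '\bschtasks(\.exe)?\b.*\s/create\b') {
        if ($CommandLine -match '/sc\s+minute\b' -and $CommandLine -match '/mo\s+1\b') {
            $hits += 'task repeating every minute'
        }
        if ($CommandLine -match '/tn\s+"?\\Games\\-ans\\xF0\b') {
            $hits += 'documented Coverton task name'
        }
        # Assumption: a /TR target directly under X:\Users\<name>\ is the
        # documented %userprofile%\%malwarefilename% pattern.
        if ($CommandLine -match '/tr\s+"?[A-Za-z]:\\Users\\[^\\"]+\\[^\\"\s]+"?(\s|$)') {
            $hits += 'task runs a file from the profile root'
        }
    }
    return $hits
}

# Constructed sample command lines (not captured from a real incident)
$samples = @(
    'vssadmin.exe /delete shadows /all /quiet',
    'vssadmin.exe delete shadows /all /quiet',
    'Schtasks /Create /f /TN "\Games\-ans\xF0" /TR "C:\Users\alice\invoice.exe" /SC MINUTE /MO 1',
    'schtasks /Create /TN "Backup" /TR "C:\Program Files\Backup\run.exe" /SC DAILY',
    'vssadmin list shadows'
)
foreach ($cmd in $samples) {
    $hits  = Test-CovertonCommandLine $cmd
    $label = if ($hits) { $hits -join '; ' } else { 'clean' }
    '[{0}] {1}' -f $label, $cmd
}

# Live use: scan Sysmon process-creation events (requires Sysmon and admin rights)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $cl   = ($data | Where-Object Name -eq 'CommandLine').'#text'
        $hits = if ($cl) { Test-CovertonCommandLine $cl } else { @() }
        if ($hits) {
            [pscustomobject]@{ Time = $_.TimeCreated; Hits = ($hits -join '; '); CommandLine = $cl }
        }
    }
```

The first three samples are tagged and the last two come back clean. The shadow-deletion rule fires on any ransomware that clears Volume Shadow Copies, not only this family, so it belongs in a general detection set; the task-name and profile-root rules are the family-specific part.
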
