Win32/Filecoder.RSAUtil [Threat Name]

Win32/Filecoder.RSAUtil.A [Threat Variant Name]

Category trojan
Size 455680 B
Detection created May 09, 2017
Detection database version 15386
Aliases Trojan:Win32/Vagger!rfn (Microsoft)
  Ransom_DONTSLIP.A (TrendMicro)
Short description

Win32/Filecoder.RSAUtil.A is a trojan that encrypts files on fixed and network drives. To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password or instructions.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "SystemCrp" = "%malwarefilepath%"

The trojan creates the following files:

  • %desktop%\DECODE_ALL_FILES.bat
  • %malwarefolder%\How_return_files.txt (676 B)

Payload information

Win32/Filecoder.RSAUtil.A is a trojan that encrypts files on fixed and network drives.


It avoids files which contain any of the following strings in their path:

  • tmp
  • winnt
  • Application Data
  • AppData
  • Program Files (x86)
  • Program Files
  • temp
  • thumbs.db
  • $Recycle.Bin
  • System Volume Information
  • Boot
  • bootmgr
  • Windows
  • How_return_files.txt
  • DECODE_ALL_FILES.bat

The AES and RSA encryption algorithms are used.


The extension of the encrypted files is changed to:

  • %originalfilename%.%variable1%.ID%variable2%

A string with variable content is used in place of %variable1% and %variable2%.


To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password or instructions.


When searching the drives, the trojan creates the following file in every folder visited:

  • How_return_files.txt

It contains the following text:

  • OUR FILES ARE DECRIPTED
  • Your documents,photos,database,save games and other important data was encrypted.
  • Data recovery the necessary interpreter.To get the interpreter,should send an email to helppme@india.com  or   hepl1112@aol.com.
  • In a letter to include Your personal ID(see the beginning of this document).
  • In response to the letter You will receive the address of your Bitcoin wallet to which you want to perform the transfer.
  • When money transfer is confirmed,You will receive the decrypter file for Your computer.
  • After starting the programm-interpreter,all Your files will be restored.
  • Attention! Do not attempt to remove a program or run the anti-virus tools.
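
As an added triage example (not taken from the ESET entry or from the sample itself), the following Python script checks a file listing and a dump of the HKCU Run key against the indicators listed above: the SystemCrp autorun value, the two dropped file names, the path-exclusion strings, and the encrypted-name pattern. The sample paths, the "crypted" extension and the ID value A1B2C3 are constructed; the entry does not say whether the exclusion check is case-sensitive, so a literal substring match is assumed.

```python
import re
# Indicators from the ESET entry for Win32/Filecoder.RSAUtil.A
RUN_VALUE_NAME = "SystemCrp"          # value under HKCU\...\CurrentVersion\Run
RANSOM_NOTE = "How_return_files.txt"  # dropped in every visited folder
DECODE_BAT = "DECODE_ALL_FILES.bat"   # dropped on the desktop
SKIPPED_SUBSTRINGS = [
    "tmp", "winnt", "Application Data", "AppData", "Program Files (x86)",
    "Program Files", "temp", "thumbs.db", "$Recycle.Bin",
    "System Volume Information", "Boot", "bootmgr", "Windows",
    RANSOM_NOTE, DECODE_BAT]
# Encrypted names follow %originalfilename%.%variable1%.ID%variable2% (heuristic only)
ENCRYPTED_RE = re.compile(r"^.+\.[^.\\/]+\.ID(?P<var2>[^.\\/]+)$")

def is_skipped(path):
    # Assumes a case-sensitive substring test; the entry does not say.
    return any(s in path for s in SKIPPED_SUBSTRINGS)

def classify_path(path):
    # Returns (kind, victim ID or None) for one path.
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name == RANSOM_NOTE:
        return "ransom_note", None
    if name == DECODE_BAT:
        return "decode_bat", None
    m = ENCRYPTED_RE.match(name)
    if m:
        return "encrypted", m.group("var2")
    return "other", None

def triage(paths, run_values):
    counts = dict.fromkeys(("encrypted", "ransom_note", "decode_bat", "skipped", "unrenamed"), 0)
    ids = set()
    for p in paths:
        kind, victim_id = classify_path(p)
        if kind == "other":  # in scope but not renamed: worth checking by hand
            kind = "skipped" if is_skipped(p) else "unrenamed"
        counts[kind] += 1
        ids.add(victim_id)
    counts["ids"] = sorted(ids - {None})
    counts["persistence"] = run_values.get(RUN_VALUE_NAME)  # binary path or None
    return counts

# Constructed sample data; "crypted" and "A1B2C3" stand in for %variable1% and %variable2%.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.crypted.IDA1B2C3",
    r"C:\Users\alice\Documents\How_return_files.txt",
    r"C:\Users\alice\Desktop\DECODE_ALL_FILES.bat",
    r"C:\Users\alice\AppData\Local\cache.dat",
    r"C:\Users\alice\Pictures\notes.txt"]
SAMPLE_RUN_VALUES = {"SystemCrp": r"C:\Users\alice\Downloads\invoice.exe"}
```
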
Other information

The trojan creates the following file:

  • %malwarefolder%\image.jpg (36,485 B)

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "Wallpaper" = "%malwarefolder%\image.jpg"
    • "TileWallpaper" = 0

This image is set as the desktop wallpaper. It contains the following text:

The trojan may display the following dialog windows:
