MSIL/Filecoder [Threat Name]

MSIL/Filecoder.E [Threat Variant Name]

Category: trojan
Size: 985600 B
Detection created: Nov 12, 2013
Signature database version: 9082
Aliases: Trojan.Win32.Agent.actkj (Kaspersky)
Short description

MSIL/Filecoder.E is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\msunet.exe (985600 B)

The file is then executed.


The trojan may create the following files:

  • %appdata%\Microsoft\feed.msft
  • %appdata%\Microsoft\fl.msft
  • %appdata%\Microsoft\flf.msft
  • %appdata%\Microsoft\hsts.msft
  • %appdata%\Microsoft\pk.msft
  • %appdata%\Microsoft\prk.msft
  • %appdata%\Microsoft\st.msft
  • %appdata%\Microsoft\tmp_%variable%.msft

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "MSUpdate" = "%system%\msunet.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Once]
    • "*MSUpdate" = "%system%\msunet.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "MSUpdate" = "%system%\msunet.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Once]
    • "*MSUpdate" = "%system%\msunet.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%system%\userinit.exe, %system%\msunet.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%system%\userinit.exe, %system%\msunet.exe"

The trojan displays a dialog box and may display further dialog windows (screenshots not reproduced here).

Payload information

MSIL/Filecoder.E is a trojan that encrypts files on local drives.


The trojan searches for files with the following file extensions:

  • .3fr
  • .accdb
  • .ai
  • .arw
  • .avi
  • .b2
  • .bay
  • .cdr
  • .cer
  • .cr2
  • .crt
  • .crw
  • .dbf
  • .dcr
  • .der
  • .dng
  • .doc
  • .docm
  • .docx
  • .dwg
  • .dxf
  • .dxg
  • .eps
  • .erf
  • .flac
  • .indd
  • .jpe
  • .jpg
  • .kdc
  • .mdb
  • .mdf
  • .mef
  • .mp3
  • .mp4
  • .mpg
  • .mrw
  • .nef
  • .nrw
  • .odb
  • .odm
  • .odp
  • .ods
  • .odt
  • .orf
  • .p12
  • .p7b
  • .p7c
  • .pdd
  • .pef
  • .pem
  • .pfx
  • .png
  • .ppt
  • .pptm
  • .pptx
  • .psd
  • .pst
  • .ptx
  • .r3d
  • .raf
  • .raw
  • .rtf
  • .rwl
  • .srf
  • .srw
  • .txt
  • .w
  • .wpd
  • .wps
  • .xlk
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx

The trojan encrypts the file content.


The 3DES and RSA encryption algorithms are used.


The password is stored on the attacker's server.


To decrypt the files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.

Spreading on removable media

MSIL/Filecoder.E is a trojan that spreads via removable media.


The trojan searches removable drives for files with the following file extensions:

  • .exe

The trojan may replace these files with a copy of itself.
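The following host triage script is an added example for this description; it is not ESET's code and not part of the threat record. It checks a Windows host for the artifacts listed under Installation (the dropped msunet.exe, the .msft working files, the Run/Once autorun values and the Userinit modification) and, for the spreading behaviour described in this section, looks on removable drives for .exe files that have the dropped copy's size. Assumptions: it is run in an elevated PowerShell session; %system% and %appdata% are resolved with [Environment]::GetFolderPath; the page's "CurrentVersion\Once" key is taken to mean the standard RunOnce key, so both spellings are checked; and the 985600 B size match on removable drives is a heuristic, not a signature.

```powershell
# Added host-triage example (not ESET's code). Checks a Windows host for the
# MSIL/Filecoder.E indicators listed on this page. Run in an elevated session.
# Assumed mapping: %system% -> GetFolderPath('System'),
#                  %appdata% -> GetFolderPath('ApplicationData').

$System   = [Environment]::GetFolderPath('System')
$AppData  = [Environment]::GetFolderPath('ApplicationData')
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copy of the trojan (the page lists a size of 985600 B).
$exe = Join-Path $System 'msunet.exe'
if (Test-Path -LiteralPath $exe) {
    $findings.Add("Dropped file: $exe ($((Get-Item -LiteralPath $exe).Length) B)")
}

# 2. Working files under %appdata%\Microsoft; tmp_%variable%.msft is matched by wildcard.
$workDir = Join-Path $AppData 'Microsoft'
foreach ($name in 'feed.msft','fl.msft','flf.msft','hsts.msft','pk.msft','prk.msft','st.msft') {
    $p = Join-Path $workDir $name
    if (Test-Path -LiteralPath $p) { $findings.Add("Working file: $p") }
}
Get-ChildItem -Path $workDir -Filter 'tmp_*.msft' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Working file: $($_.FullName)") }

# 3. Autorun values named MSUpdate / *MSUpdate. The page lists "CurrentVersion\Once";
#    assumed to mean the standard RunOnce key, so both spellings are checked.
$autorunKeys = foreach ($hive in 'HKLM:','HKCU:') {
    foreach ($sub in 'Run','RunOnce','Once') {
        "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
    }
}
foreach ($key in $autorunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($valueName in 'MSUpdate','*MSUpdate') {
        $prop = $props.PSObject.Properties[$valueName]
        if ($prop) { $findings.Add("Autorun value: $key\$valueName = $($prop.Value)") }
    }
}

# 4. Winlogon Userinit should reference only userinit.exe; any appended entry is tampering.
foreach ($hive in 'HKLM:','HKCU:') {
    $key = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $userinit = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if (-not $userinit) { continue }
    $extra = $userinit -split ',' | ForEach-Object { $_.Trim() } |
             Where-Object { $_ -and $_ -notmatch 'userinit\.exe$' }
    if ($extra) { $findings.Add("Userinit tampered: $key\Userinit = $userinit") }
}

# 5. Spread via removable media: .exe files whose size equals the dropped copy (heuristic).
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    Get-ChildItem -Path "$($_.DeviceID)\" -Filter '*.exe' -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq 985600 } |
        ForEach-Object { $findings.Add("Possible replaced executable on removable drive: $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No MSIL/Filecoder.E indicators found.' } else { $findings }
```

The Userinit check is the one worth keeping even outside this family: the value normally ends with userinit.exe and nothing else, so any additional comma-separated entry is a persistence indicator regardless of the file name used. The size match in step 5 will also flag unrelated executables of exactly 985600 bytes, so treat those hits as candidates to hash and compare against an AV verdict rather than as confirmed infections.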

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 2 URLs. The HTTP protocol is used.


It may perform the following actions:

  • update itself to a newer version
  • run executable files
  • download files from a remote computer and/or the Internet
  • perform DoS/DDoS attacks
  • set up a proxy server
  • display a dialog window

The trojan executes the following files:

  • bfgminer.exe (BFGMiner)

The trojan may steal wallet files of the following digital currencies:

  • Bitcoin
