Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Short description
Win32/Filecoder.E is a trojan that encrypts files on local drives. To decrypt files the user is requested to send an SMS message to a specified telephone number in exchange for a password/help.
Installation
When executed, the trojan copies itself into the following location:
  • %system%FYKRAGNL.exe
The trojan creates the following files:
  • %system%IIWIPEZIPMPPPJXI
  • %drive%HOW TO DECRYPT FILES.txt
  • %drive%КАК РАСШИФРОВАТЬ ФАЙЛЫ
The following Registry entries are created:
  • [HKEY_CLASSES_ROOT.crypted]
    "(Default)" = "LQWGAQGIVE"
  • [HKEY_CLASSES_ROOTLQWGAQGIVE]
    "(Default)" = "CRYPTED!"
Payload information
Win32/Filecoder.E is a trojan that encrypts files on local drives.

The trojan searches local drives for files with the following file extensions:
  • .3gp
  • .amr
  • .avi
  • .bmp
  • .doc
When the trojan finds a file matching the search criteria, it creates its duplicate.

The file name and extension of the newly created file is derived from the original one. An additional ".crypted" extension is appended.

The trojan encrypts the file content.

The trojan then deletes the original files.
Other information
The trojan displays the following message:
The trojan displays the following dialog box:
The encrypted files can be returned to their original state using the following password:
  • PozdRAvLyAeM
When the correct password is entered the trojan removes itself from the computer.