Threat Database Trojans Trojan.Encoder.6491


By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 2
First Seen: October 13, 2016
Last Seen: January 21, 2022
OS(es) Affected: Windows

The boring name of Trojan.Encoder.6491 hides an interesting story. The Trojan.Encoder.6491 is the first encryption Trojan that is written in Google's Go programming language (a.k.a. golang), which was revealed to the public back in 2009. The Trojan.Encoder.6491 was detected in October 2016 and is reported to masquerade as a security update for the Microsoft Windows systems. The payload of the Trojan.Encoder.6491 is known to use the name 'Windows_Security.exe.' The Trojan.Encoder.6491 ransomware may be delivered to users as spam emails that feature the logo of Microsoft. These messages may resemble the design of, which is the official support page for Windows users. That way the fake 'Windows_Security.exe' update might look legitimate to some computer users.

The Trojan.Encoder.6491 Utilizes Multi-Threading and Takes Advantage of Multi-Core Processors

Malware analysts report that the Trojan.Encoder.6491 ransomware scans the infected PC for 140 types of data containers and can lock files on connected drives. Needless to say, family photos, documents for your work, and databases are more than likely to be encrypted by the Trojan.Encoder.6491. The Trojan.Encoder.6491 ransomware is likely to disrupt the operation of server networks and specialized software for a prolonged period. The coders of the Trojan.Encoder.6491 ransomware designed it to avoid encryption of objects in the following directories:

  • AppData
  • Boot
  • Program Files
  • Program Files (x86)
  • ProgramData
  • Recycle.Bin
  • System Volume Information
  • Windows
  • temp
  • winnt

The Trojan.Encoder.6491 will not Modify the Content of System Folders

The Trojan.Encoder.6491 is similar to the KillerLocker and the Kostya Ransomware. Experts note that the Trojan.Encoder.6491 will not encode data in folders that support the OS and allow users to deliver payment from the infected machine. Files that are modified by Trojan.Encoder.6491 can be recognized easily. The Trojan.Encoder.6491 ransomware uses the base64 encoding to change file names and appends the '.enc' extension to affected data containers. For example, 'vespa_mandarinia_japonica.png' will be converted to 'dmVzcGFfbWFuZGFyaW5pYV9qYXBvbmljYQ==.enc.' The random message is packed as 'instructions.html' and is loaded by the Trojan.Encoder.6491 in the default browser automatically. The message says:

FM your files have been encrypted using AES 256, there Is no way to decrypt than by yourself If you want to decrypt them you have to pay approximately 25$ in Bitcoins to the follow, address:
Amount 0.052300 BTCs
To the address [34 random characters]
Do not worry If you don't know what Bitcoins are, they are an online currency
that Is not regulated by any government, the price changes daily but now is near the 600$ usd dollars
To get some Bitcoins you can go to some of this web pages
- Coinbase
this page you can store your ImIcoms and also buy than using your credit card,
It Is a safe page, you can check it online you aren't sure
This a web where people contact each others to exchange Bitcoins for money in paypal, in cash if you find someone nearby and many other ways
I strongly recommend as you can be done in 15 minutes and your files will start decrypting
I recommend you look for info online If you don't want to use
If you can't figure mg something send me an email to helpmedecrypt@protomnail com
You have 72 hours form now to send the payment or you will lose all the data so don't wait to send an email if you don't know something.
I hope to hem from you soon.'

The Files are Encrypted with the AES Cipher but Decryption is Possible

The Trojan.Encoder.6491 requires users to leave its main executable running on the system and pay 0.052300 Bitcoins, which equals approximately 33 USD. Experts do not encourage paying the ransom because you do not have a guarantee that a decryption key will be sent to your PC. It is possible to decrypt the files affected by Trojan.Encoder.6491 but it will cost you nearly as much as complying with the terms of the Trojan.Encoder.6491. Computer users may consider buying a commercial license for decryption software designed to unlock data corrupted by the Trojan.Encoder.6491. However, there is a third option—you can use a trusted anti-malware utility to delete the Trojan.Encoder.6491 and use backup images to recover your data for free. Backup images allow users to deal with threats like the Trojan.Encoder.6491 and the Cerber3 Ransomware effortlessly.


Most Viewed