Trojan:W32/BandarChor

Classification

Malware

Trojan

W32

BandarChor, Trojan:W32/BandarChor.A, Trojan:W32/BandarChor.B

Summary

Trojan:W32/BandarChor is ransomware that steals control of the user's machine or data, then demands a payment from the user to restore normal access to the ransomed content or system.

Removal

Automatic action

Once detected, the F-Secure security program will automatically disinfect the suspect file by either deleting it or renaming it.

Further action

If the ransomware uses encryption to take files or an entire system hostage, the encryption may be sufficient to make it very difficult to decrypt the files without the necessary decryption key.

In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The BandarChor ransomware is reportedly distributed via email and exploit kits. On execution, the malware drops a copy of itself and the ransom notification image (below) into the Startup directory.

Screenshot of BandarChor ransom message

It then attempts to encrypt various file types (DOC, XLS, JPG and so on) and rename them using the formula [filename].id-[ID]_fud@india.com. The affected machine's computer name and ID are then reported to a remote location.

For more information, please see: