In early August 2012, the networks of Dutch government bodies, public-sector organisations and private companies were hit hard by a new wave of crypto malware named Trojan-Ransom.Win32.Dorifel.
Our research revealed that this Trojan entered these networks via a variant of the Zeus/Zbot banking Trojan called Citadel.
This means that the Citadel Trojan was already present on at least one computer inside the network before Dorifel arrived.
Update: On August 28, 2012 we received the first report of a new variant of this Trojan, which has now also appeared in the United States.
The Dorifel Trojan scans network shares and local (including USB-connected) drives for executables and Microsoft Office documents. To be precise: .doc and .docx (Word documents), .xls and .xlsx (Excel documents) and programs with the .exe file extension. Encountered documents and programs are seized and replaced with a new executable file carrying the .scr file extension. This executable contains an RC4-encrypted copy of the seized document or program. The Trojan gives the file a familiar icon and alters the filename by abusing the Unicode right-to-left override (RTLO) character, so that the name is displayed with what looks like the correct file extension and the user believes it is still an ordinary document.
Figure: Notice the differences (icon, filename) between a Word Document and a document affected by Dorifel.
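As an added example (written for this edit, not code from the post or from the decrypter), the following Python script flags filenames that carry the right-to-left override the Trojan relies on and shows the extension the user sees next to the one Windows actually acts on. It approximates the display rule for the single-RLO pattern described above rather than implementing the full Unicode bidirectional algorithm. The sample filenames are constructed: the "Offerte" name mirrors the decrypter output below, while "Rapport", "DFSSaver.scr" and "Archive.rar" are assumed benign or disguised files used only to exercise the checks.

```python
# Added example (not part of the original post or the decrypter): flag file
# names that use Unicode bidirectional override characters to disguise the
# real extension, the way Dorifel dresses a .scr executable up as .doc/.xls.
import os
import unicodedata

RLO = "\u202E"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202C"  # POP DIRECTIONAL FORMATTING (ends an override)

# Bidi classes of the explicit formatting characters (U+202A-202E, U+2066-2069).
# The marks U+200E/U+200F have class L/R but are invisible too, so list them separately.
BIDI_FORMAT_CLASSES = {"LRE", "RLE", "PDF", "LRO", "RLO", "LRI", "RLI", "FSI", "PDI"}
BIDI_MARKS = "\u200E\u200F"


def is_bidi_control(ch):
    return unicodedata.bidirectional(ch) in BIDI_FORMAT_CLASSES or ch in BIDI_MARKS


def rendered_name(name):
    """Approximate how a file manager displays the name: the text following an
    RLO, up to a PDF or the end of the name, is drawn reversed. This covers the
    one pattern Dorifel uses (a single RLO before the fake extension); it is
    not a full implementation of the Unicode bidirectional algorithm."""
    shown = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            shown.append(name[i + 1:end][::-1])
            i = end + 1
        elif is_bidi_control(ch):
            i += 1  # other controls are invisible; drop them from the display
        else:
            shown.append(ch)
            i += 1
    return "".join(shown)


def analyse(name):
    """Return what the user sees, what the OS sees, and whether they disagree."""
    shown = rendered_name(name)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    has_control = any(is_bidi_control(c) for c in name)
    return {
        "name": name,
        "shown_as": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        # A bidi control in a file name is already odd; a mismatch between the
        # displayed and the real extension is the actual disguise.
        "suspicious": has_control and real_ext != shown_ext,
    }


def scan_names(names):
    """Analyse a list of file names and return only the suspicious ones."""
    return [r for r in (analyse(n) for n in names) if r["suspicious"]]


def scan_tree(root):
    """Walk a directory tree (e.g. a mounted share) and return suspicious entries."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for r in scan_names(files):
            r["path"] = os.path.join(dirpath, r["name"])
            found.append(r)
    return found


# Constructed sample names: two Dorifel-style disguised files (the '?' in the
# decrypter output on this page stands where the RLO character sits), plus a
# legitimate screensaver and an archive that must both be left alone.
SAMPLE_NAMES = [
    "Offerte" + RLO + "cod.scr",   # displays as Offertercs.doc, really .scr
    "Rapport" + RLO + "slx.scr",   # displays as Rapportrcs.xls, really .scr (assumed name)
    "DFSSaver.scr",                # a real screensaver, no bidi control
    "Archive.rar",
]

if __name__ == "__main__":
    for r in scan_names(SAMPLE_NAMES):
        print("%-26r shown as %-18s real %s, shown %s"
              % (r["name"], r["shown_as"], r["real_ext"], r["shown_ext"]))
```

Point scan_tree at a share to get a list of candidates for the decrypter's /ren handling; the script only reports, it does not rename or decrypt anything.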
So currently most affected users will not notice anything, since the 'documents' still open as usual. In its present state the malware appears to be all about propagating itself to as many machines as possible. But because the Trojan checks for an online update roughly every half hour, the attacker could later deploy far more destructive malware.
Our HitmanPro software has been rescuing infected systems since August 7.
HitmanPro detects and removes both the Dorifel and the Citadel Trojan.
However, HitmanPro does not recover the seized documents, which is why you need the following FREE standalone decrypter to get your documents back:
decrypt_dorifel.exe <paths to decrypt> [/all]

    /all - Scan all files and not only files ending in *.scr
    /np  - Does not pause once the tool finished
    /del - Delete infected files after successful decryption (can't be used with /dmp)
    /ren - Rename files with RTLO marker but no known infection
    /dmp - Dump decrypted files even if file format could not be recognized (can't be used with /del)
    /?   - This help
When no path is specified, the Windows installation drive is scanned.
A path can be a folder, a drive, a UNC path or a single file.
Multiple paths can be specified on one command line.
    Trojan-Ransom.Win32.Dorifel decrypter v1.9.3 - Use at your own risk!
    Written by Fabian Wosar - Emsisoft GmbH - http://www.emsisoft.com
    Contributions by Mark & Erik Loman - SurfRight B.V. - http://www.hitmanpro.com

    Looking for active infection ...
    An active infection was found in directory C:\Documents and Settings\User\Application Data\S4428M\!
    Malware process C:\Documents and Settings\User\Application Data\S4428M\G9D8Z3.exe killed successfully!
    Infection cleaned successfully!

    Original File:  Z:\docs\Offerte?cod.scr
    Decrypted File: Z:\docs\Offerte.doc
    Status:         Success!

    Original File:  Z:\docs\Calculatie?sxl.scr
    Decrypted File: Z:\docs\Calculatie.xls
    Status:         Success!
The '?' in the original file names above is where the right-to-left override character sits; the console has no printable form for it. The tool automatically skips any files that are not related to the Dorifel infection:
    Original File: C:\Program Files (x86)\DisplayFusion\DFSSaver.scr
    Status:        Infection marker is missing. Skipped.

    Original File: C:\Users\Mark\Desktop\Archive.rar
    Status:        File is not infected. Skipped.
Also, if possible, monitor or block traffic to the following IP addresses and domains in the firewall on the perimeter of your network:
The Dorifel Trojan entered the network because it was most likely downloaded by other malware (Citadel) already present on one of the computers in the network.
If you are affected, we advise you to run a second-opinion scan across your network to find the infected computers.
You can use our HitmanPro or Emsisoft Emergency Kit for this task.
Instructions on how to perform FREE second-opinion malware scans with HitmanPro can be found in the following document:
This document contains example scripts showing how to integrate HitmanPro into a Windows 2003, Windows 2008 and/or LabTech managed environment.
1.1 (August 9, 2012)
1.2 (August 9, 2012)
1.3 (August 10, 2012)
1.3.1 (August 10, 2012)
1.4 (August 13, 2012)
1.4.1 (August 13, 2012)
1.4.2 (August 28, 2012)
1.5 (August 29, 2012)
1.6 (September 3, 2012)
1.7 (September 27, 2012)
1.8 (September 27, 2012)
1.9 (September 28, 2012)
1.9.3 (October 3, 2012)
If you need help on how to use the decrypter, please contact firstname.lastname@example.org
Published: August 9, 2012. Updated: October 3, 2012 (21:00 CEST). Mark Loman and Fabian Wosar.