Dorifel decrypter

Introduction | Download decrypter | Usage | Changelog | Quick Guide for Network Admins | Second Opinion | More Info


In the beginning of August 2012, Dutch government, public sector and networks of private companies are hit hard by a new wave of crypto malware named Trojan-Ransom.Win32.Dorifel. Our research revealed that this Trojan entered the networks thanks to a variant of the Zeus/Zbot banking Trojan called Citadel. This means that this Trojan was already present on one of the computers inside the network.
Update: On August 28, 2012 we received the first report of a new variant of this Trojan, that now appeared in the United States.

This Dorifel Trojan scans network shares and local (USB) connected drives for executables and Microsoft Office documents. To be precise .doc and .docx (Word documents), .xls and .xlsx (Excel documents) and programs with the .exe file extension. Encountered documents and programs are seized and replaced with a new executable file that has the .scr file extension. This executable file contains an RC4 encrypted version of the seized document or program. The Trojan adds a familiar icon to the file and changes the filename of the document, abusing the RTLO 'vulnerability' (right-to-left-override) to make computer users belief the 'document' has the correct file extension.

Figure: Notice the differences (icon, filename) between a Word Document and a document affected by Dorifel.

So currently, most affected users will not notice anything since the 'documents' open as usual. In its current state the malware is likely all about propagating itself to as many machines as possible. But since the Trojan checks for an online update every half an hour or so, the attacker could later deploy more ruthless malware.

Download decrypter

Our HitmanPro software is rescueing infected systems since August 7. HitmanPro will detect and remove both the Dorifel as well as the Citadel Trojan. But HitmanPro does not recover the seized documents which is why you need the following FREE standalone decrypter to recover your documents:


This decrypter was created by Fabian Wosar of Emsisoft, thanks to contributions from our researchers Mark and Erik Loman.


	decrypt_dorifel.exe <paths to decrypt> [/all]

	/all - Scan all files and not only files ending in *.scr
	/np  - Does not pause once the tool finished
	/del - Delete infected files after successful decryption (can't be used with /dmp)
	/ren - Rename files with RTLO marker but no known infection
	/dmp - Dump decrypted files even if file format could not be recognized (can't be used with /del)
	/?   - This help

When no path is specified, the Windows installation drive is being scanned.
Paths can be a folder, drive, UNC or file paths.
Specifying multiple paths in one command line is supported.

        C:\>decrypt_dorifel.exe Z:\docs

Output examples:

	Trojan-Ransom.Win32.Dorifel decrypter v1.9.3 - Use at your own risk!
	Written by Fabian Wosar - Emsisoft GmbH -
	Contributions by Mark & Erik Loman - SurfRight B.V. -

        Looking for active infection ...
        An active infection was found in directory C:\Documents and Settings\User\Application Data\S4428M\!
        Malware process C:\Documents and Settings\User\Application Data\S4428M\G9D8Z3.exe killed successfully!
        Infection cleaned successfully!

        Original File: Z:\docs\Offerte?cod.scr
        Decrypted File: Z:\docs\Offerte.doc
        Status: Success!

        Original File: Z:\docs\Calculatie?sxl.scr
        Decrypted File: Z:\docs\Calculatie.xls
        Status: Success!

The tool automatically skips any files that are not related to the Dorifel infection.

        Original File: C:\Program Files (x86)\DisplayFusion\DFSSaver.scr
        Status: Infection marker is missing. Skipped.
        Original File: C:\Users\Mark\Desktop\Archive.rar
        Status: File is not infected. Skipped.

Quick Guide for Network Admins

  1. First make sure the shared folders are temporarily not accessible by clients on your network.
    (e.g. by disconnecting the file server from the network)
  2. Create a folder named System Volume Information in the root of each share. This will prevent re-infection of the documents in your shares when infected clients are reconnecting.
  3. Update the antivirus program on the server. Make sure it has the latest signatures.
    This might also be a good time to check for any missing security updates (run or visit Windows Update).
  4. Run our Trojan-Ransom.Win32.Dorifel decrypter on the server to rescue the affected documents.
  5. Search for and move (or delete) all files that have the file extension .scr from the server.
  6. Reconnect the server.
  7. Scan your clients with a second opinion antivirus scanner to catch the Citadel Trojan that installed the Dorifel on your machines.

Also, if possible, monitor or block traffic to the following IP addresses and domains in the firewall on the perimeter of your network:

Older addresses:

Second Opinion

The Dorifel Trojan entered the network because it was likely downloaded by other malware already present on one of the computers in the network. If you are affected we advise you to run a second opinion scan in your network to find the infected computers. You can use our HitmanPro or Emsisoft Emergency Kit for this task.

Instructions on how to perform FREE second opinion malware scans with HitmanPro can be found in the following document:

Command-Line Reference for Network Managers (PDF)

This documents contains example scripts on how to integrate HitmanPro into a Windows 2003, 2008 and/or LabTech managed environment.


1.1 (August 9, 2012)

1.2 (August 9, 2012)

1.3 (August 10, 2012)

1.3.1 (August 10, 2012)

1.4 (August 13, 2012)

1.4.1 (August 13, 2012)

1.4.2 (August 28, 2012)

1.5 (August 29, 2012)

1.6 (September 3, 2012)

1.7 (September 27, 2012)

1.8 (September 27, 2012)

1.9 (September 28, 2012)

1.9.3 (October 3, 2012)

If you need help on how to use the decrypter, please contact

More Information


Published: August 9, 2012. Updated: October 3, 2012 (21:00 CEST). Mark Loman and Fabian Wosar.

© SurfRight 2015  |  Disclaimer  |  Sitemap