Dorifel decrypter

Introduction | Download decrypter | Usage | Changelog | Quick Guide for Network Admins | Second Opinion | More Info

Introduction

In the beginning of August 2012, Dutch government, public sector and networks of private companies are hit hard by a new wave of crypto malware named Trojan-Ransom.Win32.Dorifel. Our research revealed that this Trojan entered the networks thanks to a variant of the Zeus/Zbot banking Trojan called Citadel. This means that this Trojan was already present on one of the computers inside the network.
Update: On August 28, 2012 we received the first report of a new variant of this Trojan, that now appeared in the United States.

This Dorifel Trojan scans network shares and local (USB) connected drives for executables and Microsoft Office documents. To be precise .doc and .docx (Word documents), .xls and .xlsx (Excel documents) and programs with the .exe file extension. Encountered documents and programs are seized and replaced with a new executable file that has the .scr file extension. This executable file contains an RC4 encrypted version of the seized document or program. The Trojan adds a familiar icon to the file and changes the filename of the document, abusing the RTLO 'vulnerability' (right-to-left-override) to make computer users belief the 'document' has the correct file extension.


Figure: Notice the differences (icon, filename) between a Word Document and a document affected by Dorifel.

So currently, most affected users will not notice anything since the 'documents' open as usual. In its current state the malware is likely all about propagating itself to as many machines as possible. But since the Trojan checks for an online update every half an hour or so, the attacker could later deploy more ruthless malware.

Download decrypter

Our HitmanPro software is rescueing infected systems since August 7. HitmanPro will detect and remove both the Dorifel as well as the Citadel Trojan. But HitmanPro does not recover the seized documents which is why you need the following FREE standalone decrypter to recover your documents:

http://dl.surfright.nl/decrypt_dorifel.exe

or

http://tmp.emsisoft.com/fw/decrypt_dorifel.zip

This decrypter was created by Fabian Wosar of Emsisoft, thanks to contributions from our researchers Mark and Erik Loman.

Usage

	decrypt_dorifel.exe <paths to decrypt> [/all]

	/all - Scan all files and not only files ending in *.scr
	/np  - Does not pause once the tool finished
	/del - Delete infected files after successful decryption (can't be used with /dmp)
	/ren - Rename files with RTLO marker but no known infection
	/dmp - Dump decrypted files even if file format could not be recognized (can't be used with /del)
	/?   - This help
	

When no path is specified, the Windows installation drive is being scanned.
Paths can be a folder, drive, UNC or file paths.
Specifying multiple paths in one command line is supported.

        C:\>decrypt_dorifel.exe Z:\docs
    

Output examples:

	Trojan-Ransom.Win32.Dorifel decrypter v1.9.3 - Use at your own risk!
	Written by Fabian Wosar - Emsisoft GmbH - http://www.emsisoft.com
	Contributions by Mark & Erik Loman - SurfRight B.V. - http://www.hitmanpro.com

        Looking for active infection ...
        An active infection was found in directory C:\Documents and Settings\User\Application Data\S4428M\!
        Malware process C:\Documents and Settings\User\Application Data\S4428M\G9D8Z3.exe killed successfully!
        Infection cleaned successfully!

        Original File: Z:\docs\Offerte?cod.scr
        Decrypted File: Z:\docs\Offerte.doc
        Status: Success!

        Original File: Z:\docs\Calculatie?sxl.scr
        Decrypted File: Z:\docs\Calculatie.xls
        Status: Success!
    

The tool automatically skips any files that are not related to the Dorifel infection.

        Original File: C:\Program Files (x86)\DisplayFusion\DFSSaver.scr
        Status: Infection marker is missing. Skipped.
        
        Original File: C:\Users\Mark\Desktop\Archive.rar
        Status: File is not infected. Skipped.
    

Quick Guide for Network Admins

1. First make sure the shared folders are temporarily not accessible by clients on your network.
   (e.g. by disconnecting the file server from the network)
2. Create a folder named System Volume Information in the root of each share. This will prevent re-infection of the documents in your shares when infected clients are reconnecting.
3. Update the antivirus program on the server. Make sure it has the latest signatures.
   This might also be a good time to check for any missing security updates (run or visit Windows Update).
4. Run our Trojan-Ransom.Win32.Dorifel decrypter on the server to rescue the affected documents.
5. Search for and move (or delete) all files that have the file extension .scr from the server.
6. Reconnect the server.
7. Scan your clients with a second opinion antivirus scanner to catch the Citadel Trojan that installed the Dorifel on your machines.

Also, if possible, monitor or block traffic to the following IP addresses and domains in the firewall on the perimeter of your network:

• ipo90.com
• 1nlreality.sk
• avtoclub.eu
• vnk.sk
• zalil.ru
• yerty90.com
• 91.220.35.61
• oianowifna.ru
• greatnewidea1.ru
• greatnewidea12.ru
• www.organizasyonservisi.com
• unionfilesexchnges.su

Older addresses:

• 184.82.162.163
• 184.22.103.202
• 184.82.107.86
• 158.255.211.28
• 149.154.154.47
• 184.82.107.87
• 184.82.116.202
• 184.22.246.252
• windows-update-server.com
• wesaf341.org
• xertgfd.ru

Second Opinion

The Dorifel Trojan entered the network because it was likely downloaded by other malware already present on one of the computers in the network. If you are affected we advise you to run a second opinion scan in your network to find the infected computers. You can use our HitmanPro or Emsisoft Emergency Kit for this task.

Instructions on how to perform FREE second opinion malware scans with HitmanPro can be found in the following document:

Command-Line Reference for Network Managers (PDF)

This documents contains example scripts on how to integrate HitmanPro into a Windows 2003, 2008 and/or LabTech managed environment.

Changelog

1.1 (August 9, 2012)

• IMPROVED: decrypter now skips the last 7 0-bytes, because in some rare situations Office complained when opening the rescued document.

1.2 (August 9, 2012)

• ADDED: Support for multiple paths in one call.
• ADDED: Support for file paths.
• ADDED: /all switch to scan all files instead of just *.scr files.
• ADDED: /np switch.

1.3 (August 10, 2012)

• ADDED: The decrypter will now remove an active Dorifel Trojan from the system.
• ADDED: By default, the decryption tool will now decrypt affected .exe files as well.
• ADDED: File name restoration. Files that were renamed by the malware but were not infected are now restored to their original file name too.
• ADDED: /del switch, which deletes the infected files after successful decryption.
• ADDED: Support for 'matroschka'-like infections; i.e. files that are seized multiple times are now also decrypted multiple times for full restoration.
• ADDED: Automatic log creation. The log will be written to the same folder as the decrypter.
• IMPROVED: File name recovery in case the RTLO character was removed manually.
• IMPROVED: The algorithm used to create the decrypted file's name was improved. This also comes in handy when e.g. another cleaner recovered the document but didn’t restore its original filename.
• FIXED: The tool no longer crashes when it encounters a file with a file size of 0 bytes; these files were caused by updated antivirus software preventing infection.

1.3.1 (August 10, 2012)

• IMPROVED: The decrypter will now overwrite existing files when renaming files as well.

1.4 (August 13, 2012)

• ADDED: Handling for improperly decrypted files some other cleaners produce.
• IMPROVED: Logic of the /del parameter.

1.4.1 (August 13, 2012)

• IMPROVED: Handling of large files (> 2GB).

1.4.2 (August 28, 2012)

• IMPROVED: Detection for certain Excel file format versions.

1.5 (August 29, 2012)

• ADDED: Support for new Dorifel variant that recently appeared in the United States. This new variant uses a different RC4 encryption key and infection marker.

1.6 (September 3, 2012)

• IMPROVED: Updated the decrypter to handle Excel binary files correctly now.

1.7 (September 27, 2012)

• ADDED: Support for new Dorifel variant. This latest variant uses a different RC4 encryption key.

1.8 (September 27, 2012)

• ADDED: Support for a fourth Dorifel variant. Again, this latest variant uses a different RC4 encryption key.

1.9 (September 28, 2012)

• ADDED: Support for a fifth Dorifel variant that surfaced in Spain.

1.9.3 (October 3, 2012)

• ADDED: Support for a two new Dorifel variants.
• ADDED: File type recognition for Adobe PDF, Rich Text Format (RTF) and WordPerfect documents.
• ADDED: /ren switch to rename files with RTLO character that have an unknown infection.
• ADDED: /dmp switch. This parameter will instruct the decrypter to save decrypted files to disk even if the format wasn't recognized. Such files will receive the extension ".unk" (for unknown) so you can easily locate them." You will have to restore the correct file extension manually or use a tool like TrID to restore the file extensions for you. Please note that the parameter "/dmp" cannot be used at the same time as the parameter "/del" for safety reasons.

If you need help on how to use the decrypter, please contact dorifel@hitmanpro.com

More Information

• Emsisoft - Dorifel crypto malware paralyzes Dutch companies and public sector
• Fox-IT - XDocCrypt/Dorifel – Document encrypting and network spreading virus

Dutch:

• NCSC - Malware besmetting infecteert office bestanden
• NU.nl - Netwerk gemeenten plat door computervirus
• NU.nl - Ruim 20 instellingen getroffen door virus Sasfis
• Tweakers.net - Nederlandse organisaties getroffen door onbekend virus
• Security.nl - Excel verminkende malware teistert Nederlandse bedrijven

Published: August 9, 2012. Updated: October 3, 2012 (21:00 CEST). Mark Loman and Fabian Wosar.