Wilders Security Forums  

Wilders Security Forums > Other Security Topics > malware problems & news

  #1  
Old August 8th, 2012, 10:23 PM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: The Netherlands - what digital country is this

Official computers of three cities (Borsele, Weert and Den Bosch) in The Netherlands have been infected by what seems to be a variant of a Sasfis Trojan.
McAfee has released an extra.dat file that seems to be able to clean and recover infected files.

Links in Dutch:
http://tweakers.net/nieuws/83626/tro...eert-plat.html
https://secure.security.nl/artikel/4...eert_plat.html
http://www.nu.nl/internet/2879849/ne...utervirus.html
  #2  
Old August 9th, 2012, 01:19 AM
stapp stapp is offline
Very Frequent Poster
 
Join Date: Jan 2006
Location: England
Posts: 2,253
Default Re: The Netherlands - what digital country is this

Emsisoft have just released a free decryption tool for the Dorifel crypto malware currently paralyzing many systems in the Netherlands, many of them companies or Government ones.

http://blog.emsisoft.com/
  #3  
Old August 9th, 2012, 09:54 AM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: The Netherlands - what digital country is this

Thanks stapp!

More about it:

Official Dutch "National Cyber Security Centrum":
http://www.waarschuwingsdienst.nl/Ri...bestanden.html

Dutch security company Fox-IT:
XDocCrypt/Dorifel – Document encrypting and network spreading virus
http://blog.fox-it.com/2012/08/09/xd...reading-virus/

SurfRight (HitmanPro):
Dorifel decrypter
http://www.surfright.nl/nl/support/dorifel-decrypter

Quote:
This decrypter was created by Fabian Wosar of Emsisoft, thanks to contributions by our researchers Mark and Erik Loman.

Great work Fabian (and Mark and Erik)
  #4  
Old August 9th, 2012, 11:43 AM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: The Netherlands - what digital country is this

More info also on the site below, with a list of AV vendors and their detection names for it.
(Note that detection is not the same as recovering.)

New virus in the running, XDocCrypt/Dorifel
http://www.damnthoseproblems.com/?p=599
  #5  
Old August 9th, 2012, 11:48 AM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: The Netherlands - what digital country is this

Maybe it is better when posts 14 through 17 are split off of this thread to a new thread called "XDocCrypt/Dorifel". It is no longer only a Dutch problem.
I'll ask the mod team.
  #6  
Old August 9th, 2012, 07:37 PM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: XDocCrypt/Dorifel

Thanks Ron for splitting this thread off of the other thread.

=====

The initial post about calling it "Sasfis Trojan" was not correct. Sorry about that.

=====

The virus is spreading around in The Netherlands, and is expected to do so more, also because of the holiday time.

The virus was not only seen in The Netherlands. The Fox-IT blog from last night showed the spreading at that moment.

The Fox-IT blog is really interesting.

Michael Sandee (of Fox-IT) also posted a reply there about having received a Hermes banking trojan that at that moment was detected by zero AVs at VirusTotal.

=====

Mark Loman has also posted a reply in the Hitman Pro Support and Discussion Thread.
  #7  
Old August 10th, 2012, 09:53 AM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: XDocCrypt/Dorifel

The decrypter tool has been updated a few times; currently it is at version 1.3.1 (August 10, 2012).
See the changelog at http://www.surfright.nl/nl/support/dorifel-decrypter
(once again thanks to Fabian Wosar of Emsisoft)


The site of the Official Dutch "National Cyber Security Centrum" has also been updated (but that site is in Dutch):
http://www.waarschuwingsdienst.nl/Ri...bestanden.html


This site has also been updated:
http://www.damnthoseproblems.com/?p=599
  #8  
Old August 10th, 2012, 04:45 PM
siljaline siljaline is offline
Security Expert
 
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,262
Post Re: XDocCrypt/Dorifel

Dorifel is much bigger than expected and it's still active and growing!
• From Kaspersky's secure list
Quote:
Yesterday it was a dark day for many companies in Europe, but especially in the Netherlands. A piece of malware known as Worm.Win32.Dorifel infected over 3000 machines globally, and 90% of infected users were both from public and business sector organizations based in the Netherlands. We have seen government departments and hospitals being victims. The other countries with a large amount of infections were detected in Denmark, the Philippines, Germany, the United States and Spain. All users running Kaspersky Lab’s Products are protected from this threat.
  #9  
Old August 10th, 2012, 08:06 PM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: XDocCrypt/Dorifel

Thanks siljaline for the Kaspersky link; appreciated!
The Kaspersky blog mentions a relationship with ZeuS/Citadel. Other sites/blogs have been saying the same. Maybe too early to tell, but when several researchers are thinking the same, well then...

The Kaspersky blog says that KAV detects it, which is of course good! Another thing however, as I already posted, is whether it is also capable of recovering (decrypting) the encrypted Office files. (Well, you could say of course that it is your responsibility to have good backups.) The "Damn Those Problems" site is quoting for example Tammy Stewart of GFI (VIPRE).

Maybe it is good that I post the Changelog of the decrypter tool as already mentioned:
http://www.surfright.nl/nl/support/dorifel-decrypter

Quote:
Changelog

1.1 (August 9, 2012)

• IMPROVED: decrypter now skips the last 7 0-bytes, because in some rare situations Office complained when opening the rescued document.

1.2 (August 9, 2012)

• ADDED: Support for multiple paths in one call.
• ADDED: Support for file paths.
• ADDED: /all switch to scan all files instead of just *.scr files.
• ADDED: /np switch.

1.3 (August 10, 2012)

• ADDED: The decrypter will now remove an active Dorifel Trojan from the system.
• ADDED: By default, the decryption tool will now decrypt affected .exe files as well.
• ADDED: File name restoration. Files that were renamed by the malware but were not infected are now restored to their original file name too.
• ADDED: /del switch, which deletes the infected files after successful decryption.
• ADDED: Support for 'matroschka'-like infections; i.e. files that are seized multiple times are now also decrypted multiple times for full restoration.
• ADDED: Automatic log creation. The log will be written to the same folder as the decrypter.
• IMPROVED: File name recovery in case the RTLO character was removed manually.
• IMPROVED: The algorithm used to create the decrypted file's name was improved. This also comes in handy when e.g. another cleaner recovered the document but didn't restore its original filename.
• FIXED: The tool no longer crashes when it encounters a file with a file size of 0 bytes; these files were caused by updated antivirus software preventing infection.

1.3.1 (August 10, 2012)

• IMPROVED: The decrypter will now overwrite existing files when renaming files as well.

The Dutch "National Cyber Security Centrum" is saying that no new infected computers are turning up in Holland any more. We will see; maybe a bit early to tell.
They are also telling that they are getting stories of phone calls in poor English offering to clean machines (of course asking for big money).
  #10  
Old August 11th, 2012, 05:31 AM
Dermot7 Dermot7 is online now
Very Frequent Poster
 
Join Date: Dec 2009
Location: Surrey, England.
Posts: 1,911
Default Re: XDocCrypt/Dorifel

Quote:
Below are my findings of the two servers used in the (targetted) attack mainly taking place in the Netherlands.
http://rickey-g.blogspot.nl/2012/08/...l-servers.html
__________________
A man's pride shall bring him low: but honour shall uphold the humble in spirit: Proverbs 29,23.
"Only the wasteful virtues earn the sun": William Butler Yeats, April 27, 1916.
  #11  
Old August 11th, 2012, 04:55 PM
siljaline siljaline is offline
Security Expert
 
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,262
Post Re: XDocCrypt/Dorifel

From ESET's David Harley • ESET Stand-alone removal tool contained •
Dorifel/Quervar: the support scammer’s secret weapon

Last edited by siljaline : August 11th, 2012 at 11:26 PM.
  #12  
Old August 12th, 2012, 12:01 PM
Dermot7 Dermot7 is online now
Very Frequent Poster
 
Join Date: Dec 2009
Location: Surrey, England.
Posts: 1,911
Default Re: XDocCrypt/Dorifel

Mix of Dutch and English languages in this report: http://www.digital-investigation.eu/...-phishing.html
__________________
A man's pride shall bring him low: but honour shall uphold the humble in spirit: Proverbs 29,23.
"Only the wasteful virtues earn the sun": William Butler Yeats, April 27, 1916.
  #13  
Old August 13th, 2012, 08:00 PM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: XDocCrypt/Dorifel

The decrypter (created by Fabian Wosar of Emsisoft) has been updated.
Changelog:

http://www.surfright.nl/nl/support/dorifel-decrypter

Quote:
1.4 (August 13, 2012)

• ADDED: Handling for improperly decrypted files some other cleaners produce.
• IMPROVED: Logic of the /del parameter.

1.4.1 (August 13, 2012)

• IMPROVED: Handling of large files (> 2GB).
  #14  
Old August 14th, 2012, 07:51 PM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: XDocCrypt/Dorifel

More about SurfRight (HitmanPro) and Emsisoft working together on it:
"Joint Strike Force against Dorifel"
http://hitmanpro.wordpress.com/2012/...ainst-dorifel/
  #15  
Old August 14th, 2012, 08:01 PM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: XDocCrypt/Dorifel

Update on 14 Aug 2012 from the Dutch "National Cyber Security Centrum" (note that it is in Dutch):
https://www.ncsc.nl/actueel/nieuwsbe...van-zaken.html
  #16  
Old August 15th, 2012, 04:06 AM
gerardwil gerardwil is offline
Massive Poster
 
Join Date: Jan 2004
Location: NL
Posts: 4,516
Default Re: XDocCrypt/Dorifel

Detection ratio on VT is now 33/41
  #17  
Old August 20th, 2012, 12:33 AM
siljaline siljaline is offline
Security Expert
 
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,262
Post Re: XDocCrypt/Dorifel

An updated stand-alone removal tool for Win32/Quervar.C is available here. I would like to thank ESET for adding the tool to the other stand-alone removal utilities!
  #18  
Old August 31st, 2012, 08:23 PM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: XDocCrypt/Dorifel

The decrypter (created by Fabian Wosar of Emsisoft) has been updated.
Heads up for what is written for version 1.5.

Changelog:

http://www.surfright.nl/nl/support/dorifel-decrypter

Quote:
1.4.2 (August 28, 2012)

• IMPROVED: Detection for certain Excel file format versions.

1.5 (August 29, 2012)

• ADDED: Support for new Dorifel variant that recently appeared in the United States. This new variant uses a different RC4 encryption key and infection marker.
  #19  
Old September 3rd, 2012, 12:40 PM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: XDocCrypt/Dorifel

The decrypter (created by Fabian Wosar of Emsisoft) has been updated.

http://www.surfright.nl/nl/support/dorifel-decrypter

Quote:
1.6 (September 3, 2012)

• IMPROVED: Updated the decrypter to handle Excel binary files correctly now.
  #20  
Old September 27th, 2012, 09:44 AM
gerardwil gerardwil is offline
Massive Poster
 
Join Date: Jan 2004
Location: NL
Posts: 4,516
Default Re: XDocCrypt/Dorifel

Quote (translated from Dutch):
Published: Thursday, 27 September 2012
Author: Henk-Jan Buist

Dorifel is rearing its head again in the Netherlands. The new variant is even more vicious, is not yet recognised by virus scanners and installs the notorious ZeroAccess rootkit.

Mark Loman of security company SurfRight reports on Twitter a new Dorifel variant that downloads the ZeroAccess rootkit. This botnet is called 'one of the biggest threats on the internet' by security experts. ZeroAccess is mainly active in the US and Europe, but has so far not been a major player in the Netherlands.

webwereld.nl
  #21  
Old September 27th, 2012, 03:44 PM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: XDocCrypt/Dorifel

Thanks Gerard.
Several Dutch sites are reporting about it.

=====

The decrypter (mentioned already several times in this thread) has been updated:

http://www.surfright.nl/nl/support/dorifel-decrypter

Quote:
1.7 (September 27, 2012)

• ADDED: Support for new Dorifel variant. This latest variant uses a different RC4 encryption key.

1.8 (September 27, 2012)

• ADDED: Support for a fourth Dorifel variant. Again, this latest variant uses a different RC4 encryption key.
  #22  
Old October 1st, 2012, 11:07 AM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: XDocCrypt/Dorifel

The decrypter has been updated:

http://www.surfright.nl/nl/support/dorifel-decrypter

Quote:
1.9 (September 28, 2012)

• ADDED: Support for a fifth Dorifel variant that surfaced in Spain.
  #23  
Old October 4th, 2012, 07:45 AM
FanJ FanJ is offline
Updates Team
 
Join Date: Feb 2002
Posts: 1,830
Default Re: XDocCrypt/Dorifel

The decrypter has been updated:

http://www.surfright.nl/nl/support/dorifel-decrypter

Quote:
1.9.3 (October 3, 2012)

• ADDED: Support for two new Dorifel variants.

• ADDED: File type recognition for Adobe PDF, Rich Text Format (RTF) and WordPerfect documents.

• ADDED: /ren switch to rename files with RTLO character that have an unknown infection.

• ADDED: /dmp switch. This parameter will instruct the decrypter to save decrypted files to disk even if the format wasn't recognized. Such files will receive the extension ".unk" (for unknown) so you can easily locate them. You will have to restore the correct file extension manually or use a tool like TrID to restore the file extensions for you. Please note that the parameter "/dmp" cannot be used at the same time as the parameter "/del" for safety reasons.
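An added example (not code from this thread, and not the SurfRight/Emsisoft decrypter itself) showing the three mechanisms the changelogs in this thread keep coming back to: the RTLO character hiding a file's real extension (1.3 file name recovery and the 1.9.3 /ren switch), recognising a recovered file's real type from its first bytes instead of its name (1.9.3 file type recognition, and what you would do with a ".unk" dump), and peeling off RC4 layers when each variant has its own key and a file may have been seized more than once (1.3 'matroschka' handling, 1.5 through 1.9). The candidate keys, the disguised file name and the PDF stub are constructed placeholders; the magic-byte table is the standard file signatures for those formats, and the bidi rendering is a simplification of the Unicode algorithm.

```python
# Added triage helpers for a Dorifel-style document-encrypting infection.
# Not the SurfRight/Emsisoft decrypter; keys and samples below are constructed.

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, used to make "x.cod.scr" look like "x.doc"

# Magic bytes -> extension for the formats the changelog names. First match wins.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 compound file (legacy Office)
    (b"PK\x03\x04", "docx"),                       # OOXML is a ZIP container
    (b"\xffWPC", "wpd"),                           # WordPerfect document
]


def sniff_type(data):
    """Return the extension implied by the leading bytes, or None if unknown."""
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            return ext
    return None


def displayed_name(name):
    """Approximate what a file manager renders for a name containing RTLO.

    Simplified bidi: everything after the first RTLO is drawn right-to-left,
    i.e. reversed on screen, while the bytes on disk are unchanged.
    """
    if RTLO not in name:
        return name
    head, tail = name.split(RTLO, 1)
    return head + tail[::-1]


def rtlo_report(name):
    """Flag a name whose rendered extension differs from its real extension."""
    shown = displayed_name(name)
    real_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {
        "name": name,
        "displayed": shown,
        "real_ext": real_ext,
        "displayed_ext": shown_ext,
        "suspicious": RTLO in name and real_ext != shown_ext,
    }


def rc4(key, data):
    """Textbook RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover(blob, candidate_keys, max_layers=3):
    """Peel RC4 layers until a known document header appears.

    Every key is tried at every layer, because each variant had its own key and
    a file could be seized more than once. Returns (plaintext, ext, layers) or
    None; an output with no recognised header is never trusted, which is the
    case a real tool would dump as ".unk" for manual review with e.g. TrID.
    """
    ext = sniff_type(blob)
    if ext:
        return blob, ext, 0
    if max_layers == 0:
        return None
    for key in candidate_keys:
        hit = recover(rc4(key, blob), candidate_keys, max_layers - 1)
        if hit:
            return hit[0], hit[1], hit[2] + 1
    return None


# Constructed demo input: hypothetical keys, a disguised name, a twice-wrapped PDF stub.
DEMO_KEYS = [b"variant-A-key", b"variant-B-key"]
DEMO_NAME = "invoice" + RTLO + "cod.scr"  # renders as invoicercs.doc

if __name__ == "__main__":
    print(rtlo_report(DEMO_NAME))
    sample = b"%PDF-1.4 constructed sample"
    wrapped = rc4(DEMO_KEYS[1], rc4(DEMO_KEYS[0], sample))
    print(recover(wrapped, DEMO_KEYS))
```

The point of validating by header rather than by file name is the same one the changelog makes with the .unk extension: after a rename by the malware (or by another cleaner) the name proves nothing, so the recovered bytes have to identify themselves.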
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums