Re: The Netherlands - what digital country is this Official computers of three cities (Borsele, Weert and Den Bosch) in The Netherlands have been infected by what seems to be a variant of a Sasfis Trojan. McAfee has released an extra.dat file that seems to be able to clean and recover infected files. Links in Dutch: http://tweakers.net/nieuws/83626/trojan-legt-gemeentelijk-netwerk-van-weert-plat.html https://secure.security.nl/artikel/42580/1/Computervirus_legt_gemeente_Weert_plat.html http://www.nu.nl/internet/2879849/netwerk-gemeenten-plat-computervirus.html
Re: The Netherlands - what digital country is this Emsisoft have just released a free decryption tool for the Dorifel crypto malware currently paralyzing many systems in the Netherlands, many of them companies or Government ones. http://blog.emsisoft.com/
Re: The Netherlands - what digital country is this Thanks stapp! More about it: Official Dutch "National Cyber Security Centrum": http://www.waarschuwingsdienst.nl/R...e besmetting infecteert office bestanden.html Dutch security company Fox-IT: XDocCrypt/Dorifel – Document encrypting and network spreading virus http://blog.fox-it.com/2012/08/09/xdoccryptdorifel-document-encrypting-and-network-spreading-virus/ SurfRight (HitmanPro): Dorifel decrypter http://www.surfright.nl/nl/support/dorifel-decrypter Great work Fabian (and Mark and Erik)
Re: The Netherlands - what digital country is this More info also on: with a list of AV vendors and their detection names for it (note that detection is not the same as recovering). New virus in the running, XDocCrypt/Dorifel http://www.damnthoseproblems.com/?p=599
Re: The Netherlands - what digital country is this Maybe it is better when posts 14 through 17 are split off of this thread to a new thread called "XDocCrypt/Dorifel". It is no longer only a Dutch problem. I'll ask the mod team.
Thanks Ron for splitting this thread off of the other thread. ===== The initial post about calling it "Sasfis Trojan" was not correct. Sorry about that. ===== The virus is spreading around in The Netherlands, and is expected to do so more, also because of the holiday time. The virus was not only seen in The Netherlands. The Fox-IT blog from last night showed the spreading at that moment. The Fox-IT blog is really interesting. Michael Sandee (of Fox-IT) posted there also a reply about having received a Hermes banking trojan that at that moment was detected by zero AVs at VirusTotal. ===== Mark Loman has also posted a reply in the Hitman Pro Support and Discussion Thread.
The decrypter tool has been updated a few times; currently it is at version 1.3.1 (August 10, 2012). See the changelog at http://www.surfright.nl/nl/support/dorifel-decrypter (once again thanks to Fabian Wosar of Emsisoft) The site of the Official Dutch "National Cyber Security Centrum" has also been updated (but that site is in Dutch): http://www.waarschuwingsdienst.nl/R...e besmetting infecteert office bestanden.html This site has also been updated: http://www.damnthoseproblems.com/?p=599
Dorifel is much bigger than expected and it's still active and growing! • From Kaspersky's Securelist
Thanks siljaline for the Kaspersky link; appreciated! The Kaspersky blog is mentioning a relationship with ZeuS/Citadel. Other sites/blogs have been telling the same. Maybe too early to tell, but when several researchers are thinking the same, well then... The Kaspersky blog is telling that KAV detects it, which is of course good! Another thing is however, as I already posted, whether it is also capable of recovering (decrypting) the encrypted Office files. (Well, you could say of course that it is your responsibility to have good backups.) The "Damn Those Problems" site is quoting for example Tammy Stewart of GFI (VIPRE). Maybe it is good that I post the Changelog of the decrypter tool as already mentioned: http://www.surfright.nl/nl/support/dorifel-decrypter The Dutch "National Cyber Security Centrum" is saying that there are now no more new infected computers coming in Holland. We will see; maybe a bit early to tell. They are also telling that they are getting stories of phone calls in poor English offering to clean machines (of course asking for big money).
From ESET's David Harley • ESET Stand-alone removal tool contained • Dorifel/Quervar: the support scammer’s secret weapon
Mix of Dutch and English languages in this report: http://www.digital-investigation.eu...gereed-voor-nederlandse-banking-phishing.html
The decrypter (created by Fabian Wosar of Emsisoft) has been updated. Changelog: http://www.surfright.nl/nl/support/dorifel-decrypter
More about SurfRight (HitmanPro) and Emsisoft working together on it: "Joint Strike Force against Dorifel" http://hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/
Update on 14 Aug 2012 from the Dutch "National Cyber Security Centrum" (note that it is in Dutch): https://www.ncsc.nl/actueel/nieuwsberichten/dorifel-virus-de-stand-van-zaken.html
An updated stand-alone removal tool for Win32/Quervar.C is available here. I would like to thank ESET for adding the tool to the other stand-alone removal utilities!
The decrypter (created by Fabian Wosar of Emsisoft) has been updated. Heads up for what is written for version 1.5. Changelog: http://www.surfright.nl/nl/support/dorifel-decrypter
The decrypter (created by Fabian Wosar of Emsisoft) has been updated. http://www.surfright.nl/nl/support/dorifel-decrypter
Thanks Gerard. Several Dutch sites are reporting about it. ===== The decrypter (mentioned already several times in this thread) has been updated: http://www.surfright.nl/nl/support/dorifel-decrypter