XDocCrypt/Dorifel

Discussion in 'malware problems & news' started by FanJ, Aug 8, 2012.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Re: The Netherlands - what digital country is this

    Official computers of three cities (Borsele, Weert and Den Bosch) in The Netherlands have been infected by what seems to be a variant of a Sasfis Trojan.
    McAfee has released an extra.dat file that seems to be able to clean and recover infected files.

    Links in Dutch:
    http://tweakers.net/nieuws/83626/trojan-legt-gemeentelijk-netwerk-van-weert-plat.html
    https://secure.security.nl/artikel/42580/1/Computervirus_legt_gemeente_Weert_plat.html
    http://www.nu.nl/internet/2879849/netwerk-gemeenten-plat-computervirus.html
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,280
    Location:
    England
    Re: The Netherlands - what digital country is this

    Emsisoft have just released a free decryption tool for the Dorifel crypto malware currently paralyzing many systems in the Netherlands, many of them companies or Government ones.

    http://blog.emsisoft.com/
     
  3. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Re: The Netherlands - what digital country is this

    Thanks stapp !

    More about it :

    Official Dutch "National Cyber Security Centrum" :
    http://www.waarschuwingsdienst.nl/R...e besmetting infecteert office bestanden.html

    Dutch security company Fox-IT:
    XDocCrypt/Dorifel – Document encrypting and network spreading virus
    http://blog.fox-it.com/2012/08/09/xdoccryptdorifel-document-encrypting-and-network-spreading-virus/

    SurfRight (HitmanPro) :
    Dorifel decrypter
    http://www.surfright.nl/nl/support/dorifel-decrypter

    Great work Fabian (and Mark and Erik) :thumb:
     
  4. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Re: The Netherlands - what digital country is this

    More info also at the site below,
    with a list of AV vendors and their detection names for it.
    (Note that detection is not the same as recovering.)

    New virus in the running, XDocCrypt/Dorifel
    http://www.damnthoseproblems.com/?p=599
     
  5. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Re: The Netherlands - what digital country is this

    Maybe it is better when posts 14 through 17 are split off of this thread to a new thread called "XDocCrypt/Dorifel". It is no longer only a Dutch problem.
    I'll ask the mod team.
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Thanks Ron for splitting this thread off of the other thread.

    =====

    The initial post about calling it "Sasfis Trojan" was not correct. Sorry about that.

    =====

    The virus is spreading around in The Netherlands, and is expected to do so more, also because of the holiday time.

    The virus was not only seen in The Netherlands. The Fox-IT blog from last night showed the spreading at that moment.

    The Fox-IT blog is really interesting.

    Michael Sandee (of Fox-IT) also posted a reply there about having received a Hermes banking trojan that at that moment was detected by zero AVs at VirusTotal.

    =====

    Mark Loman has also posted a reply in the Hitman Pro Support and Discussion Thread.
     
  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Dorifel is much bigger than expected and it's still active and growing!
    • From Kaspersky's Securelist
     
  9. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Thanks siljaline for the Kaspersky link; appreciated!
    The Kaspersky blog is mentioning a relationship with ZeuS/Citadel. Other sites/blogs have been telling the same. Maybe too early to tell, but when several researchers are thinking the same, well then...

    The Kaspersky blog says that KAV detects it, which is of course good! Another thing, however, as I already posted, is whether it is also capable of recovering (decrypting) the encrypted Office files. (Well, you could of course say that it is your responsibility to have good backups.) The "Damn Those Problems" site is quoting, for example, Tammy Stewart of GFI (VIPRE).

    Maybe it is good that I post the Changelog of the decrypter tool as already mentioned:
    http://www.surfright.nl/nl/support/dorifel-decrypter

    The Dutch "National Cyber Security Centrum" is saying that no new infected computers are now coming in in Holland. We will see; maybe a bit early to tell.
    They are also saying that they are getting stories of phone calls in poor English offering to clean machines (of course asking for big money).
     
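The posts above keep stressing that detection is not the same as recovery: an AV signature tells you a machine is infected, but not which documents on a share are still unreadable. The script below is an added example, written for this page and not code from the thread, from Fox-IT, SurfRight or Emsisoft, and it does not model how XDocCrypt/Dorifel itself encrypts anything. It inventories Office files whose container signature no longer matches their extension, so you can count what is damaged before running a decrypter and confirm afterwards that the count has dropped to zero. The 4 KiB sample size, the 7.5 bits/byte entropy threshold and the classification names are assumptions for illustration; the OLE2, ZIP and PE signatures are the standard ones.

```python
"""
Post-outbreak triage for a document-encrypting infection: inventory which
Office files on a share no longer look like Office files.

Added example, not code from this thread or from Fox-IT/SurfRight/Emsisoft.
It does NOT model how XDocCrypt/Dorifel itself encrypts; it only checks the
container signature and byte entropy of each file (assumed heuristics).
"""
import math
import os
from collections import Counter
from pathlib import Path

# Container signatures for the two Office file families (well-known constants).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc / .xls / .ppt
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx / .xlsx / .pptx
PE_MAGIC = b"MZ"                                  # Windows executable

EXPECTED_MAGIC = {
    ".doc": OLE2_MAGIC, ".xls": OLE2_MAGIC, ".ppt": OLE2_MAGIC,
    ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC, ".pptx": ZIP_MAGIC,
}

SAMPLE_BYTES = 4096        # assumption: the first 4 KiB is enough to judge a file
ENTROPY_THRESHOLD = 7.5    # assumption: above this, bytes look encrypted/compressed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 (constant) .. 8.0 (uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, head: bytes) -> str:
    """Classify a file from its name and its first SAMPLE_BYTES bytes.

    Returns one of:
      ok                 - signature matches the extension
      suspect-executable - document extension but a PE header (dropper posing as a document)
      suspect-encrypted  - wrong signature and high entropy
      suspect-corrupt    - wrong signature and low entropy (truncated, zeroed, overwritten)
      unknown-type       - extension not in EXPECTED_MAGIC
    """
    expected = EXPECTED_MAGIC.get(Path(name).suffix.lower())
    if expected is None:
        return "unknown-type"
    head = head[:SAMPLE_BYTES]
    if head.startswith(expected):
        return "ok"
    if head.startswith(PE_MAGIC):
        return "suspect-executable"
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "suspect-encrypted"
    return "suspect-corrupt"


def scan_tree(root: str) -> dict:
    """Walk a directory and map each Office-extension file to its classification."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if Path(fname).suffix.lower() not in EXPECTED_MAGIC:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue   # unreadable file: leave it out rather than guess
            results[path] = classify(fname, head)
    return results


def summarize(results: dict) -> dict:
    """Count files per classification; run it before and after the decrypter."""
    return dict(Counter(results.values()))


if __name__ == "__main__":
    import sys
    import tempfile
    root = sys.argv[1] if len(sys.argv) > 1 else None
    if root is None:
        # Constructed sample files so the script runs offline without a share.
        root = tempfile.mkdtemp()
        samples = {
            "budget.xlsx": ZIP_MAGIC + b"\0" * 64,
            "memo.doc": OLE2_MAGIC + b"\0" * 64,
            "plan.docx": bytes(range(256)) * 16,      # stands in for ciphertext
            "notes.ppt": PE_MAGIC + b"\x90\0" * 32,   # executable with a document name
        }
        for fname, content in samples.items():
            Path(root, fname).write_bytes(content)
    results = scan_tree(root)
    for path, verdict in sorted(results.items()):
        print(f"{verdict:<20} {path}")
    print(summarize(results))
```

Run it against the share (or a copy of it) once before and once after the decrypter: a file that still classifies as suspect-encrypted after the tool has run is one the tool could not recover and has to come from backup. The executable check is a generic red flag for any file with a document extension, not a statement about how this particular malware stores its payload.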
  10. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  11. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: Aug 11, 2012
  12. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    The decrypter (created by Fabian Wosar of Emsisoft) has been updated.
    Changelog:

    http://www.surfright.nl/nl/support/dorifel-decrypter

     
  14. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  15. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  16. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Detection ratio on VT is now 33/41
     
  17. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    An updated stand-alone removal tool for Win32/Quervar.C is available here. I would like to thank ESET for adding the tool to the other stand-alone removal utilities!
     
  18. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    The decrypter (created by Fabian Wosar of Emsisoft) has been updated.
    Heads up for what is written for version 1.5.

    Changelog:

    http://www.surfright.nl/nl/support/dorifel-decrypter

     
  19. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  20. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Google translation:

    webwereld.nl
     
  21. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Thanks Gerard.
    Several Dutch sites are reporting about it.

    =====

    The decrypter (mentioned already several times in this thread) has been updated:

    http://www.surfright.nl/nl/support/dorifel-decrypter

     
  22. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  23. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    The decrypter has been updated:

    http://www.surfright.nl/nl/support/dorifel-decrypter

     