Damn Those Problems
8 Aug 2012

New virus in the running, XDocCrypt/Dorifel

There is a new virus, dubbed XDocCrypt/Dorifel by the NCSC, wreaking havoc at this very moment. And now it seems it’s downloading a new banking trojan… Read about it below.

Just about all major anti-virus vendors have by now released new definitions that can find and destroy this malware. Infected Microsoft Office documents are decrypted and safe* once again!

* Depends on the released definition and vendor, not all vendors support decryption. If not, check post below for a decrypt tool.

08-08-2012

Update 11:20 (GMT+1) We’ve uploaded the possible malware to www.virustotal.com and it seems a few vendors can detect it now. The website states the definitions are coming out as we speak. They are awake and we have lift-off…

Update 12:20 (GMT+1) According to DrWeb the virus is called “Trojan.MulDrop3.62656”. Getting closer to clean systems…

Update 13:30 (GMT+1) McAfee said on the telephone that they are getting a lot of phone calls about this malware. They are working on it right now and will probably have an updated DAT file within the next 2-6 hours. I really hope they do have it fast, but of course there are no guarantees whatsoever!

Update 14:30 (GMT+1) According to McAfee there are two locations where the virus places itself (these are separate from the modified .doc and .xls files). These are:

  • C:\Documents and Settings\xxxxxx\Application Data\xxxxx\xxxx.exe
  • C:\Users\xxxxxx\AppData\Roaming\xxxxx\xxxxxx.exe

This tool from McAfee scans the system and can find these files. Download here. Use it with caution: because it is a zero-day tool, it flags a lot of false positives.

Update 16:45 (GMT+1) Angelo (in the comment below) revealed a trick via Windows Group Policies to possibly block the malware .exe files from executing.

Quote: “It’s possible to block the executable (virus) files from starting with the Group Policy. Go to Windows Settings > Security Settings > Software Restrictions Policies > Additional Rules > New Hash Rule and browse to one of the executables. This is tested with multiple virus files.”

Try it in an isolated environment (as far as possible anyway) and drop a line below with your findings!

Note!

HermeS, in the comments, noted that: “It seems that the file hash is only the same on the local computer. On a different computer it has a different hash.”

09-08-2012

Update 18:05 (GMT+1) An excellent find by Frank from Fox-IT:

It seems the virus is downloaded onto clients that were already part of a Citadel (Zeus variant) botnet.

The source tries to download hxxp://184.82.162.163/a.exe (editor’s note: replace the x’s)

Blocking access to that IP in your firewall will, for now, prevent clients already infected with Citadel from downloading the new virus.

Editor edit 12:25 (GMT+1): Another IP is detected by Fox-IT: 184.22.103.202, block this one as well!

You may be able to see in your proxy logs which clients downloaded the malicious executable; those clients are most likely infected with the virus.
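The proxy-log check suggested above, as an added example that is not part of the original post or of any vendor tool: it parses Squid-style access.log lines and reports every client that contacted the IP addresses and domains listed in this post (the body's indicators and, separately labelled, the ones commenters report further down). The log format, the client addresses and the sample lines are assumptions constructed for the example.

```python
"""Pick the clients that talked to the XDocCrypt/Dorifel download and phishing
hosts out of a Squid-style proxy log.

Added example, not a tool from the post. Assumptions: Squid "native" access.log
layout (timestamp elapsed client status/code bytes method URL ident peer/host
type) and the constructed sample lines in SAMPLE_LOG.
"""
from urllib.parse import urlsplit

# Indicators quoted in the post body (updates of 9, 11 and 12 August 2012).
IOC_IPS = {
    "184.82.162.163",  # hxxp://184.82.162.163/a.exe (Fox-IT)
    "184.22.103.202",  # second IP reported by Fox-IT
    "158.255.211.28",  # phishing host (Digital Investigations)
    "184.82.107.86",   # added on 12-08-2012
}
IOC_DOMAINS = {"bank-auth.org"}

# Indicators reported by commenters below (Citadel C2 and g.php hosts).
IOC_IPS_COMMENTS = {"64.191.51.208", "203.119.8.111", "158.255.214.59"}
IOC_DOMAINS_COMMENTS = {
    "windows-update-server.com", "dns-reslove.name", "wesaf341.org",
    "resolve-dns.com", "werthasd1.com", "wwfas52.vn",
}

DROPPER_HOST, DROPPER_PATH = "184.82.162.163", "/a.exe"

# Constructed sample log; the client addresses are made up.
SAMPLE_LOG = """\
1344417600.123    245 10.1.2.33 TCP_MISS/200 26064 GET http://184.82.162.163/a.exe - DIRECT/184.82.162.163 application/octet-stream
1344417601.456     87 10.1.2.34 TCP_MISS/200 26064 POST http://wesaf341.org/g.php - DIRECT/184.82.162.163 application/octet-stream
1344417602.789     12 10.1.2.35 TCP_HIT/200 4096 GET http://www.example.com/index.html - NONE/- text/html
1344417603.001     40 10.1.2.36 TCP_MISS/200 812 GET http://bank-auth.org/login.php - DIRECT/158.255.211.28 text/html
"""


def parse_squid_line(line):
    """Split one native-format line into the fields we need; None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    peer = parts[8]                       # e.g. DIRECT/184.82.162.163 or NONE/-
    return {
        "client": parts[2],
        "method": parts[5],
        "url": parts[6],
        "host": (urlsplit(parts[6]).hostname or "").lower(),
        "peer_ip": peer.split("/", 1)[1] if "/" in peer else "",
    }


def _domain_hit(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(rec):
    """Return the reasons a request matches the indicators (empty list if clean)."""
    reasons = []
    for value, where in ((rec["host"], "URL host"), (rec["peer_ip"], "peer")):
        if value in IOC_IPS:
            reasons.append(f"{where} {value} is a listed Dorifel IP")
        elif value in IOC_IPS_COMMENTS:
            reasons.append(f"{where} {value} is an IP reported in the comments")
    if _domain_hit(rec["host"], IOC_DOMAINS):
        reasons.append(f"host {rec['host']} is the listed phishing domain")
    elif _domain_hit(rec["host"], IOC_DOMAINS_COMMENTS):
        reasons.append(f"host {rec['host']} is a C2 domain reported in the comments")
    if rec["host"] == DROPPER_HOST and urlsplit(rec["url"]).path == DROPPER_PATH:
        reasons.append("downloaded the a.exe dropper: treat this client as infected")
    return reasons


def find_infected_clients(lines):
    """Map each client IP that matched an indicator to its (url, reasons) hits."""
    hits = {}
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.setdefault(rec["client"], []).append((rec["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, entries in sorted(find_infected_clients(SAMPLE_LOG.splitlines()).items()):
        for url, reasons in entries:
            print(client, url, "|", "; ".join(reasons))
```

Feed it your real access.log instead of SAMPLE_LOG and block the same addresses on the firewall, as the post advises. These are indicators from August 2012; IP addresses get reassigned, so a match on an old IP alone is a reason to look at the client, not proof of infection.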

Update 09:10 (GMT+1) Surfright has released a tool that decrypts files encrypted by the malware. Click here to go to their site. Please note that this tool does NOT remove the virus/trojan itself! (Thanks to Mark from Surfright in the comments.)

Update 21:00 (GMT+1) The Dutch tech-news site Tweakers.net reports, in an interview with a spokesperson from the NCSC, that it looks like this is an attack with ties to the criminal world.

10-08-2012

Update 09:15 (GMT+1) Anti-virus vendors that are detecting the malware at this moment. This list is updated when I get information about their updated definitions.

List now in alphabetical order for easy searching.

  • AhnLab-V3 (Dropper/Win32.Dorifel)
  • AntiVir (TR/Rogue.kdv.691754.7)
  • Avast (Win32:Trojan-gen)
  • AVG (SHeur4.ALGO)
  • BitDefender (Trojan.Generic.KDV.691754)
  • ByteHero (Trojan-Downloader.Win32.DlfBfkg.ln)
  • DrWeb (Trojan.MulDrop3.62566)
  • Emsisoft (Trojan-Dropper.Win32.Dorifel!IK)
  • ESET-NOD32 (Win32/Delf.NBG)
  • Fortinet (W32/Delf.NBG)
  • F-Secure (Trojan.Generic.KDV.691754)
  • GData (Trojan.Generic.KDV.691754)
  • GFI Vipre (Works for removal and cleaning, but renames .docx and .xlsx to .doc and .xls. They are working on that issue. Reported by Arno Rommens in the comment below.)
  • Ikarus (Trojan.SuspectCRC)
  • Kaspersky (reported by Johan below in the comments NOT to work, but it was updated 09-aug-2012 so try again!!) (Trojan-Dropper.Win32.Dorifel.hau)
  • McAfee (W32/XDocCrypt.a) (new definition updates are out, try to autoupdate!)
    • (released an extra.dat; download here (right-click and download!), follow these instructions for VSE and EPO) (Please note that this extra.dat isn’t released publicly yet!)
  • Microsoft (Virus:Win32/Quervar.B)
  • Norman (W32/BadBreak.A)
  • nProtect (Trojan.Generic.KDV.691754)
  • PCTools (Trojan.Exprez)
  • Sophos (Mal/Behav-104)
  • Symantec (Backdoor.Trojan)
  • TrendMicro (PE_QUERVAR.B) (as of 6:29 PM PST, they clean infected Office documents as well.)
  • TrendMicro-Housecall (TROJ_GEN.R47H1H8)
  • VIPRE (Backdoor.Generic (fs))
  • ViRobot (Backdoor.A.Dorifel.173080.A)

Update 11:00 (GMT+1) A lot of sources now tell us that .exe files are being infected as well. It was reported before, but it is now confirmed. Besides this news, it is becoming clearer that this XDocCrypt/Dorifel malware was delivered by an already present banking trojan called Citadel, from the Zeus/Zbot family. Some even say this virus was dropped so the creators can brag about their invisibility. Is this a new hacker war? If so, interesting times ahead…

As a side-note, Fox-IT has a good technical information blog about this attack, here.

Update 12:40 (GMT+1) It seems (Dutch) that the malware is now downloading a new banking trojan in addition to the one that encrypts the Office documents. This one, called Hermes, is said to be undetectable by all major anti-virus vendors at the moment. It reportedly gathers banking information and even contains code for DDoS attacks and remote shell access. This one seems even worse, but luckily everyone is on their toes at the moment.

11-08-2012

Update 13:10 (GMT+1) Digital Investigations discovered (Dutch) disturbing new facts about this malware! They have picked the malware apart and discovered that its goal is to distribute phishing websites for the ING bank, ABN AMRO and the SNS bank.

As per above discovery it is imperative that IP address 158.255.211.28 and the DNS host “bank-auth.org” are blocked!

Also there are rumors going around that this virus is temporarily terminating itself when someone tries to view all active processes. This, however, is unverified.

12-08-2012

Update 14:05 (GMT+1) Add IP address 184.82.107.86 to the list! Digital Investigations has seen even more horrific data as they go on. 549 Bank accounts from Dutch citizens have been compromised and this data has been shared with their respective banks. It seems this attack is far from over, but the Dutch digital specialists are all over it.

13-08-2012

Update 09:30 (GMT+1) No real update at the moment. Kaspersky has an informational blog post about the malware and the numbers of infected computers in different countries. Most websites report that the virus has been halted. Since there is no news about Hermes or other new malware that is probably being distributed, it looks a bit calm at the moment. The question now is: is it the calm before the storm, or is the malware dying slowly?

Update 13:10 (GMT+1) I just found out McAfee has updated its free malware scanner, Stinger, to include XDocCrypt/Dorifel! Download here. This is a very easy-to-use Windows application that scans the C drive, memory, registry etc. for the most annoying and common malware. To use it, download the application, run it and press ‘Scan Now’. What could be simpler? If you have USB drives, I recommend you add those drive letters via the ‘Add’ button when they are plugged in.

Update 15:55 (GMT+1) You can’t trust anyone these days anymore… Scammers are calling companies and other institutions claiming to be from Microsoft’s helpdesk, calling to help with the virus. They ask if you would like to buy overpriced anti-virus software and even dare to ask for credit card data. Well, if you hadn’t thought of this already: DON’T DO THIS.


A company that provides IT services to another company at first received a few calls from concerned users who couldn't open their Microsoft Office Word and Excel documents anymore. The company called different anti-virus vendors, and they all said there are a lot of calls coming in with the details described below, but they don’t have a solution yet!

As of 8-8-2012 (08 August 2012) reports are coming in that an unnamed Belgian hospital has gone digitally dark due to this virus. (unverified source)

As of 9-8-2012 (09 August 2012) the Dutch news website nu.nl reported here that the cities of Borsele, Weert, Venlo and Den Bosch have been hit by the virus. This, of course, excludes all companies and other government organizations that do not publicly state they have been hit. Added victims are: Venlo, Tilburg & Almere. This malware seems to be spreading faster than updated definitions are being given out…

Other (Dutch) news sites report many, many more victims of this virus. Now the cities of Tilburg, Almere, Nieuwegein & Buren are infected too. Even the province of Noord-Holland, power grid manager Westland Infra and even the National Institute for Public Health and the Environment (RIVM) have been hit.

And as of 10-8-2012 (10 August 2012) the Dutch news site nos.nl writes that even the Dutch ministry OCW (the Ministry of Education, Culture and Science) has been hit. Luckily a lot of anti-virus vendors already have new definitions and got the outbreak under control in no time. They are still working, however, on cleaning the infected files.

After checking and double-checking the files, they turned out to be .scr files. The thing is, Windows Explorer shows you a file called filenamercs.doc. When viewed from a command prompt its name really is filename?cod.scr, where the ? stands for an invisible control character. Long story short, the real extension and the fake one are displayed in reverse. This is known as the RTLO (right-to-left override) Unicode hole. The trick uses the standard Unicode “right-to-left override” character (U+202E), which exists for Arabic and Hebrew text: everything after it is rendered right-to-left, so “cod.scr” is displayed as “rcs.doc”.

We call this hole not a bug, but a feature ;-)
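The right-to-left override trick described above, as an added example (not a tool from the post or from the NCSC): it flags file names that contain a bidi control character and really end in an executable extension, shows what a file manager displays for them, and reverses the Dorifel naming layout to recover the original document name. The sample names are constructed; the "stem + RLO + reversed extension + .scr" layout is read off the post's own filenamercs.doc example.

```python
"""Spot file names that use the Unicode right-to-left override (RLO, U+202E)
to make a .scr screensaver executable look like a Word or Excel document,
as described above, and work out the name the document had before.

Added example, not a tool from the post or the NCSC. The sample names in
SAMPLE_NAMES are constructed.
"""
import os
import re
import unicodedata

RLO = "\u202e"
# Explicit bidi controls: LRE, RLE, PDF, LRO, RLO and the isolates LRI, RLI, FSI, PDI.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Dorifel layout: <stem> + RLO + <original extension reversed> + ".scr",
# e.g. "report" + RLO + "cod.scr" is displayed as "reportrcs.doc".
DORIFEL_NAME = re.compile("^(?P<stem>.*)" + RLO + r"(?P<hint>[a-z]{3,4})\.scr$", re.IGNORECASE)

SAMPLE_NAMES = [
    "Budget 2012" + RLO + "cod.scr",   # was Budget 2012.doc
    "Sales" + RLO + "xslx.scr",         # was Sales.xlsx
    "notes.doc",                        # untouched document
    "setup.exe",                        # a plain executable, no bidi trick
]


def rendered_name(real_name):
    """Approximate how a bidi-aware file manager shows the name: everything
    after the first RLO is drawn reversed, up to the end of the name (Dorifel
    never emits a pop-directional-formatting character to end the override)."""
    if RLO not in real_name:
        return real_name
    head, _, tail = real_name.partition(RLO)
    return head + tail[::-1]


def extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def analyze_name(real_name):
    """Describe one file name: what is shown, what it really is, and a guess
    at the original document name when it follows the Dorifel layout."""
    shown = rendered_name(real_name)
    controls = sorted(unicodedata.name(c) for c in real_name if c in BIDI_CONTROLS)
    real_ext, shown_ext = extension(real_name), extension(shown)
    match = DORIFEL_NAME.match(real_name)
    return {
        "real_name": real_name,
        "shown_as": shown,
        "bidi_controls": controls,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        # spoofed = a bidi control makes an executable look like something else
        "spoofed": bool(controls) and real_ext in EXECUTABLE_EXTS and shown_ext != real_ext,
        "original_guess": match.group("stem") + "." + match.group("hint")[::-1].lower() if match else None,
    }


def find_spoofed(names):
    """Return the analyses of the names that are spoofed."""
    return [info for info in map(analyze_name, names) if info["spoofed"]]


def scan_tree(root):
    """Walk a directory tree and return the spoofed names found (real paths)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for info in find_spoofed(files):
            found.append(os.path.join(dirpath, info["real_name"]))
    return found


if __name__ == "__main__":
    for info in find_spoofed(SAMPLE_NAMES):
        print(f'{info["shown_as"]!r} is really {info["real_name"]!r}; '
              f'{", ".join(info["bidi_controls"])}; original: {info["original_guess"]}')
```

Point scan_tree at a file share to list the disguised .scr files by their real path. The original_guess is only a name: the content of such a file is the encrypted document with the malware attached, so it still needs the decrypter and an anti-virus clean-up before it is renamed back.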


This malware has been dubbed XDocCrypt/Dorifel by the Dutch National Cyber Security Centre (NCSC). Click here (Dutch) for their article about this malware. Click here for English information about the NCSC.

The goal of the malware may be to blackmail companies and cities into releasing the encrypted (read: hijacked) Microsoft Office documents. So far there are no known examples of actual blackmail going on.

It shares similarities with known malware (trojans to be exact) called:

Almost all major anti-virus vendors can detect this malware now, and most of them (unverified) can clean the encrypted Microsoft Office documents as well. Unfortunately a small number of computers seem to have received a new banking trojan called Hermes. And this one can’t be detected yet either… What is the digital world coming to?

As always, more information will be added when I get it. See the updated header!

Comments (129) Trackbacks (0)
  1. That explains why, when I checked the properties of the virus binary in C:\users\[username]\appdata\roaming\Iqzya, it said ‘FlexHexEditor’ in its description.

  2. Two days ago a new customer came to our company for advice, as they had the XDocCrypt/Dorifel virus on their system.
    It was removed by the current ICT guy, but the Word and Excel files were gone.. the guy could not locate or find them.

    So I went to the office for an investigation. The company had Symantec Endpoint Protection 12 on their server, and on all 6 workstations.
    Did some scans and all viruses were gone. I went searching through the log and came to the conclusion that Symantec deleted 6000+ .DOC and .XLS files.
    Symantec Endpoint Protection Client was configured for Primary Action “Clean infection”; Secondary action was “Quarantine File”.

    From the log file: ..
    Virus found,server,Auto-Protect scan,Backdoor.Trojan,1,E:DIRLOCATIONMy DocumentsWORDFILENAME?cod.doc?cod?cod?cod?cod?cod?cod?cod?cod.scr,”",Cleaned by deletion,Cleaned,Quarantined,10-08-2012 01:59:39,10-08-2012 04:01:24,,REMOVEDUSERNAME,REMOVEDHOSTNAME,10-08-2012 04:01:24,Default,REMOVEDUSERNAME,REMOVEDHOSTNAME,10-08-2012 04:01:24,REMOVEDUSERNAME,My CompanyServers,,0.0.0.0,10-08-2012 01:59:39,10-08-2012 04:01:24,0
    and then about 6000 times..

    Asked the company for a file backup.. There was no backup…

    So time for data recovery. Bought another drive, started the data recovery from the disk.
    All files returned to the other hard drive, but 99% of the files were corrupted and not readable.
    That one percent that came back was detected by the Symantec Endpoint Protection:
    Virus found,server,Auto-Protect scan,Trojan.Exprez.B,1,F:RECOVERYLOCATIONMy DocumentsWORDFILENAME?cod?cod?doc?cod?cod?cod.scr,”",Quarantined,Cleaned,Quarantined,22-08-2012 21:01:23,22-08-2012 21:06:28,,Administrator,server,22-08-2012 21:06:28,Default,REMOVEDUSERNAME,REMOVEDHOSTNAME,22-08-2012 21:06:28,REMOVEDUSERNAME,My CompanyServers,,0.0.0.0,22-08-2012 21:01:22,22-08-2012 21:06:28,0

    This gives me a headache. Symantec Endpoint Protection deleted the files on 10-08-2012 because they were detected as a Backdoor.Trojan.
    Just like it said in the above post.
    Quote”
    10-08-2012
    Update 09:15 (GMT+1) Anti-virus product vendors that are detecting the malware at this moment…
    List…
    Symantec (Backdoor.Trojan)
    List..

    So ok.. I did a Google on the Backdoor.Trojan virus from 1999… ?
    But why is it that the virus definitions that detected the recovered files on 22-08-2012 detected those files as Trojan.Exprez.B and were able to clean them or just quarantine them?

    Now I start to wonder. Did Symantec push the wrong definition files on 10-08-2012? Because it was deleting .XLS and .DOC files.
    And after they noticed, they pushed another definition?? That could detect it as Trojan.Exprez.B, and the files were cleaned or quarantined like they should be.

    The customer still doesn’t have their .XLS and .DOC files because they were deleted by Symantec. And the recovered files from the disk were all corrupted because of too many changes to the hard disk in the last 2 weeks.

    So I called Symantec. I’ll keep this short: I spent 12+ hours calling the helpdesk. In the first 30 min they told me they could not help me because the files were deleted.
    They told me that the infection was so bad that Endpoint Protection was unable to clean the file, and because of that it was deleted.
    The technician told me he could not help me. Connected to another engineer, no result. And spoke to the manager, and to the supervisor.
    They needed to check the log some more. Requested some files from Quarantine and now it is weekend.

    Monday I am going to call the Symantec department in the Netherlands, because all Symantec support is outsourced to India I guess?

    If someone could confirm the same problem, or knows that the virus definitions have really changed, or could advise me more,
    please contact me on rdehaar@gmail.com

    Best Regards,

    Roland

    The Netherlands.

  3. I had no reaction from AVG or Kaspersky on the dll files.
    Though I did find on 2 computers so far a new banking virus.
    Only the Kaspersky rescue disk sees something on the MBR and calls it Sinowal.b,
    so I’m not sure if it is a new release of Sinowal or maybe Hermes.

    TDSSKiller, aswMBR, AVG and Malwarebytes don’t find anything on the computers.
    Symptoms: the computer is slow and it tried to phish banking info like the ATM PIN.

    I’m going to work on this further this afternoon; if you have any tips I’m happy to hear them.

    • Try Stinger from McAfee, this is free and a Windows executable. Download here.

      And also, if stinger doesn’t find it, upload the suspected file here: https://www.virustotal.com/ to see if there are any a/v products that recognize malware in it.

      Lastly, contact your anti-virus product vendor and ask them if they could take a look at the dlls. There is a chance that it really isn’t a virus at all. Or maybe just something used by the malware!

  4. Every network administrator should have a group policy like that in place.
    Not with hash rules, but with the paths where executable programs can be.
    When executable programs are only allowed in C:\WINDOWS, C:\PROGRAM FILES and maybe one or two network shares where they are really required, and NOT in C:\DOCUMENTS AND SETTINGS etc., the majority of trojans have no chance to operate. Programs in the TEMP folder or other places where the user can write (MY DOCUMENTS, network shares) will simply not be executed.

    Basic group policy knowledge.

  5. Another update: I already have one customer with banking issues,
    but I’m not sure if it is related to this virus.
    It also uses Mebroot-like behaviour.
    AVG and Malwarebytes did not detect it.
    Just keep your heads up :)
    About the dlls I have no update from AVG or Kaspersky yet.

  6. As we also have some infected machines (currently 6 identified), we found some additional IP addresses that this malware tries to access:

    64.191.51.208 (werthasd1.com/g.php)
    203.119.8.111 (wwfas52.vn/g.php)
    158.255.214.59 (no URL found, but the proxy server didn’t recognize the method used, and therefore we think it’s malicious – this traffic was only observed from machines which were identified as infected)

  7. From the Threat Encyclopedia from Trend Micro we got this info:
    One is the dropper and the other one is the one that affects Microsoft documents and executables.

    http://about-threats.trendmicro.com/us/malware/PE_QUERVAR.B-O
    http://about-threats.trendmicro.com/us/malware/PE_QUERVAR.B

    Trend Micro says in their latest blog posts that PE_QUERVAR.B infected files are restored to their usable state by pattern 9.313.00.

  8. BTW I also noticed some dll files created in the same directory as the .exe file,
    with names like the ones created in the profile directory.
    I have submitted them to Kaspersky, AVG and VirusTotal.

  9. We also have found some infected exe files.
    Date stamp 8-8-2012, so the infection was pretty quick after the other symptoms of the virus, so I think it is another standard operation of the virus.

    Does anyone know if these files can be cleaned too?

    • Yeah, I’ve got a few sources who noticed the same. Also Microsoft stated this on their site. My post is updated accordingly.
      Thanks for sharing!

  10. Good news from GFI;

    Hello All,

    The definitions are out.
    Please make sure everyone is on 12564 or newer & run scans.
    These defs are to deal with the documents & exes that were at one time valid & had become encrypted, along with the virus attached to them.
    The defs can:
    Remove the virus
    Decrypt the files

    What they cannot do:
    Rename files back to original file name.

    The file extensions will need to be reset.

    I can recursively rename the file extensions in say a folder called “share” from *_cod.scr to have the doc extension with the following:

    for /r share %a in (*_cod.scr) do ren "%a" "%~na.doc"

    The above renames recursively, starting at the folder named share, any file with _cod.scr to regain the .doc extension.
    docx files – the above will need to be altered to suit.
    As will the xls & xlsx files.
    This will make the documents workable, but each one will still have the _cod, _xcod, etc. in the file name.

    Working on a feasible method of fixing that issue.

    For the most part the affected files are mainly on the server shares. Correct? Meaning docs on end user machines have NOT been affected in the same way?

    Thank you

    Tammy Stewart – Malware Removal Specialist
    GFI Software
    http://www.gfi.com/supportform

    • Ok, thanks again for sharing, post is updated with your findings.

      And yes, as far as I know there are no known infected documents on local computers (except USB drives etc.).
      The malware DOES place viruses (.exe files) on the local hard drive, so the computer itself isn’t clean, just no encrypted Office documents. (yet ;-) )

  11. FYI that Trend Micro now detects this attack and has information on its blog here: https://blog.trendmicro.com/caring-about-quervar/.

  12. Just a heads up to you all, today we found a file called dino.exe which was again not detected by Symantec Endpoint Protection running the latest virus defs of that moment. The file however was detected by NOD32 as Win32/Kryptik.AIJU. I have submitted the file to Symantec for investigation. No reply from them yet.

  13. Yes it is blocked, but no activity on those IP addresses. I created the block last Tuesday but till now still no activity.

  14. We also have problems with .exe extensions, does anybody else have the same problems?

    • Arno Rommens, a few comments up, reported infected .exe files. It looks a bit like a mutated version. Did you block the two IP addresses stated in the blog post? This may be the source of the updated virus. (if it really is an updated version ofc.)

    • Yes we have, but McAfee can detect & clean them with the extra.dat (or at least it says it can).

  15. At this moment we have definition file 12558 from GFI Vipre, just started a scan again.
    With 12556 we still had infected files on our shares. No encrypted or damaged files, but doc, docx, xls and xlsx files with normal names and extensions that had a Backdoor Trojan. Very weird.

    • Ok, great update!

      That’s weird indeed. And a first. It may be possible this is not the original malware, but something else it downloaded!

  16. http://blog.fox-it.com for more technical and background information on this virus!

  17. Trend deletes (read: puts in quarantine) the files that are *.scr…. but that’s not what we want…

  18. OfficeScan, that is, then.

  19. Trend Micro has new definitions,
    just for detection.

  20. We’re using Sophos so I checked if we were in trouble (sometimes outdated updates etc). Now it seems that the mal/behav-104 is a behavioural detection and is some years old, so even if we wouldn’t have updated since 2009, we’d still be protected. Way to go :-)

    • Well, if I have to guess, it is possible that they updated their existing definitions.
      But then again, it is possible that the heuristic detection from Sophos was plain better ;-)

  21. We have GFI Vipre Business, first we had definition 12554. We scanned the network and no results.
    Now we have definition 12556 (1 hour later) and we’re scanning again and we have now 13 infected files and still scanning.
    The infected files are .exe files from applications on network shares.

    • Thanks for the reaction. I’ve edited my post to reflect that GFI Vipre has a working update. (it isn’t in my online list to check, so thanks for this!)

  22. By blocking the creation of *cod.scr and *slx.scr files on our file server, the original files will be left alone by the virus. This has been tested on a file server at the Erasmus University Rotterdam, the Netherlands.

  23. Hello,

    Another victim, here. Does anyone know what would happen to the original file if the virus cannot create an .scr file? In our NetApp storage we can block the creation of files with certain extensions or renaming files to that extension. Would the virus leave the original file alone, then, or would it have been deleted? Unfortunately, currently we haven’t got an infected client to test this.

    • Misread the question.
      Short answer: no, I didn’t read anything about that. My guess is that it’s left alone. But that’s only a guess.

      Yes, the file is encrypted.

      If it’s encrypted due to this malware, it can be decrypted with the tool described in my above post in “Update 09:10”.

  24. Hello,

    We have a problem with Symantec Endpoint Protection 12.0: files like rcs.doc and rcs.xls will be deleted if we open the share. In the policy from Symantec we can select

    First action: Quarantine, Delete, Leave alone
    Second action: Quarantine, Delete

    We want to repair the files and not delete

    Regards,

    Barry Slijters

    How can we fix this ?

  25. Another IP address I see infected clients going to is 184.22.103.202, URL: resolve-dns.com/bl/in.php? followed by random string.

  26. FYI: You can use the Microsoft File Server Resource Manager to block the virus when it changes the filename on the server and meanwhile locate the infected systems. SRMSVC event ID 8215 will show you the systems that try to change the files.

    Note: a rule needs to be set for screening and blocking the filename change.

    Hope this helps.

  27. Is it possible to load extra.dat in Stinger?

    • Unfortunately it’s not.

      According to the readme of Stinger this definition isn’t in Stinger (yet).

      But I guess this has to do with the fact that McAfee still hasn’t officially released the definition!

  28. We tried the suggested HASH blocking in the GPO, no luck!

    It seems that the file hash is only the same on the local computer. On a different computer it has a different hash.

    The first three hashes are from the same computer, the latter three are from different computers:

    Filename MD5 SHA1
    9BM379.exe 98914849c66a5dee517f3d379b8faab6 1abe0b17301e59e2f9243ec741e041977e0013d0
    LG6JMM.exe 98914849c66a5dee517f3d379b8faab6 1abe0b17301e59e2f9243ec741e041977e0013d0
    ZDUNKV.exe 98914849c66a5dee517f3d379b8faab6 1abe0b17301e59e2f9243ec741e041977e0013d0
    KKCTWF.exe 55d67a3f0759a688535646f513da9cb0 05693fcc1dade25cdfbfa0ec97ec48226ac5b62b
    9KTBM2.exe 434c3ace264ce446132cd412f89f1fc4 47bef7c4f19220495408ef3a5561bb8c6c454151
    KKCTWF.exe 55d67a3f0759a688535646f513da9cb0 05693fcc1dade25cdfbfa0ec97ec48226ac5b62b
    L4KZNB.exe 0c23f70acfd1834e3fc79e927b7197cd e4ef63478207f1f51993426dc3334b7979e2b5ee

    Too bad.

    • Thanks for your test and reply! I’ve updated my post to reflect your findings.

    • Try a fuzzy hashing method like SSDEEP to find partially similar occurrences in the infected executables you find on your endpoints. You should be able to find a common denominator.

      Also, you can compare your found hashes against the ones in databases like virustotal for verification.

  29. Guys,

    Does anybody have a working download link for the new McAfee .dat file? I’ve downloaded the 6797 .dat file, but like Frank from Fox-IT said, this is not solving the problem.

    I cannot download it from the Medusoft forum: I registered but have no access to the file?

  30. Fabian, our vendor GFI still doesn’t have a DAT engine to remove it….
    Other solutions to kill the malware?

  31. We tested the tool with hundreds of encrypted documents and never had the problems you describe. Would you mind sending one of the encrypted files to fw@emsisoft.com? Please make sure it doesn’t contain any sensitive information.

    Thanks.

  32. Mark, does this tool also disinfect the computer, or does it only restore the files, and can the outbreak start again?

    • Sorry for replying in English. While I can read Dutch the same way most Dutch people can read German, I can’t actually speak Dutch.

      Anyways, the tool only decrypts the encrypted Word and Excel documents. It does not remove the actual infection. The best way to clean a system is to:

      1. Start the Task Manager. The malware has a kill switch and kills itself if a process named TaskMgr.exe is running. This way you can make sure it doesn’t interfere during the cleaning.
      2. Create a “System Volume Information” directory in the root directory of all mapped network shares and drives the infected system has access to. The malware does not encrypt documents located on a (mapped) drive with a “System Volume Information” folder in its root.
      3. Run the aforementioned decryption tool to decrypt all encrypted documents.
      4. Verify that the documents were decrypted successfully by opening them. If some of them weren’t, feel free to drop me an email (fw@emsisoft.com).
      5. If the files were decrypted correctly, use your anti-virus software to remove the infection. All major anti-virus vendors should detect it by now.
      6. Last but not least look for infections with Citadel, as this is the most common infection source that we have found so far.
      7. Once the infection is gone, remove the “System Volume Information” folders you created and close the Task Manager.

      I hope these instructions are helpful. If you need further help though feel free to contact me via mail :).

      • The decrypt_dorifel.exe tool works, but the files are renamed only with Office 2003 file endings. Most of our files are Office 2007 or 2010 files. Is there a trick for this, or a script that detects the correct files and then renames them back to the correct extension (docx, xlsx)?
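The renaming problem raised in GFI's comment (the batch one-liner that turns every *_cod.scr into .doc, leaving docx and xlsx wrong) and in the question above about Office 2007/2010 files can be solved by looking at the decrypted content instead of the mangled name. This is an added example, not the decrypt tool's code or a GFI script: the original extension is read backwards out of the _cod/_xcod/_slx/_xslx marker (or its right-to-left-override form), and the content decides the container, since .docx/.xlsx are ZIP archives with a word/ or xl/ member and .doc/.xls are OLE compound files. The sample contents are constructed in memory; the OLE sample is only a header, and the example assumes the decrypter has already run, because encrypted content matches neither signature.

```python
"""Decide which Office extension a decrypted Dorifel document should get by
looking at its content, instead of renaming every *_cod.scr to .doc.

Added example, not the decrypt tool's or GFI's code. The file contents in
SAMPLES are constructed in memory so the example runs offline; run it on
real files only after the decrypter has restored them.
"""
import io
import re
import zipfile

RLO = "\u202e"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary: .doc/.xls
ZIP_MAGIC = b"PK\x03\x04"                             # OOXML (.docx/.xlsx) is a ZIP

# "<stem>" + ("_" or RLO) + cod|xcod|slx|xslx + current extension. The marker is
# the original extension written backwards; the current extension is whatever
# the clean-up left behind (.scr, or .doc/.xls from the decrypt tool).
MANGLED = re.compile("^(?P<stem>.*)[_" + RLO + r"](?P<hint>cod|xcod|slx|xslx)(?P<ext>\.[a-z]+)$",
                     re.IGNORECASE)
OFFICE_EXTS = (".doc", ".xls", ".docx", ".xlsx")


def split_mangled(name):
    """Return (stem, extension the name claims) or (None, None)."""
    m = MANGLED.match(name)
    if m:
        return m.group("stem"), "." + m.group("hint")[::-1].lower()
    stem, dot, ext = name.rpartition(".")
    if dot and "." + ext.lower() in OFFICE_EXTS:
        return stem, "." + ext.lower()
    return None, None


def sniff_extension(data, claimed):
    """Return '.doc', '.xls', '.docx', '.xlsx' or None from the content.
    OOXML is a ZIP whose member names tell Word (word/) from Excel (xl/);
    the OLE container needs its directory parsed to tell .doc from .xls, so
    for it the claimed extension only picks the application."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return None
        if any(n.startswith("word/") for n in members):
            return ".docx"
        if any(n.startswith("xl/") for n in members):
            return ".xlsx"
        return None
    if data.startswith(OLE_MAGIC) and claimed:
        return ".doc" if claimed.startswith(".doc") else ".xls" if claimed.startswith(".xls") else None
    return None


def restore_name(name, data):
    """The name the decrypted file should get, or None when unsure."""
    stem, claimed = split_mangled(name)
    if stem is None:
        return None
    ext = sniff_extension(data, claimed)
    return stem + ext if ext else None


def restore_plan(files):
    """{current name: new name or None} for a mapping of name -> content."""
    return {name: restore_name(name, data) for name, data in files.items()}


def _ooxml(kind):
    """Constructed minimal OOXML-shaped ZIP; only the member names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml" if kind == "docx" else "xl/workbook.xml", "<x/>")
    return buf.getvalue()


SAMPLES = {
    "Budget_cod.scr": OLE_MAGIC + b"\x00" * 504,  # constructed OLE header only
    "Sales_xslx.scr": _ooxml("xlsx"),
    "Memo" + RLO + "xcod.scr": _ooxml("docx"),   # still carries the RLO character
    "Offer_cod.doc": _ooxml("docx"),              # decrypter gave it .doc, content is OOXML
    "random.bin": b"MZ\x90\x00",                 # not an Office file at all
}

if __name__ == "__main__":
    for old, new in restore_plan(SAMPLES).items():
        print(f"{old!r} -> {new!r}")
```

On a real share, read the first few kilobytes of each file into the mapping and rename only the entries that get a non-None result; a None means the content is not a recognised Office container, which is exactly what a still-encrypted or truncated file looks like, so those need the decrypter or a backup rather than a rename.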

  33. Close cooperation between Emsisoft and SurfRight (HitmanPro) resulted in a special standalone command-line decryption tool to help organizations with the outbreak of this specific ransomware. It can be used to scan local and network drives to decrypt the documents that were affected by this trojan. The tool is available for free here: http://www.surfright.com/support/dorifel-decrypter

  34. Thanks Jeffrey, I hope something like that can be arranged so that we can quickly help our various customers.
    It is a drama of a problem…

  35. Started a scan with the extra.dat and McAfee is cleaning all files and removing the virus from the profile folders, so far so good. Good job McAfee and Medusoft

  36. Most of the guys who are responding on this forum are Dutch ;)

    I would like to see a standalone Stinger or revealer to solve this….

  37. We just received an extra.dat from McAfee and our first tests are OK!!!
    The extra.dat and more information is available on the Medusoft forum.
    (You do need to register on it to download the file)

    Link to forum:
    http://forum.medusoft.eu/showthread.php?216-Onbekende-malware-verminkt-docx-en-xlsx-en-hernoemt-ze-naar-scr

  38. You can detect infected clients with the Citadel botnet in your proxy/firewall logs communicating with the following domains:

    We are still not sure if this is the actual initial infection point (the Citadel botnet) though sharing this information could be interesting.

    POST http://windows-update-server.com/ver/ajax.php – DIRECT/184.82.162.163 text/html
    POST http://dns-reslove.name/g.php – NONE/- text/html (doesn’t resolve atm)
    POST http://wesaf341.org/g.php – DIRECT/184.82.162.163 application/octet-stream

    Below is the TCP data for the POST to g.php on wesaf341.org:

    POST /g.php HTTP/1.1

    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
    Host: wesaf341.org
    Content-Length: 122
    Connection: Keep-Alive
    Cache-Control: no-cache

    binary blah blah

    HTTP/1.1 200 OK

    Server: nginx/0.7.67
    Date: Tue, 07 Aug 2012 09:25:28 GMT
    Content-Type: application/octet-stream
    Connection: keep-alive
    X-Powered-By: PHP/5.3.3-7+squeeze13
    Cache-Control: public
    Content-Disposition: attachment; filename=”g”
    Content-Transfer-Encoding: binary
    Content-Length: 26064

    binary blah blah

    ===

    Frank

  39. Peter: just to confirm this.
    McAfee fixes / decrypts the infected Word / Excel files so they can be used again? In other words, the files are not lost?

  40. Hello,

    I’m from The Netherlands, we have also been having problems with .scr files.

    Customers have been receiving an e-mail with the subject (Dutch in this case; translated here)

    “Regarding outstanding claim from the bankruptcy estate. For the attention of the Financial administration”

    And the e-mail contains:

    Dear Sir, Madam,

    As trustee in the bankruptcy of Marketingsience BV I found a claim against your organisation. I request,
    and if necessary summon, you to check the claim below and, if it is correct, to pay the amount
    immediately. Should you dispute the claim, I would like to hear so by e-mail.

    If you do not respond before 10 August, I will instruct Metro creditmanagement B.V. to include the claim in the debt collection process.
    All direct and indirect additional costs will then be at your expense.

    View the claim against your company here. <— This was the link

    Thank you in advance for your cooperation.

    Yours sincerely,

    Mr. Anton.P.K. van Henegouwe (trustee)
    Amsterdam office
    Ouderzijdse voorburgwal 356c
    1023AC Amsterdam

    (We would appreciate it if you respond only by e-mail)

    DISCLAIMER:
    The content of this message may be confidential and is intended solely for the addressee. If this message is not intended for you,
    you are requested to forward it to the correct recipient and to report this immediately by replying to the message.

    Any misuse of our messages will be reported to the relevant authorities. (copyright Henegouwe, de Vries en de Jager advocaten en curatoren)

    — DO NOT CLICK ON ANY LINKS IN THE BELOW WEBPAGE, THEY ARE DANGEROUS.

    http://www.malwaredomainlist.com/mdl.php?search=facekurt&colsearch=All&quantity=50

    We have tried to research those files a little. It seems it is doing multiple things: it does stuff with TOR, with registry settings for IE, proxy settings, and seems to change the Java updater.

    (The link did not work on newer Java versions, but it seems to execute itself in Java 6 u 32 and older).

    It is downloading a GIF file which contains more code; it downloads several Java files as well.

    It seems to be receiving something from mytorresol.com.

    *
    I do have the actual link if the above does not work; I also have the extracted Java and GIF file.

    • That is different malware, which will save itself in \Documents and Settings\\Local Settings\Application Data\\*exe

  41. I cannot provide the download link, because it is protected. I think only users that logged a case have the credentials and may access the link.

  42. Anyone have more info about the detection with Kaspersky? Seems like all the other big guys can already detect it and McAfee can even fix this?

  43. Also saw a DNS request..

    kaspersky DNS_TYPE_A

  44. Peter, the extra.dat is only a definition and not a removal tool?

    Do you have a download link?

  45. It detects and removes it from the clients and decrypts the xls(x) and doc(x) files.

  46. Registry value changed

    CU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load REG_SZ/REG_SZ 2/92 ""/"C:\DOCUME~1\User\APPLIC~1\CFDMN4\F28YY5~1.LNK"

    Folder is created

    C:\Documents and Settings\User\Application Data\CFDMN4

    Files created

    C:\Documents and Settings\User\Application Data\CFDMN4\F28YY5.exe 151552
    C:\Documents and Settings\User\Application Data\CFDMN4\F28YY5.exe.lnk 795

    File is opened

    C:\Documents and Settings\User\Application Data\CFDMN4\F28YY5.exe

    hxxp://184.82.162.163/a.exe

    BoB / BobSoft

    Version Infos
    LegalCopyright: Copyright © 2005-2008 Inv Sofrworks LLC. All rights reserved.
    InternalName: FlexHEX
    FileVersion: 2, 6, 0, 0
    CompanyName: Inv Sofrworks LLC
    PrivateBuild:
    LegalTrademarks:
    Comments:
    ProductName: FlexHEX
    SpecialBuild:
    ProductVersion: 2, 6, 0, 0
    FileDescription: FlexHEX Editor
    OriginalFilename: FlexHex.EXE
    Translation: 0x0409 0x04b0

    Kind regards,
    Ilias el Matani

  47. Symantec has released an update just now, r18, that detects the exe. We have got an outbreak and we’ve put our storage offline. Endpoint detection didn’t detect the virus.

  48. The extra.dat is released by McAfee and is working fine in our environment.

    • @Peter, does it also clean the files or only remove infected files?
      does it also remove the malicious files that are trying to drop the virus?

  49. It seems that the virus is specifically looking for network files; local files with the .doc and .xls extension are unharmed so far.

  50. As a small workaround you can block the execution of scr files. Do this by removing the value ‘scrfile’ in the regkey ‘HKEY_CLASSES_ROOT\.scr’ (just make the value of this key blank). This way users aren’t able to run the scr file.

  51. Jelle, the netbios traffic is probably the “action” where the client wants to change the data like .doc and .xls to .scr files.

  52. Thanks Frank,

    Checked some firewall logs, and found a client that tries to connect to 184.82.162.163.
    This host also continuously broadcasts netbios traffic to the local subnet, I don’t know if this is related to this bot or the payload?

  53. At this moment my clients are offline, so testing is impossible tonight. I hope there is a great hotfix tonight which will resolve the problems.

    GFI Vipre is now working on a fix for us.

  54. Frank Fox-IT, that’s not true in all of the situations. At our customers we don’t have any http traffic from our clients to the wan.

    Kaspersky did not find the virus yet…

    • Hmm, that’s very strange; I’m sure you are 100% positive that you can see all the infected clients’ traffic, right?

      Can you see the history of that client? Maybe a.exe hosted somewhere else? Or can you share some traffic logs from that infected client?

  55. Seems the virus is downloaded while the infected client was already part of a Citadel (Zeus variant) botnet.

    The source tries to download hxxp://184.82.162.163/a.exe

    Blocking access to that IP in your firewall will prevent clients already infected with the Citadel malware from downloading the new virus for now.

    You might be able to see what clients downloaded the malicious executable from your proxy logs, they are most likely infected with the virus.

  56. Update of Kaspersky did not recognize the virus!!

  57. Seems the virus is encrypting all .doc and .xls files with RSA…

  58. The virus will be gone, you are only stuck with a lot of .scr files.
    I am really hoping they will make a tool to remove the code from the infected files. This will help out a lot.

  59. Willem,

    Are you sure that the problem is solved with manual removal?

    Arno Rommens

  60. Solution for manual removal of the virus (vendors are working on a permanent solution):

    http://www.client.nl/nieuws/43/sasfil-virus-uitbraak–handmatig-verwijderen.htm

    • I’m going to have to add something to all of this: I ran a scan on an infected PC using McAfee’s GetSusp tool.

      That tool also finds entries in the folder C:\Users\[username]\appdata\local\temp.

      On the infected PC a total of four entries were found that were described as FlexHex Editor.

      So just removing executables from appdata\roaming\xxxx would not be enough.

  61. Same problem here in the Netherlands. A few customers with the same problem.
    Our antivirus vendor GFI says it’s possible a leak in Adobe Flash 10.

  62. Can this also be done with .scr files which the files are in this case?

  63. Hi,

    It’s possible to block the executable (virus) files from starting with the Group Policy. Go to Windows Settings > Security Settings > Software Restrictions Policies > Additional Rules > New Hash Rule and browse to one of the executables. This is tested with multiple virus files.

    • This is a very good idea, but it doesn’t work. The problem is that some malware .exe’s have different hashes to work around this. (I tested this on my system)

  64. It’s not that, we have a solid backup.
    The problem is that the backup runs once a day. And one file was edited the whole day and then got changed after it was saved.

    So a bit of bad luck here.

  65. Our company is infected as well.

    What I found out so far:
    It places a registry entry here
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

    Look for Load: there the virus is called.

    Also the location of the virus is (Windows 7): C:\users\username\appdata\roaming\
    Look for the folder with weird letters and the date from yesterday or today.

    I have not found a way to fix the affected Office files; they remain .scr files, and when you rename them back Excel or Word can’t open them. If there is a solution for this I really would like to know.

    Good luck everybody.

    • Check my list of supported anti-virus vendors. These vendors have the latest detection software available against this malware.

      It seems the virus uses FlexHex software to edit the files. So if you edit out the binary part you get your normal doc back, but I didn’t try this yet!

      There are two locations according to McAfee (our AV contact) where the virus is located. Check my post for updates on these locations.

      • That explains why, when I checked the properties of the virusbinary in C:\users\[username]\appdata\roaming\Iqzya, it said ‘FlexHexEditor’ in its description.

      • Is there an easy way to remove the added data for example delete all data added on a certain date / time.

        It looks to me like it will be a difficult process to get the files back to normal? I really wish there was a tool that would do that.

        Thanks for the input at least.

        • Right now it doesn’t look like you can recover the files, but they are only working at detecting and stopping it right now, so we have to be patient I’m afraid.

          At the moment restoration from backup seems to be your only option. So take this as a lesson or reason for your IT manager to invest in a solid backup solution!
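
An added example, not from the original post or from any commenter, covering the registry persistence shown in comments 46 and 65: it reads a regedit export (.reg text) offline and flags any non-empty Load or Run value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, noting whether the target sits in a user-writable profile folder and whether it is a .lnk. The sample export is constructed: the Load path is the one posted in comment 46, the HKEY_USERS SID is a placeholder, and the assumption that these values are normally empty or absent is the check's own, not something the thread states.

```python
"""Check a regedit export for the HKCU ...\\Windows NT\\CurrentVersion\\Windows\\Load
persistence seen in this thread.  Added example, not from the original post; it works
on exported .reg text so it runs offline on any platform."""
import re

TARGET_KEY_SUFFIX = r"software\microsoft\windows nt\currentversion\windows"
WATCHED_VALUES = {"load", "run"}        # both are started at logon; assumed normally empty or absent
USER_WRITABLE = ("\\application data\\", "\\applic~1\\", "\\appdata\\", "\\local settings\\")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')   # quoted REG_SZ values only

# Constructed .reg export: the Load value uses the path posted in comment 46,
# the second key is under a placeholder SID and carries the normal (empty) value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"Load"="C:\\DOCUME~1\\User\\APPLIC~1\\CFDMN4\\F28YY5~1.LNK"

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"=""
'''


def unescape_reg_string(s):
    # regedit escapes backslash and double quote with a leading backslash.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Yield (key, value_name, value) for every quoted string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), unescape_reg_string(m.group("value"))


def find_load_persistence(text):
    """Return one finding per non-empty Load/Run value under the ...\\Windows key."""
    findings = []
    for key, name, value in parse_reg_export(text):
        if not key.lower().endswith(TARGET_KEY_SUFFIX) or name.lower() not in WATCHED_VALUES:
            continue
        if not value.strip():
            continue                                  # empty is the expected state
        low = value.lower()
        findings.append({
            "key": key,
            "value_name": name,
            "target": value,
            "user_writable": any(p in low for p in USER_WRITABLE),
            "via_shortcut": low.endswith(".lnk"),    # comment 46: Load points at a .lnk
        })
    return findings


if __name__ == "__main__":
    for f in find_load_persistence(SAMPLE_REG):
        print(f"{f['key']}\\{f['value_name']} -> {f['target']} "
              f"(user-writable={f['user_writable']}, shortcut={f['via_shortcut']})")
```

Export the key with `regedit /e` (or collect the export from each user hive under HKEY_USERS) and feed the text in; a hit whose target lives under Application Data / AppData is the pattern both comments describe, and the folder it names is where the dropped executable sits.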

  66. The company I work at was hit by this virus yesterday. Because the company uses fileshares that allow users to save documents to the network so others can reach them as well, more than 28000 files have been corrupted by this virus.

    Something to look out for!

    • Indeed it is!
      Which anti-virus product are you running?

      I try to update the list of supported anti-virus products as soon as I get the info. So check it out!

      My colleague just called McAfee and they get a lot of calls atm. Weird huh? ;-) They are working feverishly on it and say they think they have an updated DAT this afternoon (+- 16:00 GMT+1 or 10:00 EDT)

      Good luck with this malware!

