There is a new virus, dubbed XDocCrypt/Dorifel by the NCSC, wreaking havoc at this very moment. And now it seems it’s downloading a new banking trojan… Read about it below.
I think just about all major anti-virus product vendors have now released new definitions that can find and destroy this malware. Infected Microsoft Office documents are decrypted and safe* once again!
* This depends on the released definition and the vendor; not all vendors support decryption. If yours does not, see the post below for a decrypt tool.
Update 11:20 (GMT+1) We’ve uploaded the possible malware to www.virustotal.com and it seems a few vendors can detect it now. The website states the definitions are coming out as we speak. They are awake and we have lift-off…
Update 12:20 (GMT+1) According to DrWeb the virus is called “Trojan.MulDrop3.62656”. Getting closer to clean systems…
Update 13:30 (GMT+1) McAfee said on the telephone that they are getting a lot of phone calls about this malware. They are working on it right now and will probably have an updated DAT file within the next 2-6 hours. I really hope they do have it fast, but of course there are no guarantees whatsoever!
Update 14:30 (GMT+1) According to McAfee there are two locations where the virus places itself (apart from the changed .doc and .xls files). These are:
C:\Documents and Settings\xxxxxx\Application Data\xxxxx\xxxx.exe
This tool from McAfee scans the system and can find these files. Download here. Use it with caution: it flags a lot of false positives because it is a zero-day tool.
Update 16:45 (GMT+1) Angelo (in the comment below) revealed a trick via Windows Group Policies to possibly block the malware .exe files from executing.
Quote: “It’s possible to block the executable (virus) files from starting with the Group Policy. Go to Windows Settings > Security Settings > Software Restrictions Policies > Additional Rules > New Hash Rule and browse to one of the executables. This is tested with multiple virus files.”
Try it in an isolated environment (as much as possible anyway) and drop a line below with your findings!
HermeS, in the comments, noted that: “It seems that the file hash is only the same on the local computer. On a different computer it has a different hash.”
Update 18:05 (GMT+1) An excellent find by Frank from Fox-IT:
Seems the virus is downloaded while the infected client was already part of a Citadel (Zeus variant) botnet.
The source tries to download hxxp://18.104.22.168/a.exe (editor’s note: replace the x’s)
Blocking access to that IP in your firewall will prevent clients already infected with the Citadel malware from downloading the new virus, for now.
Editor edit 12:25 (GMT+1): Another IP has been detected by Fox-IT: 22.214.171.124, block this one as well!
You might be able to see from your proxy logs which clients downloaded the malicious executable; those clients are most likely infected with the virus.
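As an added example (not part of the original post or of any vendor tool), here is a small triage script for the proxy-log check described above. It reads log lines in Squid's native access.log layout, matches the destination host against the two indicators published in this post (the a.exe download host and the second IP reported by Fox-IT) and separates clients that actually fetched the payload (HTTP 200 on /a.exe) from clients whose request was denied by the proxy. The log lines, client addresses and byte counts below are constructed sample data; extend the indicator sets with whatever your own sources report.

```python
from urllib.parse import urlsplit

# Indicators taken from the updates above: the host in the a.exe download
# URL and the second IP reported by Fox-IT. Extend as new ones are published.
INDICATOR_HOSTS = {"18.104.22.168", "22.214.171.124"}
INDICATOR_PATHS = {"/a.exe"}

# Constructed sample lines in Squid native access.log format:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1344419400.123    210 10.0.0.15 TCP_MISS/200 163840 GET http://18.104.22.168/a.exe - DIRECT/18.104.22.168 application/octet-stream
1344419401.456     45 10.0.0.22 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1344419430.789    120 10.0.0.31 TCP_MISS/200 163840 GET http://22.214.171.124/a.exe - DIRECT/22.214.171.124 application/octet-stream
1344419500.001     30 10.0.0.15 TCP_MISS/404 420 GET http://18.104.22.168/update.bin - DIRECT/18.104.22.168 text/html
1344419600.002     50 10.0.0.40 TCP_DENIED/403 0 GET http://22.214.171.124/a.exe - NONE/- text/html
"""


def parse_line(line):
    """Split one Squid-style line into the fields we need; None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {
        "time": float(fields[0]),
        "client": fields[2],
        "status": fields[3],   # e.g. TCP_MISS/200 or TCP_DENIED/403
        "method": fields[5],
        "url": fields[6],
    }


def triage(log_text):
    """Return {client: {"contacts": n, "downloaded": bool, "blocked": bool}}
    for every client that talked to an indicator host."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        host = (parts.hostname or "").lower()
        if host not in INDICATOR_HOSTS:
            continue
        entry = report.setdefault(
            rec["client"], {"contacts": 0, "downloaded": False, "blocked": False}
        )
        entry["contacts"] += 1
        code, _, http_status = rec["status"].partition("/")
        if code.startswith("TCP_DENIED"):
            # The proxy refused the request: contact attempted, payload not served.
            entry["blocked"] = True
        elif http_status == "200" and parts.path in INDICATOR_PATHS:
            # A successful fetch of the dropper itself: treat as infected.
            entry["downloaded"] = True
    return report


def likely_infected(report):
    """Clients that successfully pulled the payload, sorted for reporting."""
    return sorted(c for c, e in report.items() if e["downloaded"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for client, entry in sorted(result.items()):
        print(client, entry)
    print("likely infected:", likely_infected(result))
```

Only a 200 response for the dropper path is counted as a download; a client that merely contacted the indicator host (or was denied by the proxy) still shows up in the report, because it is worth a look for the Citadel infection that triggered the request in the first place.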
Update 09:10 (GMT+1) Surfright has released a tool that decrypts files encrypted by the malware. Click here to go to their site. Please note that this tool does NOT remove the virus/trojan itself! (Thanks to Mark from Surfright in the comments.)
Update 21:00 (GMT+1) The Dutch tech-news site Tweakers.net reports, in an interview with a spokesperson from the NCSC, that it looks like this is an attack with ties to the criminal world.
Update 09:15 (GMT+1) Anti-virus product vendors that are detecting the malware at this moment. This list is updated whenever I get information about their updated definitions.
List now in alphabetical order for easy searching.
- AhnLab-V3 (Dropper/Win32.Dorifel)
- AntiVir (TR/Rogue.kdv.691754.7)
- Avast (Win32:Trojan-gen)
- AVG (SHeur4.ALGO)
- BitDefender (Trojan.Generic.KDV.691754)
- ByteHero (Trojan-Downloader.Win32.DlfBfkg.ln)
- DrWeb (Trojan.MulDrop3.62566)
- Emsisoft (Trojan-Dropper.Win32.Dorifel!IK)
- ESET-NOD32 (Win32/Delf.NBG)
- Fortinet (W32/Delf.NBG)
- F-Secure (Trojan.Generic.KDV.691754)
- GData (Trojan.Generic.KDV.691754)
- GFI Vipre (Works for removal and cleaning, but renames .docx and .xlsx to .doc and .xls. They are working on that issue. Reported by Arno Rommens in the comment below.)
- Ikarus (Trojan.SuspectCRC)
- Kaspersky (reported by Johan below in the comments NOT to work, but is updated 09-aug-2012 so try again!!) (Trojan-Dropper.Win32.Dorifel.hau)
- McAfee (W32/XDocCrypt.a) (new definition updates are out, try to autoupdate!)
- Microsoft (Virus:Win32/Quervar.B)
- Norman (W32/BadBreak.A)
- nProtect (Trojan.Generic.KDV.691754)
- PCTools (Trojan.Exprez)
- Sophos (Mal/Behav-104)
- Symantec (Backdoor.Trojan)
- TrendMicro (PE_QUERVAR.B) (as of 6:29 PM PST, they clean infected Office documents as well.)
- TrendMicro-Housecall (TROJ_GEN.R47H1H8)
- VIPRE (Backdoor.Generic (fs))
- ViRobot (Backdoor.A.Dorifel.173080.A)
Update 11:00 (GMT+1) A lot of sources now tell us that .exe files are being infected as well. It was reported before, but now it is confirmed. Besides this news, it is becoming clearer that this XDocCrypt/Dorifel malware has been delivered by an already present banking trojan called Citadel from the Zeus/Zbot botnet. Some even say this virus was dropped so the creators can brag about their invisibility. Is this a new hacker war? If so, interesting times ahead…
As a side-note, Fox-IT has a good technical information blog about this attack, here.
Update 12:40 (GMT+1) It seems (Dutch) the malware is now downloading a new banking trojan in addition to the one that encrypts the Office documents. This one, called Hermes, is said to be undetectable at the moment by all major anti-virus vendors. This malware is supposed to gather banking information and even has code for DDoS attacks and remote shell access. This one seems even worse, but luckily everyone is on their toes at the moment.
Update 13:10 (GMT+1) Digital Investigations discovered (Dutch) disturbing new facts about this malware! They have picked apart the malware and discovered that the goal is to distribute phishing banking websites for the ING bank, ABN AMRO & the SNS bank.
As per the above discovery, it is imperative that IP address 126.96.36.199 and the DNS host “bank-auth.org” are blocked!
Also there are rumors going around that this virus is temporarily terminating itself when someone tries to view all active processes. This, however, is unverified.
Update 14:05 (GMT+1) Add IP address 188.8.131.52 to the list! Digital Investigations has seen even more horrific data as they go on. 549 Bank accounts from Dutch citizens have been compromised and this data has been shared with their respective banks. It seems this attack is far from over, but the Dutch digital specialists are all over it.
Update 09:30 (GMT+1) No real update at the moment. Kaspersky has an informational blog post about the scamware and the numbers of infected computers in different countries. Most websites report that the virus has been halted. Since there is no news about Hermes or other new malware that is probably being distributed, it looks a bit calm at the moment. The question now is: is it the calm before the storm, or is the malware dying slowly?
Update 13:10 (GMT+1) I just found out McAfee updated its free malware scanner, Stinger, to include XdocCrypt/Dorifel! Download here. This is a very easy-to-use Windows application that scans the C: drive, memory, registry etc. for the most annoying and common malware. To use it, download the application, run it and press ‘Scan Now’. What could be simpler? If you have USB drives I recommend you add those drive letters via the ‘Add’ button when they are plugged in.
Update 15:55 (GMT+1) You can’t trust anyone these days anymore… Scammers are calling companies and other institutions claiming to be from Microsoft’s helpdesk and calling to help with the virus. They ask if you would like to buy overpriced anti-virus software and even dare to ask for credit card data. Well, if you hadn’t thought of this already: DON’T DO THIS.
A company that provides IT services to another company first received a few calls from concerned users who couldn’t open their Microsoft Office Word and Excel documents anymore. The company called different anti-virus vendors, who all said a lot of calls were coming in with the details described below, but they didn’t have a solution yet!
As of 8-8-2012 (08 August 2012) reports are coming in that an unnamed Belgian hospital has gone digitally dark due to this virus. (unverified source)
As of 9-8-2012 (09 August 2012) the Dutch news website nu.nl reported here that the cities of Borsele, Weert, Venlo and Den Bosch have been hit by the virus. This, of course, excludes all companies and other government organizations that do publicly state they are hit. Added victims are: Venlo, Tilburg & Almere. This malware seems to be spreading faster than updated definitions are given out…
Other (Dutch) news sites report many, many more victims of this virus. Now the cities of Tilburg, Almere, Nieuwegein & Buren are infected. Even the province of Noord-Holland, power grid manager Westland Infra and even the National Institute for Public Health and the Environment (RIVM) are hit.
And as of 10-8-2012 (10 August 2012) the Dutch news site nos.nl writes that even the Dutch government ministry OCW (Dutch Ministry of Education, Culture and Science) has been hit. Luckily a lot of anti-virus vendors already have new definitions and they got the outbreak under control in no time. They are still working, however, on cleaning the infected files.
After checking and double-checking the files, they turned out to be .scr files. The thing is, Windows lets you see a file named filenamercs.doc. When viewed in a DOS box its name really is filename?cod.scr. Long story short, the real extension and the fake one are displayed in reverse. This is known as the RTLO unicode hole: it abuses the standard Unicode “right-to-left override” character, which is used in Arabic and Hebrew text.
We call this hole not a bug, but a feature.
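To make the right-to-left override trick concrete, here is an added example (my own code, not from the original post or from any vendor) that models what the paragraph above describes: a raw file name containing the U+202E override character, the way a bidi-aware file browser renders it, and the extension the operating system actually uses. The renderer is deliberately simplified (a single override and no terminating control, which is exactly the pattern described here); the sample names are constructed. The same check can be run over a directory listing to flag names that carry any Unicode bidirectional control character.

```python
import os
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character the post calls the "RTLO hole"

# Bidi classes of the Unicode explicit formatting characters; none of them
# belong in a legitimate file name.
BIDI_CONTROL_CLASSES = {"RLO", "LRO", "RLE", "LRE", "PDF", "RLI", "LRI", "FSI", "PDI"}


def has_bidi_control(name):
    """True if the name contains any explicit bidirectional formatting character."""
    return any(unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES for ch in name)


def rendered_name(name):
    """Approximate how Explorer shows a name with one RLO: the text after the
    override is drawn right-to-left, i.e. visually reversed (simplified model)."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def _extension(text):
    dot = text.rfind(".")
    return text[dot:].lower() if dot != -1 else ""


def real_extension(name):
    """Extension the OS uses: last dot of the raw string, controls stripped."""
    clean = "".join(ch for ch in name if not has_bidi_control(ch))
    return _extension(clean)


def displayed_extension(name):
    """Extension a user believes they see in the rendered name."""
    return _extension(rendered_name(name))


def is_suspicious(name):
    """Flag names whose visible extension differs from the real one because of
    a bidi control character."""
    return has_bidi_control(name) and real_extension(name) != displayed_extension(name)


def scan_names(names):
    """Return (raw, rendered, real extension) for every suspicious name."""
    return [(n, rendered_name(n), real_extension(n)) for n in names if is_suspicious(n)]


def scan_directory(path):
    """Same check over a real directory (helper for use on a suspect share)."""
    return scan_names(os.listdir(path))


if __name__ == "__main__":
    # Constructed samples: one RLO-disguised screensaver, one honest document.
    samples = ["filename" + RLO + "cod.scr", "report.docx"]
    for raw, shown, ext in scan_names(samples):
        print(repr(raw), "is shown as", shown, "but really has extension", ext)
```

The raw name `filename\u202ecod.scr` renders as `filenamercs.doc`, matching the post's description, while the real extension stays `.scr`. Because the check keys on the control character rather than on a particular extension pair, it also catches variants that disguise other executable types.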
The goal of the malware may be to blackmail companies and cities to release the encrypted (read: hijacked) Microsoft Office documents. So far there aren’t known examples of actual blackmail going on.
It shares similarities with known malware (trojans to be exact) called:
Almost all major anti-virus vendors can detect this malware now, and most of them (unverified) can clean the encrypted Microsoft Office documents as well. Unfortunately a small number of computers seem to have gotten a new banking trojan called Hermes. And this one can’t be detected yet either… What is the digital world coming to?
As always, more information will be added when I get it. See the updated header!