I'm sure everyone has heard by now about the so-called XDocCrypt/Dorifel/Quervar malware.
It has mostly damaged machines in The Netherlands, but reports have come in from other countries (including the United States) as well. I myself saw this infection on 08/08/2012, and my initial thought was: ransomware. However, there isn't any message displayed, so it's either a failed ransomware attempt or the malware simply wants to annoy users.
This virus infects Office files, reverses the extension and adds “.scr” behind it. This is also known as the RTLO (right-to-left override) Unicode hole, which makes it easy to hide the original file extensions. (I remember a blog post from not too long ago about this hole targeting users of the Arabic language; let me know if you find it.) Renaming does not solve the issue: you still cannot open the documents.
Office files affected by the malware
As depicted in the figure above, Word and Excel files have their extension reversed, so the files now appear to be .scr files, which is the format for a screensaver. The .jpg file is not affected in any way.
The files are encrypted with RC4, which is a very common encryption algorithm in cryptography. SurfRight has developed a tool to decrypt (and recover) your files:
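As an added example (not part of the original post and not code from any vendor tool), the following Python script flags filenames that contain Unicode bidirectional control characters such as U+202E and reports the real extension next to an approximation of what a file manager displays. The sample names and the list of executable extensions are constructed assumptions.

```python
import os
import sys

# Unicode bidirectional controls that can reorder how a filename is displayed.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
# Assumed watch list of extensions Windows runs directly; extend as needed.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}


def approx_display(name):
    """Approximate the rendered name: text after the first RLO is reversed.
    Simplification of the Unicode bidi algorithm, valid for single-RLO names."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name


def inspect_name(name):
    """Return a finding dict if the name contains bidi controls, else None."""
    found = sorted({BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS})
    if not found:
        return None
    real_ext = os.path.splitext(name)[1].lower()
    shown = approx_display(name)
    return {"controls": found, "real_ext": real_ext, "shown_as": shown,
            "shown_ext": os.path.splitext(shown)[1].lower(),
            "executable": real_ext in EXECUTABLE_EXTS}


def scan(root):
    """Walk a directory tree and yield (path, finding) for suspicious names."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            finding = inspect_name(fname)
            if finding:
                yield os.path.join(dirpath, fname), finding


if __name__ == "__main__":
    # Constructed sample names, not taken from real Dorifel samples.
    for s in ["Invoice\u202ecod.scr", "Budget\u202exslx.scr", "holiday.jpg"]:
        print(repr(s), "->", inspect_name(s))
    for path, f in (scan(sys.argv[1]) if len(sys.argv) > 1 else []):
        print(repr(path), f)
```

Run it with a directory path as the only argument to sweep a share or user profile; any hit where `executable` is true and `shown_ext` differs from `real_ext` deserves a closer look.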
The malware has probably been downloaded by the Citadel or Zeus (aka Zbot) malware.
Let's take a look at a few Dorifel samples:
The malware tries to connect to one of the following IP addresses:
126.96.36.199 - IPvoid result
188.8.131.52 - IPvoid result
Where it will attempt to download the following file:
I haven't taken an in-depth look at it, but besides encrypting your Office files, I have seen that the malware will kill itself when you open up Task Manager. I'm not sure what the point is there. It also doesn't seem to start up again automatically.
It does create a .lnk file pointing to the dropped malware and sets that as an autorun entry, so it will start every time the machine starts.
The infection vector (how it spreads) is via phishing or spam email, so as usual:
- Don't open attachments from unknown senders - ever.
- Some antivirus products already detected Dorifel generically, so update your antivirus.
- If you're on a corporate network, use a strong spam filter. It will prevent a lot of trouble if correctly configured.
- Educate your users: raise general awareness. Not even a spam filter stops 100% of all spam; there's always a chance something slips through.
Thanks to @erikremmelzwaal from Medusoft for most of the samples.