Trojan.Encoder.398

Added to the Dr.Web virus database: 2014-01-15

Virus description added:

A file-encrypting ransomware written in Delphi. It appears to be a modification of Trojan.Encoder.225. The malware receives its encryption keys from a remote server.

Once launched for the first time, Trojan.Encoder.398 copies itself under the name ID.exe (where ID is the hard drive serial number) into the %APPDATA%\ID\ folder. It then displays a message informing the user that the archive is damaged, runs its copy from the C:\ directory, and terminates the original file.

The Trojan’s copy looks for the %APPDATA%\ID directory, obtains the hard disk serial number and sends it to the server using the InternetOpenUrlA function. In reply, the Trojan receives an XML configuration file containing the following encryption parameters: the cybercriminals’ email address, the encryption key, the encryption algorithm number, and part of the file name extension of encrypted files (the ext parameter).

Once these variables are initialized, file encryption begins. Only files on fixed drives (DRIVE_FIXED) are encrypted. The Trojan does not encrypt files in the following directories:

$RECYCLE.BIN, Windows, Program Files (x86), Program Files, Games, ProgramData, UpdatusUser, AppData, Application Data, Cookies, Local Settings, NetHood, PrintHood, Recent, SendTo, Main Menu (“Главное меню”), Searches (“Поиски”), Links (“Ссылки”), System Volume Information, Recovery, NVIDIA, Intel, DrWeb Quarantine, Config.Msi, All Users, All Users (“Все пользователи”).

The malware saves a file named “HOW_TO_DECRYPT_YOUR_FILES.txt” (“КАК_PАЗБЛOКИРOВАТЬ_ВАШИ_ФAЙЛЫ.txt”) with the following contents in every directory:

All files on your computer have been encrypted with a crypto-secure algorithm.

To decrypt the files, you must have a decryptor and a unique password.

You can purchase the decryptor within the next 7 days. If you do not make the purchase during the specified period, the decryption password will be deleted from the base and decryption will be impossible.

To purchase the decryptor, send a message to mrcrtools@aol.com.

If you want to make sure that we have the decryptor, attach any encrypted file (except for databases) to your message and we will send you its decrypted version.

The decryptor costs 5,000 rubles. We will inform you regarding payment methods in the reply to your message.

Contact email address—mrcrtools@aol.com

The Trojan can encrypt files with the following extensions:

ak|.BAK|.rtf|.RTF|.pdf|.PDF|.mdb|.MDB|.b2|.B2|.mdf|.MDF|.accdb|.ACCDB|.eap|.EAP|.swf|.SWF|
.svg|.SVG|.odt|.ODT|.ppt|.PPT|.pptx|.PPTX|.xps|.XPS|.xls|.XLS|.cvs|.CVS|.dmg|.DMG|.dwg|.DWG|
.md|.MD|.elf|.ELF|.1CD|.1cd|.DBF|.dbf|.jpg|.JPG|.jpeg|.JPEG|.psd|.PSD|.rtf|.RTF|.MD|.dt|.DT|
.cf|.CF|.max|.MAX|.dxf|.DXF|.dwg|.DWG|.dds|.DDS|.3ds|.3DS|.ai|.AI|.cdr|.CDR|.svg|.SVG|
.txt|.TXT|.csv|.CSV|.7z|.7Z|.tar|.TAR|.gz|.GZ|.bakup|.BAKUP|.djvu|.DJVU|

The malware can use the following encryption algorithms (in the following order):

  1. DES
  2. RC2
  3. RC4
  4. RC5
  5. RC6
  6. 3DES
  7. Blowfish
  8. AES (Rijndael)
  9. ГОСТ 28147-89
  10. IDEA
  11. Tea
  12. CAST-128
  13. CAST-256
  14. ICE
  15. Twofish
  16. Serpent
  17. MARS
  18. MISTY1

The encryption routine is selected based on the parameter specified in the configuration file.

Once the first encryption cycle is complete, the Trojan initiates the second cycle to encrypt 1C databases from Program Files and Program Files (x86).

Files with the following extensions can be encrypted:

|.dbf|.DBF|.1cd|.1CD|.dt|.DT|.md|.MD|.dds|.DDS|

The Trojan has different modifications. Some of them look as follows:

  1. Using back_files@aol.com

    The malware saves the file with the following message to the hard drive:

    All files on your computer have been encrypted.
    To decrypt the files, you must purchase a decryptor and a unique password.
    You can purchase the decryptor for 5,000 rubles by sending a message to back_files@aol.com.
    If you want to make sure that we have the decryptor, attach any encrypted file (except for databases) to your message and we will send you its original version.

  2. Using backyourfile@aol.com

    Once launched for the first time, the Trojan adds the following parameters to the Software\ENCRYPTOR registry key:

    • files—path to the text file containing the list of all encrypted files,
    • hid—hard drive serial number,
    • inst—setup flag (true/false),
    • mg—path to the HTML file containing cybercriminals’ demands,
    • p—path to the encoder’s executable file,
    • w—path to the image with cybercriminals’ demands.

    Then it places an HTML file with the following contents in the startup folder:

    All files on your computer have been encrypted with a crypto-secure algorithm.
    It is impossible to decrypt the files without a unique password!
    Any attempt to decrypt a file without the password will lead to its permanent damage!
    The decryptor costs 5,000 rubles.
    You can purchase the decryptor and the password by sending a message to
    backyourfiles@aol.com.
    If you want to make sure that we can decrypt your files, attach any encrypted file to your message and we will decrypt it.

    The Trojan sets the following image as a desktop background:

    Files with the following extensions can be encrypted:

    *.odt,*.ods,*.odp,*.odb,*.doc,*.docx,*.docm,*.wps,*.xls,*.xlsx,*.xlsm,*.xlsb,*.xlk,*.ppt,*.pptx,*.pptm,
    *.mdb,*.accdb,*.pst,*.dwg,*.dxf,*.dxg,*.wpd,*.rtf,*.wb2,*.mdf,*.dbf,*.psd,*.pdd,*.eps,*.ai,*.indd,*.cdr,
    *.jpg,*.jpeg,*.arw,*.dng,*.3fr,*.srf,*.sr2,*.bay,*.crw,*.cr2,*.dcr,*.kdc,*.erf,*.mef,*.mrw,*.nef,*.nrw,*.orf,
    *.raf,*.raw,*.rwl,*.rw2,*.r3d,*.ptx,*.pef,*.srw,*.x3f,*.der,*.cer,*.crt,*.pem,*.p12,*.p7b,
    *.pdf,*.p7c,*.pfx,*.odc,*.rar,*.zip,*.7z,*.png,*.backup,*.tar,*.eml,*.1cd,*.dt,*.md,*.dds

    The malware can use the following encryption algorithms (in the following order):

    1. Blowfish
    2. CAST-128
    3. CAST-256
    4. DES
    5. ГОСТ 28147-89
    6. ICE
    7. IDEA
    8. MARS
    9. MISTY1
    10. 3DES
    11. RC4
    12. RC5
    13. RC6
    14. AES (Rijndael)
    15. Serpent
    16. TEA
    17. Twofish
    18. RC2

  3. Using vernut2014@qq.com

    Once the Trojan is launched, the “File is damaged” message is displayed on the screen. The malware creates the HKCU\Software\LIMITED key in the Windows system registry and saves the following parameters there:

    • pth—path to the Trojan’s executable file,
    • installd (possible value—true),
    • wall—path to the image displaying cybercriminals’ demands,
    • msge—path to the HTML file containing cybercriminals’ demands (this path is also saved to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run branch),
    • files—path to the text file containing cybercriminals’ demands,
    • huid—infected computer ID.

    Then the Trojan saves files with random names to subfolders of the %APPDATA% directory, whose names are also assigned randomly.

  4. Using yourfiles2014@yahoo.com

    The Trojan places an HTML file with the following contents in the startup folder:

    All files on your computer have been encrypted with a crypto-secure algorithm!!!
    It is impossible to decrypt the files without a unique password!
    Any attempt to decrypt a file without the password will lead to its permanent damage!
    The decryptor costs 5,000 rubles.
    You can purchase the decryptor and the password by sending a message to
    yourfiles2014@yahoo.com.
    If you want to make sure that we can decrypt your files, attach any encrypted file to your message and we will send you its original copy.

    The Trojan sets the following image as a desktop background:

  5. Using restorefiles2014@yahoo.fr

    The Trojan places an HTML file with the following contents in the startup folder:

    All files on your computer have been encrypted with a crypto-secure algorithm. It is impossible to decrypt the files without a unique password and not knowing the encryption type!
    Any attempt to change a file name, file structure, or decrypt a file using decryptors available on the Internet will lead to its permanent damage.
    The decryptor costs 5,000 rubles.
    You can purchase the decryptor and the password by sending a message to
    restorefiles2014@yahoo.fr.
    If you want to make sure that we have the decryptor, attach any encrypted file to your message and we will send you its original version.

    The Trojan sets the following image as a desktop background:

  6. Using filescrypt2014@foxmail.com

Currently, data encrypted by any Trojan belonging to the Trojan.Encoder.398 family can be fully recovered, with a success probability of 90 per cent.
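As an added example (not Dr.Web's own tooling), the following Python helper checks artifacts collected from a host against the indicators this description gives: the ransom note file names, the %APPDATA%\ID\ID.exe self-copy layout, the value names written under Software\ENCRYPTOR and Software\LIMITED, and a Run entry that points at an HTML demand file. The registry and path samples are constructed; the page does not state the hive of Software\ENCRYPTOR, so keys are matched by suffix.

```python
from pathlib import PureWindowsPath

# Ransom note names quoted in the description (Russian name copied as given there).
RANSOM_NOTES = {"HOW_TO_DECRYPT_YOUR_FILES.txt", "КАК_PАЗБЛOКИРOВАТЬ_ВАШИ_ФAЙЛЫ.txt"}

# Registry keys (matched by suffix, so the hive may be omitted) and the value
# names the respective modification is described as writing under them.
REGISTRY_MARKERS = {
    r"software\encryptor": {"files", "hid", "inst", "mg", "p", "w"},
    r"software\limited": {"pth", "installd", "wall", "msge", "files", "huid"},
}

def is_self_copy_path(path: str) -> bool:
    """True for the %APPDATA%\\<ID>\\<ID>.exe layout: an .exe somewhere under
    AppData whose parent directory is named like the executable's stem."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".exe":
        return False
    under_appdata = any(part.lower() == "appdata" for part in p.parts)
    return under_appdata and p.stem.lower() == p.parent.name.lower()

def triage(registry: dict, file_paths: list, run_values: dict) -> list:
    """Return one finding string per indicator from this page seen in the input."""
    findings = []
    for key, values in registry.items():
        for suffix, expected in REGISTRY_MARKERS.items():
            seen = expected & {v.lower() for v in values}
            if key.lower().endswith(suffix) and seen:
                findings.append(f"registry marker {key}: {sorted(seen)}")
    for path in file_paths:
        if PureWindowsPath(path).name in RANSOM_NOTES:
            findings.append(f"ransom note: {path}")
        elif is_self_copy_path(path):
            findings.append(f"possible self-copy: {path}")
    # The vernut2014 modification also saves its HTML demand path under the Run
    # branch, so a Run value pointing at an .htm/.html file is worth a look.
    for name, cmd in run_values.items():
        if cmd.strip('"').lower().endswith((".htm", ".html")):
            findings.append(f"Run value {name} points at an HTML file: {cmd}")
    return findings

# Constructed sample data, not taken from a real infection.
SAMPLE_REGISTRY = {r"HKCU\Software\LIMITED": {"pth": r"C:\x\y.exe", "installd": "true", "huid": "1"}}
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\HOW_TO_DECRYPT_YOUR_FILES.txt",
    r"C:\Users\alice\AppData\Roaming\A1B2C3D4\A1B2C3D4.exe",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_RUN = {"msge": r"C:\Users\alice\AppData\Roaming\q\demands.html"}
```

Calling `triage(SAMPLE_REGISTRY, SAMPLE_PATHS, SAMPLE_RUN)` on the constructed sample yields four findings: the LIMITED registry marker, the ransom note, the self-copy path and the HTML Run entry; the legitimate notepad.exe produces none.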

Treatment recommendations

  1. If the operating system can be booted (in normal or safe mode), download Dr.Web Security Space and run a full scan of your computer and of all removable media you use. Learn more about Dr.Web Security Space.
  2. If the operating system cannot be booted, change your computer's BIOS settings so that it boots from CD/DVD or a USB flash drive. Download the Dr.Web® LiveDisk system recovery disk image or the utility for writing Dr.Web® LiveDisk to a USB flash drive, then prepare the appropriate USB drive. Boot the computer from this drive and run a full scan and cure the detected threats.

Please run a full system scan using Dr.Web Antivirus for Mac OS.

Please run a full scan of all disk partitions using Dr.Web Antivirus for Linux.

  1. If your mobile device is operating normally, download and install Dr.Web for Android on it. Run a full scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), proceed as follows:
    • boot your smartphone or tablet in safe mode (if you do not know how, consult the mobile device's documentation or contact the manufacturer);
    • then download and install Dr.Web for Android on your mobile device, run a full scan and follow the recommendations for neutralizing the detected threats;
    • Unplug your device and plug it back in.

Learn more about Dr.Web for Android