A ransomware Trojan that encrypts files on personal computers demanding a ransom for their decryption. It is written in Delphi and compressed with Armadillo. This program has been distributed since August 7, 2014. It employs the AES 128 encryption algorithm. The Trojan takes the first 16 bytes received from the server as a key. Then it sends the remote server a POST request that looks as follows: number=128&id=1234567890&pc=SUPERCOMPfirstname.lastname@example.org. In the reply, the malware receives text data.
Trojan.Encoder.741 has several modifications. The first modification appends encrypted files with the *.email@example.com extension; the second one, with the *.firstname.lastname@example.org extension (value that follows id is a random number different for every computer).