«Doctor Web» company news

Trojan.Encoder encrypts, Doctor Web decrypts

January 27, 2006

Over the last 24 hours, several cases of a particular infection have been reported to the virus monitoring service of Doctor Web, Ltd. The files of these users turned out to be encrypted by an unknown virus. In addition, all of them found numerous readme.txt files on their hard drives, in which a blackmailer gave his victims his contact details.

"Some files are coded by RSA method.
To buy decoder mail: ********34@rambler.ru 
with subject:  RSA 5 68243170728578411"

These systems were hit by a new Trojan horse, which the Dr.Web Anti-virus engine detects as Trojan.Encoder (added to the virus base on January 26, 2006). The Trojan arrives on users' computers via e-mail and sets the registry key

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
services = Filename.exe

The Trojan activates itself using a vulnerability in the operating system. Once it has settled on the victim's computer, the program searches for files with the following extensions

"rtf", "txt", "pdf", "csv", "frm", "css", "xls",
"mdb", "dbf", "dbt", "db", "safe", "flb", "pst", "pwl", "pwa", "pak", "rar",
"zip", "arj", "gz", "tar", "sar", "htm", "html", "cgi", "pl", "kwm", "pwm",
"cdr", "dbx", "mmf", "tbb", "xml ", "frt", "frx", "gtd", "rmr", "chm", "mo",
"man", "c", "cpp", "h", "pgp", "gzip", "lst", "pfx", "p12", "db1", "db2",
"cnt", "sig", "css", "arh", "pem", "key", "prf", "old", "rnd", "prx"

and encrypts them using the RSA algorithm.
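
A host triage check for the two indicators described above, the Run value named "services" and the readme.txt ransom notes. This is an added example, not Doctor Web's code: the function names are hypothetical, the registry input is assumed to be the text printed by `reg query` for the HKCU Run key, and the sample data is constructed.

```python
import os
import re

# Indicators quoted in the advisory above.
NOTE_NAME = "readme.txt"
NOTE_MARKER = "some files are coded by rsa method"
RUN_VALUE = "services"

# Constructed sample of `reg query` output for the HKCU Run key.
SAMPLE_REG_QUERY = (
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe\n"
    "    services    REG_SZ    Filename.exe\n"
)

def suspicious_run_values(reg_query_text):
    """Return (name, data) for every Run value named 'services'."""
    hits = []
    for line in reg_query_text.splitlines():
        # Value lines are indented: "    name    REG_SZ    data"
        m = re.match(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$", line)
        if m and m.group(1).lower() == RUN_VALUE:
            hits.append((m.group(1), m.group(3).strip()))
    return hits

def find_ransom_notes(root):
    """Return sorted paths of readme.txt files that contain the note text."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != NOTE_NAME:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    head = fh.read(4096)  # the note is short; cap the read
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            if NOTE_MARKER in head.lower():
                found.append(path)
    return sorted(found)

if __name__ == "__main__":
    print("Run key hits:", suspicious_run_values(SAMPLE_REG_QUERY))
    print("Ransom notes:", find_ransom_notes(os.getcwd()))
```

A hit on the Run value alone is a lead for review, since only the value name is matched; the note text is the stronger indicator.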

When the first incident was reported, the virus analysts of Doctor Web, Ltd. promptly developed a decoder that fully restores the files damaged by the Trojan. We invite all users affected by this infection to contact the customer support service of Doctor Web, Ltd., and we will help you free of charge!

Download the free utility for decoding your corrupted files. The command-line format for this utility is as follows:

te_decrypt.exe the_file_to_decrypt



