Friday, August 10, 2012

A word on XDocCrypt/Dorifel/Quervar

I'm sure everyone has heard by now about the so called XDocCrypt/Dorifel/Quervar malware.

It has mostly damaged machines in the Netherlands, but reports have come in from other countries (including the United States) as well. I myself saw this infection on 08/08/2012; my initial thought was: ransomware. However, no message is displayed, so it's either a failed ransomware attempt or the malware simply wants to annoy users.

This virus infects Office files, reverses the extension and appends “.scr” to the name. This is the right-to-left override (RTLO) Unicode trick: a U+202E control character placed in the file name makes the shell render everything after it right-to-left, so the real extension is hidden from the user. I remember a blog post from not too long ago about this trick being used against users of the Arabic language; let me know if you find it. Renaming the files back does not solve the issue: the content itself is encrypted, so you still cannot open the documents.



Figure: Office files affected by the malware


As depicted in the figure above, the Word and Excel files have their extension reversed and now appear to be .scr files. .scr is the extension for Windows screensavers, which are ordinary executables: double-clicking such a file runs it as a program instead of opening it as a document. The .jpg file is not affected in any way.
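To make the renaming concrete, here is an added example (not code from the original post) that builds the kind of name the malware produces, shows what a bidi-aware shell displays, and flags such names during triage. The file names in it are constructed for the demo, and the rendering is an approximation of the Unicode bidi algorithm (everything after the override is reversed), not a call into Explorer.

```python
# Added example, not code from the original post: how the right-to-left override
# (RLO, U+202E) hides a ".scr" executable behind an Office-looking name, and a
# triage check that flags such names. The file names are constructed for the demo.

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it is rendered reversed
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd"}  # .scr is a plain PE executable


def disguise(name: str, real_ext: str = "scr") -> str:
    """Build the kind of name the malware produces: 'report.doc' ->
    'report' + RLO + 'cod.scr'. The OS sees a .scr file; a bidi-aware
    shell shows it as 'reportrcs.doc'."""
    stem, _, ext = name.rpartition(".")
    return f"{stem}{RLO}{ext[::-1]}.{real_ext}"


def rendered(name: str) -> str:
    """Approximate what Explorer displays: everything after the RLO is reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def true_extension(name: str) -> str:
    """The extension Windows actually dispatches on: after the last '.',
    ignoring bidi control characters."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rpartition(".")[2].lower()


def is_suspicious(name: str) -> bool:
    """Flag names carrying bidi controls or whose real extension is executable."""
    has_bidi = any(c in BIDI_CONTROLS for c in name)
    return has_bidi or true_extension(name) in EXECUTABLE_EXTS


def triage(names):
    """Return (raw name, displayed name, real extension) for every suspicious entry."""
    return [(n, rendered(n), true_extension(n)) for n in names if is_suspicious(n)]


if __name__ == "__main__":
    # Constructed listing: two renamed documents and an untouched picture.
    listing = [disguise("report.doc"), disguise("budget.xls"), "photo.jpg"]
    for name, shown, ext in triage(listing):
        print(f"shown as {shown!r:22} real extension .{ext}  raw {name!r}")
```

The check on bidi control characters is the useful part for a mail gateway or file-share scan: legitimate file names almost never contain U+202E, so its presence alone is a strong signal regardless of which extension is being hidden.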

The files are encrypted with RC4, a widely used stream cipher. SurfRight has developed a tool to decrypt (and recover) your files:
Dorifel decrypter
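Because RC4 is a stream cipher, decryption is the same operation as encryption, and the fixed header of a legacy .doc/.xls file gives you known plaintext to test a key against before touching the rest of the file. The following is an added example (not the SurfRight decrypter and not the malware's own code) showing both points on a constructed document; the key "example-key" is an assumption, the real key is not given on this page.

```python
# Added example, not the SurfRight decrypter and not the malware's own code:
# RC4 as a stream cipher, a round trip over a constructed .doc-like blob, and
# a known-plaintext check on the OLE2 header that verifies a candidate key.
# The key "example-key" is an assumption; the real key is not given here.
from itertools import islice
from typing import Optional


def rc4_keystream(key: bytes):
    """Generate RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Every legacy .doc/.xls starts with the Compound File Binary magic.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def keystream_prefix(ciphertext: bytes, known: bytes = OLE2_MAGIC) -> bytes:
    """Known plaintext: ciphertext XOR known header = the first keystream bytes."""
    return bytes(c ^ p for c, p in zip(ciphertext, known))


def key_matches(candidate: bytes, ciphertext: bytes) -> bool:
    """Check a candidate key against the header alone, before decrypting the whole file."""
    n = len(OLE2_MAGIC)
    return bytes(islice(rc4_keystream(candidate), n)) == keystream_prefix(ciphertext)


def recover(ciphertext: bytes, candidates) -> Optional[bytes]:
    """Try candidate keys; return the decrypted document if one fits the header."""
    for key in candidates:
        if key_matches(key, ciphertext):
            return rc4(key, ciphertext)
    return None


if __name__ == "__main__":
    KEY = b"example-key"                                  # assumption
    doc = OLE2_MAGIC + bytes(8) + b"constructed document body"
    enc = rc4(KEY, doc)
    print("header scrambled:", enc[:8] != OLE2_MAGIC)
    print("round trip ok:   ", rc4(KEY, enc) == doc)
    print("recovered:       ", recover(enc, [b"guess", KEY]) == doc)
```

The same header check is what lets a recovery tool refuse to "decrypt" a file with the wrong key and produce garbage: eight known bytes are enough to tell a matching key from a non-matching one.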



The malware was probably downloaded by the Citadel or Zeus (aka Zbot) malware.


Zeus sample:

remyf.exe
Result: 12/42
MD5: 30e7785cb9eafcea34fe930631fbba07
VirusTotal Report
Anubis Report



Let's take a look at a few Dorifel samples:

Acquisit.exe
Result: 15/42
MD5: d913394b8011b317f6d916507ffb7f2f
VirusTotal Report
Anubis Report


gis-woz4_v8.exe
Result: 12/42
MD5: a311cd6f67cb112cba78a27b87320fc3
VirusTotal Report
Anubis Report


DGRAYP.exe
Result: 24/42
MD5: f05f4f5be8431f746e59fe409a0b9bb1
VirusTotal Report
Anubis Report


Y6TK9B.exe
Result: 11/42
MD5: c1fa3618d7b54ab6a7a25857d7b30b3c
VirusTotal Report
Anubis Report



The malware tries to connect to one of the following IP addresses:
184.82.162.163 - IPvoid result
184.22.103.202 - IPvoid result


From there it will attempt to download the following file:

a.exe
Result: 13/42
MD5: 493887a87cd95b004f9ffbbaaecd1ac6
VirusTotal Report
Anubis Report



I haven't taken an in-depth look at it, but besides encrypting your Office files, I have seen that the malware kills itself when you open Task Manager. Not sure what the point of that is. It also doesn't seem to start up again automatically.

It does create a .lnk shortcut to the dropped malware and places it as an autorun entry, so the malware starts every time the machine boots.
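When cleaning up, the question is where that shortcut actually points. The following added example (not code from the original post) is a minimal reader for Windows shortcut files following the MS-SHLLINK layout, plus a listing of the per-user Startup folder. The shortcut bytes are constructed by build_lnk() for the demo rather than read from an infected machine, and the drop path and folder location are assumptions.

```python
# Added example, not code from the original post: a minimal reader for Windows
# shortcut (.lnk) files following the MS-SHLLINK layout, so you can see where an
# autorun shortcut in the Startup folder really points. The shortcut bytes below
# are constructed by build_lnk() for the demo; the path and folder are assumptions.
import os
import struct
from typing import Optional

# Shell Link header: HeaderSize (0x4C) then the CLSID 00021401-0000-0000-C000-000000000046
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bit 0
HAS_LINK_INFO = 0x02                  # LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit 0


def parse_lnk_target(blob: bytes) -> Optional[str]:
    """Return the shortcut's LocalBasePath, or None if it carries no local path."""
    if len(blob) < 0x4C or struct.unpack_from("<I", blob, 0)[0] != 0x4C or blob[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the optional item ID list
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    # LinkInfo: size, header size, flags, VolumeIDOffset, LocalBasePathOffset, ...
    _size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<5I", blob, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    start = pos + base_off                       # offsets are relative to the LinkInfo start
    return blob[start:blob.index(b"\x00", start)].decode("cp1252")


def build_lnk(local_path: str) -> bytes:
    """Construct a minimal .lnk with a LinkInfo block pointing at local_path (demo input only)."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_LINK_INFO)
    header += bytes(0x4C - len(header))          # attributes, timestamps, etc. left zero
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base = local_path.encode("cp1252") + b"\x00"
    hdr = 0x1C                                   # LinkInfoHeaderSize without unicode offsets
    body = volume_id + base + b"\x00"            # VolumeID, LocalBasePath, empty CommonPathSuffix
    info = struct.pack("<7I", hdr + len(body), hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                       hdr, hdr + len(volume_id), 0, hdr + len(volume_id) + len(base))
    return header + info + body


def startup_shortcuts(folder: Optional[str] = None):
    """List (name, target) for every .lnk in the per-user Startup folder (empty off Windows)."""
    folder = folder or os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")
    if not os.path.isdir(folder):
        return []
    found = []
    for entry in os.scandir(folder):
        if entry.is_file() and entry.name.lower().endswith(".lnk"):
            with open(entry.path, "rb") as fh:
                found.append((entry.name, parse_lnk_target(fh.read())))
    return found


if __name__ == "__main__":
    sample = build_lnk(r"C:\Users\victim\AppData\Roaming\a.exe")   # assumed drop location
    print("shortcut target:", parse_lnk_target(sample))
    for name, target in startup_shortcuts():
        print(f"{name}: {target}")
```

Shortcuts written by tooling often also carry a relative path or a unicode LocalBasePath in the optional fields; this reader deliberately only follows the mandatory LocalBasePath, which is enough to name the dropped executable and hash it against the samples above.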



Conclusion

The infection vector (how it spreads) is phishing or spam email, so as usual:

- Don't open attachments from unknown senders - ever.
- Some antivirus products already detect Dorifel generically, so update your antivirus.
- If you're in a corporate network, use a strong spam filter; correctly configured, it prevents a lot of trouble.
- Educate your users and raise general awareness: no spam filter stops 100% of spam, so there's always a chance something slips through.




Thanks to @erikremmelzwaal from Medusoft for most of the samples.


2 comments:

  1. Some days ago, my friend sent me a sample file which had been infected by Dorifel before.
     The file has been cleaned by a local antivirus, but its contents are not readable.

     How can I decrypt it back to its normal condition?

     Replies
     1. Hi Anonymous,

        That depends highly on the sort of encryption the AV used and which AV it was exactly.

        An option would be to restore the file from within the AV; this way it will revert to its original state (which would still be infected by Dorifel, though).

        Cheers!