Trojan encoder. What is this? How to treat? Where to run? Dr.Web - library of free utilities Instructions for use

Based on a preliminary analysis of the malware, Doctor Web provides recommendations on how to avoid infection, tells what to do if infection has already occurred, and reveals the technical details of the attack.

The Trojan.Encoder.12544 encryption worm, which has caused a great stir, poses a serious threat to personal computers running Microsoft Windows. Various sources call it a modification of the Trojan known as Petya (Trojan.Ransom.369), but Trojan.Encoder.12544 has only some features in common with it. This malicious program penetrated the information systems of a number of government agencies, banks and commercial organizations, and also infected the PCs of users in several countries.

It is currently known that the Trojan infects computers using the same set of vulnerabilities that attackers previously used to infiltrate the computers of WannaCry victims. Mass distribution of Trojan.Encoder.12544 began on the morning of June 27, 2017. When launched on the attacked computer, the Trojan searches for reachable PCs on the local network in several ways, after which it begins scanning ports 445 and 139 on the list of IP addresses it has collected. Having found machines on the network on which these ports are open, Trojan.Encoder.12544 tries to infect them by exploiting the well-known vulnerability in the SMB protocol (MS17-010).

In its body, the Trojan carries 4 compressed resources, 2 of which are the 32- and 64-bit versions of the Mimikatz utility, designed to intercept the passwords of open Windows sessions. Depending on the bitness of the OS, it unpacks the corresponding version of the utility, saves it in a temporary folder and launches it. Using Mimikatz, as well as two other methods, Trojan.Encoder.12544 obtains a list of local and domain users logged on to the infected computer. It then looks for writable network shares, tries to open them with the obtained credentials and saves a copy of itself there. To infect the computers it manages to gain access to, Trojan.Encoder.12544 uses the PsExec remote computer control utility (also stored in the Trojan's resources) or the standard Wmic.exe console utility.

The encoder controls its re-launch using a file it saves in the C:\Windows\ folder. This file is named after the Trojan itself, without the extension. Since the worm sample currently being distributed by the attackers is named perfc.dat, the file that prevents it from running again is C:\Windows\perfc. However, as soon as the attackers change the Trojan's original name, creating a file named perfc without an extension in the C:\Windows\ folder (as some antivirus companies advise) will no longer protect the computer from infection. In addition, the Trojan checks for the presence of this file only if it has sufficient privileges in the operating system to do so.

After starting, the Trojan adjusts its privileges, loads its own copy into memory and transfers control to it. The encoder then overwrites its own file on disk with junk data and deletes it. First of all, Trojan.Encoder.12544 corrupts the VBR (Volume Boot Record) of the C: drive: the first sector of the disk is filled with garbage data. The ransomware then copies the original Windows boot record to another part of the disk, having first encrypted it with XOR, and writes its own boot record in its place. Next, it creates a task to restart the computer and begins encrypting all files found on local physical disks that have the following extensions: .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip.

The Trojan encrypts files only on fixed drives; the data on each drive is encrypted in a separate thread. Encryption uses the AES-128-CBC algorithm, with a separate key for each disk (a distinctive feature of the Trojan that other researchers have not noted). This key is encrypted with the RSA-2048 algorithm (other researchers have reported an 800-bit key) and saved in the root folder of the encrypted drive in a file named README.TXT. Encrypted files do not receive an additional extension.

When the previously created task fires, the computer reboots and control is transferred to the Trojan's boot record. It displays text on the screen of the infected computer that resembles a message from the standard CHKDSK disk-checking utility.

At this point, Trojan.Encoder.12544 encrypts the MFT (Master File Table). Having completed encryption, Trojan.Encoder.12544 displays the attackers' ransom demand on the screen.

If a message about launching the CHKDSK utility appears on the screen during startup, turn off the PC's power immediately. The boot record will be damaged in this case, but it can be repaired using the Windows Recovery Utility or the Recovery Console after booting from the installation disk. Restoring the boot record is usually possible in Windows 7 and later, provided the disk has the hidden system partition holding a backup copy of the data critical for Windows operation. In Windows XP, this boot recovery method will not work. You can also use Dr.Web LiveDisk for this: create a bootable disk or flash drive, boot from that removable device, launch the Dr.Web scanner, scan the affected disk, and select the "Disarm" action for the detected threats.

According to reports from various sources, the only email account used by the distributors of Trojan.Encoder.12544 is currently blocked, so they essentially have no way to contact their victims (to offer file decryption, for example).

To prevent infection by the Trojan.Encoder.12544 Trojan, Doctor Web recommends making backup copies of all critical data on independent media in good time, as well as using the "Data Loss Prevention" function of Dr.Web Security Space. In addition, all operating system security updates must be installed. Doctor Web specialists continue to investigate the Trojan.Encoder.12544 ransomware.

Hi all! Today I want to highlight a problem caused by malicious programs that encrypt the files on your computer. After an infection, requests like "Help! A virus has encrypted my files" pour in, and the same question plagues many computer technicians, who sometimes even try to help but end up falling back on what is described below. What should you really do if a virus has encrypted the files on your computer? Read the article to the end, take in what is written, calm down and start acting. Let's go!

Encryptors are varieties of the Trojan.Encoder family (this is how Dr.Web classifies them, for example). The ransomware program itself is often caught by the antivirus after some time, if it missed it at first. But the consequences of its work are depressing. What should you do if you become a victim of this kind of crap? Let's figure it out. First, you need to know roughly how the enemy works, so that you stop burdening everyone and everything with stupid questions in the hope that a shaman with a tambourine will appear and solve your problem instantly. So, the virus uses asymmetric keys, as far as I know; otherwise there would not be so many problems with it. Such a system uses two keys: one encrypts, the other decrypts. Moreover, the first is computed from the second (but not the other way round). Let's try to picture this in simple terms. Let's look at a couple of pictures that clearly demonstrate the process of encryption and decryption.

We will not go into detail about how the public key is generated. These two pictures clearly show the process of encryption and then decryption; it is like closing a door and then opening it. What is the real problem with an encryption virus? The problem is that you don't have any key at all. The intruder has the keys. And the encryption algorithms built on this technology are made very cleverly. You can somehow obtain the public key by examining the file, but that doesn't help, because you need the private key. And that is where the problem lies: even knowing the public key, it is practically impossible to obtain the secret key. It is clear that in films and books, as well as in stories from friends and acquaintances, there are super-duper hackers who, with a wave of their little finger over the keyboard, decipher everything and crack everything head-on, but in the real world things are not so simple. I will say it plainly: this problem cannot be solved head-on, period.
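Since the pictures did not survive, here is an added Python example (mine, not the blog author's, and a textbook toy rather than real RSA: the two Mersenne primes are constructed and far too small, and there is no padding) that makes the two-key idea concrete. It shows the public key being derived from the private material, a symmetric "session key" being wrapped with the public key in the same way the Trojan.Encoder.12544 description above says each drive's AES key is wrapped with RSA, and why holding only the public key does not get you the private one: a trial-division attempt at factoring the modulus runs out of budget. The function names and parameters are my own assumptions.

```python
"""Toy asymmetric-key walkthrough: two keys, one encrypts, the other decrypts.

Educational example only. The primes are tiny by real standards and there is
no padding, so this must never be used as actual cryptography.
"""
import secrets

# Constructed toy parameters: the known Mersenne primes 2**61-1 and 2**89-1.
# Real RSA-2048 uses two secret ~1024-bit primes chosen at random.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537  # conventional public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)).

    d is computed from the private factors p and q; the public key (n, e)
    is published, and nothing in it reveals p, q or d without factoring n.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (n, e), (n, d)


def encrypt_int(m, public_key):
    """Anyone holding the public key can 'close the door'."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt_int(c, private_key):
    """Only the holder of d can 'open' it again."""
    n, d = private_key
    return pow(c, d, n)


def wrap_session_key(session_key, public_key):
    """Hybrid step: the symmetric per-drive/per-file key is wrapped with RSA
    and, in the ransomware case, written into the ransom note."""
    return encrypt_int(int.from_bytes(session_key, "big"), public_key)


def unwrap_session_key(wrapped, private_key, length=16):
    """What the attacker can do with the private key, and the victim cannot."""
    return decrypt_int(wrapped, private_key).to_bytes(length, "big")


def factor_by_trial_division(n, budget=200_000):
    """What a victim with only the public key would have to do: recover p and q
    from n. Returns None when the budget is exhausted, which it is even for
    this toy modulus (its smallest factor has 61 bits)."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    for _ in range(budget):
        if n % f == 0:
            return f, n // f
        f += 2
    return None


if __name__ == "__main__":
    public_key, private_key = make_keypair()
    session_key = secrets.token_bytes(16)  # stands in for an AES-128 key
    wrapped = wrap_session_key(session_key, public_key)
    print("wrapped key:", hex(wrapped))
    print("round trip with private key:",
          unwrap_session_key(wrapped, private_key) == session_key)
    print("factoring n from the public key alone:",
          factor_by_trial_division(public_key[0]))
```

The round trip succeeds only because the script still holds the private key; a victim has just the wrapped value and the public key, and the last line shows that recovering the factors of even this 150-bit toy modulus by brute force does not finish within the budget, let alone for a 2048-bit one.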

And now about what to do if you have caught this nasty thing. You don't have many options. The most common one is to contact the author by email, which he will kindly provide on your new desktop wallpaper and will also write into the name of each damaged file. Be careful, or you will end up with neither files nor money. Option two is the antivirus companies, in particular Dr.Web. Contact technical support at https://support.drweb.ru/new/free_unlocker/for_decode/?lng=ru. Go through the required steps and voila. There is one catch, though! You must be using a licensed antivirus from Doctor Web; if you do not have one, you will need to purchase a license. If successful, your request will be sent to the company's technical support service, and then you wait for a response. Please pay special attention: this method does not give a 100% guarantee of decrypting all files, because not all keys and algorithms are available. Other antivirus companies also perform decryption under similar conditions. The third option is to contact law enforcement. By the way, if you create a request to Doctor Web, even they will tell you about it. Option three may be protracted and unsuccessful (just like the first two), but if it succeeds, the attacker will be punished and will harm fewer people, and the key will be handed over to the antivirus companies. There is also a fourth option: trying, unsuccessfully, to find a miracle master who will decrypt everything in some top-secret way. Go ahead, guys! But think about it! If antivirus companies do not give a 100% guarantee and recommend contacting the police, what else is there to look for? Don't waste your time and money; be realistic.

Let me summarize. Unfortunately, many people are offended by the experts who send them to the police or to an antivirus company, and beg them to help; but, dear users, understand that the experts are not omnipotent. Excellent knowledge of cryptography is needed here, and even that is unlikely to help. Therefore, use the three methods above, but be careful with the first (use it only as a last resort); it is better to contact the authorities, and at the same time try to save at least something with the help of specialists from an antivirus company.
Yes, by the way, contacting the police will help other victims, and if everyone does this, such infections will become far rarer, so think not only about yourself but also about other people. Also be prepared for the possibility that no one except the author of the virus will solve your problem! So draw an important conclusion for yourself: store valuable files in several copies on different devices, or use cloud services.

If the system is infected with malware from the Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX families, all files on the computer will be encrypted as follows:

  • When infected with Trojan-Ransom.Win32.Rannoh, the names and extensions change according to the pattern locked-<original_name>.<4 random letters>.
  • When infected with Trojan-Ransom.Win32.Cryakl, a label (CRYPTENDBLACKDC) is added to the end of the file contents.
  • When infected with Trojan-Ransom.Win32.AutoIt, the extension changes according to the pattern <original_name>@<mail_domain>_.<character_set>.
    For example, [email protected]_.RZWDTDIC.
  • When infected with Trojan-Ransom.Win32.CryptXXX, the extension changes according to the patterns <original_name>.crypt, <original_name>.crypz and <original_name>.cryp1.
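Before reaching for a decryptor it helps to know which family you are dealing with. The following Python triage helper is an added example, not part of the RannohDecryptor utility or any Kaspersky code: it applies the naming patterns listed above, checks file contents for the Cryakl trailer, and, going beyond this list, also recognises the .vault extension that the Trojan.Encoder.2843 description later on this page mentions. The sample names and trailing bytes are constructed, and the function names are my own.

```python
"""Guess the ransomware family from encrypted file names and trailing bytes.

Constructed example for triage before running a decryptor; the patterns come
from the family descriptions above.
"""
import re

# <original_name> usually keeps its own extension, so each pattern anchors on
# the suffix the malware appends rather than on a single final extension.
# Order matters: the more specific suffixes are tried first.
PATTERNS = [
    ("Trojan-Ransom.Win32.CryptXXX",
     re.compile(r"^(?P<orig>.+)\.(crypt|crypz|cryp1)$")),
    ("Trojan.Encoder.2843 (Vault)",
     re.compile(r"^(?P<orig>.+)\.vault$")),
    # locked-<original_name>.<4 random letters>
    ("Trojan-Ransom.Win32.Rannoh",
     re.compile(r"^locked-(?P<orig>.+)\.[A-Za-z]{4}$")),
    # <original_name>@<mail_domain>_.<character_set>
    ("Trojan-Ransom.Win32.AutoIt",
     re.compile(r"^(?P<orig>.+)@[A-Za-z0-9.-]+_\.[A-Za-z0-9]+$")),
]

# Cryakl keeps the name but appends this label to the file contents.
CRYAKL_TRAILER = b"CRYPTENDBLACKDC"


def classify(name, tail=None):
    """Return (family, original_name); family is None when nothing matches.

    `tail` is the last few bytes of the file, if available. A None result does
    not mean the file is clean: Trojan.Encoder.12544, for instance, adds no
    extension at all, so name-based triage cannot see it.
    """
    for family, rx in PATTERNS:
        m = rx.match(name)
        if m:
            return family, m.group("orig")
    if tail is not None and tail.endswith(CRYAKL_TRAILER):
        return "Trojan-Ransom.Win32.Cryakl", name
    return None, name


def triage(entries):
    """Group a listing of (name, tail) pairs by likely family."""
    groups = {}
    for name, tail in entries:
        family, orig = classify(name, tail)
        groups.setdefault(family, []).append((name, orig))
    return groups


# Constructed directory listing: (file name, trailing bytes or None).
SAMPLE_LISTING = [
    ("locked-budget.xlsx.QJTM", None),
    ("photo.jpg@mail.example_.RZWDTDIC", None),
    ("thesis.docx.crypt", None),
    ("notes.txt.cryp1", None),
    ("contract.pdf.vault", None),
    ("invoice.pdf", b"...stream content...CRYPTENDBLACKDC"),
    ("readme.md", b"# plain file"),
]

if __name__ == "__main__":
    for family, files in triage(SAMPLE_LISTING).items():
        print(family or "no pattern matched")
        for name, orig in files:
            print("   ", name, "->", orig)
```

The original name recovered from the pattern is what the decryptor expects you to pair with an unencrypted copy of the same file (step 4 of the RannohDecryptor procedure below), which is why the helper returns it alongside the family.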

The RannohDecryptor utility is designed to decrypt files after infection with Trojan-Ransom.Win32.Polyglot, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1, 2 and 3.

How to cure the system

To cure an infected system:

  1. Download the RannohDecryptor.zip file.
  2. Run RannohDecryptor.exe on the infected machine.
  3. In the main window, click Start checking.
  4. Specify the path to an encrypted file and to its unencrypted copy.
    If the file is encrypted with Trojan-Ransom.Win32.CryptXXX, specify the largest file you have. Decryption will only be available for files of equal or smaller size.
  5. Wait until the search for and decryption of encrypted files is complete.
  6. Restart your computer if required.
  7. To delete the copies of encrypted files after successful decryption, select Delete encrypted files after successful decryption.

If the file was encrypted by Trojan-Ransom.Win32.Cryakl, the utility saves the file in its old location with the extension .decryptedKLR.original_extension. If you have selected Delete encrypted files after successful decryption, the utility saves the decrypted file under its original name.

By default, the utility writes a work report to the root of the system disk (the disk on which the OS is installed).

The report name has the form UtilityName.Version_Date_Time_log.txt

For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt

On a system infected with Trojan-Ransom.Win32.CryptXXX, the utility scans a limited number of file formats. If the user selects a file affected by CryptXXX v2, recovering the key may take a long time; in this case the utility displays a warning.

Experts from the anti-virus company Doctor Web have developed a technique for decrypting files made inaccessible by the dangerous encoder Trojan Trojan.Encoder.2843, known to users as "Vault".

This version of the encryptor, which received the name Trojan.Encoder.2843 in the Dr.Web classification, is actively distributed by attackers through mass mailings. A small file containing a JavaScript script is used as the email attachment. This file extracts the application that performs the remaining actions needed to get the encoder running. This version of the ransomware Trojan has been distributed since November 2, 2015.

The operating principle of this malicious program is also quite interesting. An encrypted dynamic link library (.DLL) is written to the Windows system registry, and the Trojan injects a small piece of code into the running explorer.exe process, which reads the file from the registry into memory, decrypts it and transfers control to it.

Trojan.Encoder.2843 also stores the list of encrypted files in the system registry and uses a unique key for each of them, consisting of capital Latin letters. Files are encrypted with the Blowfish-ECB algorithm, and the session key is encrypted with RSA via the CryptoAPI interface. Each encrypted file is given the .vault extension.

Doctor Web specialists have developed a special technique that, in many cases, allows you to decrypt files damaged by this Trojan. If you are a victim of malware Trojan.Encoder.2843, use the following recommendations:

  • file a corresponding complaint with the police;
  • do not under any circumstances try to reinstall the operating system, or "optimize" or "clean" it using any utilities;
  • do not delete any files on your computer;
  • do not try to recover encrypted files yourself;
  • contact Doctor Web technical support (this service is free for users of Dr.Web commercial licenses);
  • attach any Trojan-encrypted file to the ticket;
  • wait for a response from a technical support specialist; due to the large number of requests, this may take some time.

We remind you that file decryption services are provided only to holders of commercial licenses for Dr.Web anti-virus products. Doctor Web does not fully guarantee the decryption of all files damaged as a result of the encoder, however, our specialists will make every effort to save the encrypted information.