Trojan.Encoder.398

Added to the Dr.Web virus database: 2014-01-15

Virus description added:

A file-encrypting ransomware Trojan written in Delphi. It is apparently a modification of Trojan.Encoder.225. The malware receives its encryption keys from a remote server.

Once launched for the first time, Trojan.Encoder.398 copies itself to the %APPDATA%\ID\ folder under the name ID.exe (where ID is the hard drive serial number). It then displays a message informing the user that the archive is damaged, runs its copy from the C:\ directory, and terminates the original process.

The Trojan’s copy looks for the %APPDATA%\ID directory, reads the hard disk serial number and sends it to the server using the InternetOpenUrlA function. In reply, the Trojan receives an XML configuration file containing the following encryption parameters: the cybercriminals’ email address, the encryption key, the number of the encryption algorithm to use, and the file name extension part for the encrypted files (the ext parameter).

Once the variables are initialized, the file encryption begins. Only fixed drives are encrypted (DRIVE_FIXED). The Trojan does not encrypt files in the following directories:

$RECYCLE.BIN, Windows, Program Files (x86), Program Files, Games, ProgramData, UpdatusUser, AppData, Application Data, Cookies, Local Settings, NetHood, PrintHood, Recent, SendTo, Main Menu (“Главное меню”), Searches (“Поиски”), Links (“Ссылки”), System Volume Information, Recovery, NVIDIA, Intel, DrWeb Quarantine, Config.Msi, All Users, All Users (“Все пользователи”).

The malware saves the “HOW_TO_DECRYPT_YOUR_FILES.txt” file (“КАК_PАЗБЛOКИРOВАТЬ_ВАШИ_ФAЙЛЫ.txt”) with the following contents to every directory:

All files on your computer have been encrypted with a crypto-secure algorithm.

To decrypt the files, you must have a decryptor and a unique password.

You can purchase the decryptor within the next 7 days. If you do not make the purchase during the specified period, the decryption password will be deleted from the base and decryption will be impossible.

To purchase the decryptor, send a message to mrcrtools@aol.com.

If you want to make sure that we have the decryptor, attach any encrypted file (except for databases) to your message and we will send you its decrypted version.

The decryptor costs 5,000 rubles. We will inform you regarding payment methods in the reply to your message.

Contact email address—mrcrtools@aol.com

The Trojan can encrypt files with the following extensions:

ak|.BAK|.rtf|.RTF|.pdf|.PDF|.mdb|.MDB|.b2|.B2|.mdf|.MDF|.accdb|.ACCDB|.eap|.EAP|.swf|.SWF|
.svg|.SVG|.odt|.ODT|.ppt|.PPT|.pptx|.PPTX|.xps|.XPS|.xls|.XLS|.cvs|.CVS|.dmg|.DMG|.dwg|.DWG|
.md|.MD|.elf|.ELF|.1CD|.1cd|.DBF|.dbf|.jpg|.JPG|.jpeg|.JPEG|.psd|.PSD|.rtf|.RTF|.MD|.dt|.DT|
.cf|.CF|.max|.MAX|.dxf|.DXF|.dwg|.DWG|.dds|.DDS|.3ds|.3DS|.ai|.AI|.cdr|.CDR|.svg|.SVG|
.txt|.TXT|.csv|.CSV|.7z|.7Z|.tar|.TAR|.gz|.GZ|.bakup|.BAKUP|.djvu|.DJVU|

The malware can use the following encryption algorithms (in the following order):

  1. DES
  2. RC2
  3. RC4
  4. RC5
  5. RC6
  6. 3DES
  7. Blowfish
  8. AES (Rijndael)
  9. ГОСТ 28147-89
  10. IDEA
  11. Tea
  12. CAST-128
  13. CAST-256
  14. ICE
  15. Twofish
  16. Serpent
  17. MARS
  18. MISTY1

The encryption routine is selected based on the parameter specified in the configuration file.

Once the first encryption cycle is complete, the Trojan starts a second cycle that encrypts 1C databases located in Program Files and Program Files (x86), directories the first cycle skipped.

Files with the following extensions can be encrypted:

|.dbf|.DBF|.1cd|.1CD|.dt|.DT|.md|.MD|.dds|.DDS|
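As an added triage example (not part of the Dr.Web description), the following Python models the file selection described above, the excluded directories, the exact-case extension list of the first cycle and the 1C-database-only second cycle under Program Files, so that a file listing taken from an affected fixed drive can be scoped; the listing input format and the `triage` function name are assumptions.

```python
from pathlib import PureWindowsPath

# Directory names the first encryption cycle skips (copied from the description above).
EXCLUDED_DIRS = {
    "$RECYCLE.BIN", "Windows", "Program Files (x86)", "Program Files", "Games",
    "ProgramData", "UpdatusUser", "AppData", "Application Data", "Cookies",
    "Local Settings", "NetHood", "PrintHood", "Recent", "SendTo", "Главное меню",
    "Поиски", "Ссылки", "System Volume Information", "Recovery", "NVIDIA", "Intel",
    "DrWeb Quarantine", "Config.Msi", "All Users", "Все пользователи",
}
# First-cycle extensions as listed on the page, duplicates removed (the truncated leading
# token is omitted). Lower and upper case are listed separately, so the match is exact-case.
CYCLE1_EXTS = set((
    ".BAK|.rtf|.RTF|.pdf|.PDF|.mdb|.MDB|.b2|.B2|.mdf|.MDF|.accdb|.ACCDB|.eap|.EAP|.swf|.SWF|"
    ".svg|.SVG|.odt|.ODT|.ppt|.PPT|.pptx|.PPTX|.xps|.XPS|.xls|.XLS|.cvs|.CVS|.dmg|.DMG|.dwg|.DWG|"
    ".md|.MD|.elf|.ELF|.1CD|.1cd|.DBF|.dbf|.jpg|.JPG|.jpeg|.JPEG|.psd|.PSD|.max|.MAX|.dxf|.DXF|"
    ".dds|.DDS|.3ds|.3DS|.ai|.AI|.cdr|.CDR|.dt|.DT|.cf|.CF|.txt|.TXT|.csv|.CSV|.7z|.7Z|"
    ".tar|.TAR|.gz|.GZ|.bakup|.BAKUP|.djvu|.DJVU"
).split("|"))
# Second cycle: only 1C database extensions, only below Program Files / Program Files (x86).
CYCLE2_ROOTS = {"Program Files", "Program Files (x86)"}
CYCLE2_EXTS = set(".dbf|.DBF|.1cd|.1CD|.dt|.DT|.md|.MD|.dds|.DDS".split("|"))
RANSOM_NOTES = {"HOW_TO_DECRYPT_YOUR_FILES.txt", "КАК_PАЗБЛOКИРOВАТЬ_ВАШИ_ФAЙЛЫ.txt"}


def triage(paths):
    """Classify a file listing of one fixed drive (e.g. exported from a disk image).

    Returns (at_risk, note_dirs): the files the Trojan's two cycles would select,
    in listing order, and the directories in which one of its ransom notes is present.
    """
    at_risk, note_dirs = [], set()
    for path in paths:
        p = PureWindowsPath(path)
        parts = (p.relative_to(p.anchor) if p.anchor else p).parts  # drop "C:\" etc.
        if not parts:
            continue
        *dirs, name = parts
        if name in RANSOM_NOTES:
            note_dirs.add("\\".join(dirs))
            continue
        ext = PureWindowsPath(name).suffix
        if dirs and dirs[0] in CYCLE2_ROOTS:
            selected = ext in CYCLE2_EXTS
        else:  # first cycle: any excluded directory on the path prunes the whole subtree
            selected = ext in CYCLE1_EXTS and not EXCLUDED_DIRS.intersection(dirs)
        if selected:
            at_risk.append(path)
    return at_risk, sorted(note_dirs)
```

Fed a listing such as `C:\Users\alice\Documents\photo.Jpg` and `C:\Users\alice\Documents\report.docx`, neither file is selected: the mixed-case extension fails the exact-case match, and .docx does not appear in this variant's list at all.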

The Trojan has different modifications. Some of them look as follows:

  1. Using back_files@aol.com

    The malware saves the file with the following message to the hard drive:

    All files on your computer have been encrypted.
    To decrypt the files, you must purchase a decryptor and a unique password.
    You can purchase the decryptor for 5,000 rubles by sending a message to back_files@aol.com.
    If you want to make sure that we have the decryptor, attach any encrypted file (except for databases) to your message and we will send you its original version.

  2. Using backyourfile@aol.com

    Once launched for the first time, the Trojan adds the following parameters to the Software\ENCRYPTOR registry key:

    • files—path to the text file containing the list of all encrypted files,
    • hid—hard drive serial number,
    • inst—set up flag (true/false),
    • mg—path to the HTML file containing cybercriminals’ demands,
    • p—path to the encoder’s executable file,
    • w—path to the image with cybercriminals’ demands.

    Then it places an HTML file with the following contents in the startup folder:

    All files on your computer have been encrypted with a crypto-secure algorithm.
    It is impossible to decrypt the files without a unique password!
    Any attempt to decrypt a file without the password will lead to its permanent damage!
    The decryptor costs 5,000 rubles.
    You can purchase the decryptor and the password by sending a message to
    backyourfiles@aol.com.
    If you want to make sure that we can decrypt your files, attach any encrypted file to your message and we will decrypt it.

    The Trojan sets the following image (not reproduced here) as the desktop background.

    Files with the following extensions can be encrypted:

    *.odt,*.ods,*.odp,*.odb,*.doc,*.docx,*.docm,*.wps,*.xls,*.xlsx,*.xlsm,*.xlsb,*.xlk,*.ppt,*.pptx,*.pptm,
    *.mdb,*.accdb,*.pst,*.dwg,*.dxf,*.dxg,*.wpd,*.rtf,*.wb2,*.mdf,*.dbf,*.psd,*.pdd,*.eps,*.ai,*.indd,*.cdr,
    *.jpg,*.jpeg,*.arw,*.dng,*.3fr,*.srf,*.sr2,*.bay,*.crw,*.cr2,*.dcr,*.kdc,*.erf,*.mef,*.mrw,*.nef,*.nrw,*.orf,
    *.raf,*.raw,*.rwl,*.rw2,*.r3d,*.ptx,*.pef,*.srw,*.x3f,*.der,*.cer,*.crt,*.pem,*.p12,*.p7b,
    *.pdf,*.p7c,*.pfx,*.odc,*.rar,*.zip,*.7z,*.png,*.backup,*.tar,*.eml,*.1cd,*.dt,*.md,*.dds

    The malware can use the following encryption algorithms (in the following order):

    1. Blowfish
    2. CAST-128
    3. CAST-256
    4. DES
    5. ГОСТ 28147-89
    6. ICE
    7. IDEA
    8. MARS
    9. MISTY1
    10. 3DES
    11. RC4
    12. RC5
    13. RC6
    14. AES (Rijndael)
    15. Serpent
    16. TEA
    17. Twofish
    18. RC2

  3. Using vernut2014@qq.com

    Once the Trojan is launched, the “File is damaged” message is displayed on the screen. The malware creates the HKCU\Software\LIMITED key in the Windows system registry and saves the following parameters there:

    • pth—path to the Trojan’s executable file,
    • installd (possible value—true),
    • wall—path to the image displaying cybercriminals’ demands,
    • msge—path to the HTML file containing cybercriminals’ demands (this path is also saved to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run branch),
    • files—path to the text file containing cybercriminals’ demands,
    • huid—infected computer ID.

    The Trojan then saves its files under random names in randomly named subfolders of the %APPDATA% directory.

  4. Using yourfiles2014@yahoo.com

    The Trojan places an HTML file with the following contents in the startup folder:

    All files on your computer have been encrypted with a crypto-secure algorithm!!!
    It is impossible to decrypt the files without a unique password!
    Any attempt to decrypt a file without the password will lead to its permanent damage!
    The decryptor costs 5,000 rubles.
    You can purchase the decryptor and the password by sending a message to
    yourfiles2014@yahoo.com.
    If you want to make sure that we can decrypt your files, attach any encrypted file to your message and we will send you its original copy.

    The Trojan sets the following image (not reproduced here) as the desktop background.

  5. Using restorefiles2014@yahoo.fr

    The Trojan places an HTML file with the following contents in the startup folder:

    All files on your computer have been encrypted with a crypto-secure algorithm. It is impossible to decrypt the files without a unique password and not knowing the encryption type!
    Any attempt to change a file name, file structure, or decrypt a file using decryptors available on the Internet will lead to its permanent damage.
    The decryptor costs 5,000 rubles.
    You can purchase the decryptor and the password by sending a message to
    restorefiles2014@yahoo.fr.
    If you want to make sure that we have the decryptor, attach any encrypted file to your message and we will send you its original version.

    The Trojan sets the following image (not reproduced here) as the desktop background.

  6. Using filescrypt2014@foxmail.com

    Currently, data encrypted by any Trojan belonging to the Trojan.Encoder.398 family can be fully recovered with a success probability of 90 per cent.
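An added example, not from the original page: a Python check that reads a `reg export` of HKCU and reports the Software\ENCRYPTOR (modification 2) and Software\LIMITED (modification 3) value sets described above, together with the Run entry that modification 3 creates for the HTML note; the .reg sample, its paths, its IDs and the Run value names are constructed.

```python
import re

# Registry artifacts of the modifications described above: key -> value names they write.
VARIANT_KEYS = {
    r"HKEY_CURRENT_USER\Software\ENCRYPTOR": {"files", "hid", "inst", "mg", "p", "w"},
    r"HKEY_CURRENT_USER\Software\LIMITED": {"pth", "installd", "wall", "msge", "files", "huid"},
}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_SZ_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ lines only; other value types are skipped


def parse_reg_export(text):
    """Parse a 'reg export' (.reg) text into {key: {value_name: string_data}}."""
    tree, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := _KEY_RE.match(line):
            current = tree.setdefault(m.group(1), {})
        elif (m := _SZ_RE.match(line)) and current is not None:
            # .reg files escape backslashes and double quotes inside string data
            current[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return tree


def find_encoder_artifacts(text):
    """Return [(key, {name: data})] for each variant key found in the export, followed by
    any Run entry whose data equals the HTML note path stored in the LIMITED key's 'msge'."""
    tree = parse_reg_export(text)
    findings = [(key, {n: d for n, d in tree.get(key, {}).items() if n in names})
                for key, names in VARIANT_KEYS.items()]
    findings = [f for f in findings if f[1]]
    note_paths = {d["msge"] for _, d in findings if "msge" in d}
    for name, data in tree.get(RUN_KEY, {}).items():
        if data in note_paths:
            findings.append((RUN_KEY + "\\" + name, {"persistence": data}))
    return findings


# Constructed sample export (value names are the page's; paths, IDs and Run names are invented):
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\LIMITED]
"pth"="C:\\Users\\alice\\AppData\\Roaming\\qz1x\\sv.exe"
"installd"="true"
"msge"="C:\\Users\\alice\\AppData\\Roaming\\qz1x\\how.html"
"huid"="1A2B3C4D"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe"
"qz1x"="C:\\Users\\alice\\AppData\\Roaming\\qz1x\\how.html"
"""
```

The `files` value (a path to the text file listing every encrypted file in modification 2) is the item to pull first during response, since it scopes the damage without walking the disk.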


Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.

On macOS, use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

On Linux, after booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
