The Dorifel worm has hit computer systems in the Netherlands and, to a lesser degree, other regions of the world for the last six days or so. According to research by Emsisoft and Kaspersky, the majority of infected systems are located in government, public sector and company networks. Trojan-Ransom.Win32.Dorifel (Emsisoft) or Worm.Win32.Dorifel (Kaspersky) enters the infected systems with the help of the Citadel malware, which is related to the Zeus family of malicious software.
Kaspersky's David Jacoby places the point of entry in the emails that distribute the malware. Dorifel itself is copied into a directory under the user's profile folder and launched from there. A shortcut is generated in the same directory and added to a Registry startup key so that it is loaded on every system start. The key the malware shortcut is added to is HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\.
Dorifel starts three background threads as soon as it is started on the system. The first scans the system for Word and Excel documents and for executable files. The second thread contacts a command server every 30 minutes, which may in the near future provide the malware with additional instructions. The third and final thread checks for the existence of a taskmgr.exe (Task Manager) process and, if it finds one, terminates the malware automatically.
The thread that scans for documents and executables creates a copy of each original file, encrypts the copy and finally deletes the original from the system. What is interesting is that the encrypted documents can still be opened, and that they still display their contents when that happens. In the background, though, the malware installs itself if the system is not already infected with it.
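A heuristic check a defender can run over a file share, added here as an example and not taken from the article or from either vendor's tooling: it assumes (as the description above of documents that still display while the malware installs suggests) that the "encrypted" copies are PE executables carrying a Word or Excel file name, and flags files with Office extensions whose content starts with the PE "MZ" signature instead of an Office container header. The directory tree it scans is constructed inline, so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Extensions the worm targets according to the write-up (Word and Excel documents).
OFFICE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx"}

# File signatures: a PE executable starts with "MZ"; legacy Office files use the
# OLE compound-document header; Office Open XML files are ZIP archives.
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def classify(path: Path) -> str:
    """Return 'pe-in-office-name', 'office' or 'unknown' for one file."""
    with open(path, "rb") as f:
        head = f.read(8)
    if head.startswith(PE_MAGIC):
        return "pe-in-office-name"
    if head.startswith(OLE_MAGIC) or head.startswith(ZIP_MAGIC):
        return "office"
    return "unknown"


def find_disguised_executables(root: str) -> list:
    """Walk root and return Office-named files that are really PE images."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in OFFICE_EXTENSIONS and classify(p) == "pe-in-office-name":
                hits.append(str(p))
    return sorted(hits)


def demo() -> list:
    """Build a constructed sample tree (harmless stub bytes, not real malware) and scan it."""
    root = tempfile.mkdtemp()
    samples = {
        "budget.xls": OLE_MAGIC + b"\x00" * 24,   # genuine legacy Excel header
        "report.docx": ZIP_MAGIC + b"\x00" * 24,  # genuine OOXML container
        "invoice.doc": PE_MAGIC + b"\x90" * 24,   # executable wearing a .doc name
        "notes.txt": b"plain text",               # not an Office extension, ignored
    }
    for name, content in samples.items():
        (Path(root) / name).write_bytes(content)
    return [os.path.basename(h) for h in find_disguised_executables(root)]


if __name__ == "__main__":
    print(demo())  # prints ['invoice.doc']
```

A hit only means the name and the content disagree; the file still needs to be examined before anything is deleted.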
What is likely to happen is that at some point users will be asked to pay money to decrypt their encrypted documents.
Emsisoft has created a Dorifel decryption tool that you can use to decrypt files on infected systems. Just download and unpack the tool to the desktop and run it from there. Once all documents have been decrypted, you can run antivirus software that detects Citadel and Dorifel. All Kaspersky and Emsisoft programs do that, as do others such as Hitman Pro. You can for instance use Emsisoft's Emergency Kit 2.0, a free program, to clean the system.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.