How to clean a Dorifel infection on your PC

Martin Brinkmann
Aug 14, 2012

The Dorifel worm has hit computer systems in the Netherlands and to a lesser degree other regions of the world for the last six days or so. According to research by Emsisoft and Kaspersky, the majority of systems infected seem to be located in government, public sector and company networks. Trojan-Ransom.Win32.Dorifel (Emsisoft) or Worm.Win32.Dorifel (Kaspersky) enters the infected systems with the help of the Citadel malware which is related to the Zeus family of malicious software.

Kaspersky's David Jacoby sees the point of entry in emails the malware is distributed with.  Dorifel itself will be copied into a directory under the user's user folder, and launched from there. A shortcut is generated in the same directory that is added to a Registry startup key so that it is always loaded on system start. They key the malware shortcut is added to is HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\.

Dorifel starts three background threads as soon as it is started on the system. The first scans the system for Word and Excel documents, and executable files. The second thread contacts a command server ever 30 minutes which may provide the malware with additional instructions in the near future. The third and final thread checks for the existence of a taskmgr.exe (Task Manager) process, and if it finds one, terminates itself automatically.

The thread that is scanning for documents and executables will create a copy of the original file, encrypt it and in the end delete the original document on the system. What's interesting is that encrypted documents can still be loaded, and that the documents will still display when that happens. In the background though the malware is installed if the system is not already infected with it.

What is likely going to happen is that at one point in time users will be asked to pay money to decrypt their encrypted documents.

Emsisoft has created a Dorifel encryption tool that you can use to decrypt files on infected systems. Just download and unpack the encryption tool to the desktop and run it from there. Once all documents have been decrypted, you can run an antivirus software that detects Citadel and Dorifel. All Kaspersky and Emsisoft programs, as well as others such as Hitman Pro do that. You can for instance use Emisoft's Emergency Kit 2.0, a free program, to clean the system.


Previous Post: «
Next Post: «


  1. sam said on August 22, 2012 at 8:14 am

    thank u for all the informative material you put out, many articles have been God send.
    now I have a question, read about the Dorifel infection, HMMMM may be, that is my problem,
    I turn the PC on,
    access Internet explorer8
    log on to facebook
    then I access zynga poker through facebook
    then Chaos takes place, The PC begins to slow down (lagging),
    PIX needs time to finish downloading
    and when i access the Task Mgr to see what is running, one process is running actively iexplore, very high numbers (total @ one time 3)and the processor at 100%
    I am using Norton Corporate, firewallMicrosoft, and I ahve nothing else that will get the processor humming.
    Your assistance is greatly appreciated and thanks again

  2. Wim said on August 15, 2012 at 12:25 pm

    I am from Holland,and i switched to Linux. Enough is enough!

  3. Dan said on August 15, 2012 at 11:48 am

    Sounds pretty awful… i haven’t seen it in my small area in the US. I have had a run in with the most terrible malware I’ve seen (maybe ever), Sirefef.
    Once discovered, it sends the computer in an every 60 second boot loop. Your only hope is to system restore quickly enough, or do a Windows repair.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.