Trojan:W32/DatCrypt drops a DLL file that encrypts files with specific extensions on the system.
The DLL then informs the user that the affected files should be decrypted with a certain "utility program", which it also attempts to download and install on the system.
Malware that engages in this type of behavior is known as ransomware.

Execution
The DLL file is installed in the system32 folder with a random name. While active, the DLL searches the hard drive for files with the following extensions:
Many of these extensions are for Microsoft Office documents; the others are common media formats.
Files found are encrypted. The program then displays a message when the user clicks the encrypted file, informing them the file is 'corrupted':
The DLL will display a system notification message related to the supposed file corruption:
When clicked, the message initiates a download of a "utility program" for decrypting the affected files. The download is from
The downloaded utility program is detected as Rogue:W32/DatDoc.