Trojan:W32/DatCrypt

Name: Trojan:W32/DatCrypt
Detection Names: Gen:Trojan.Heur.mqW@vrF6mAoix, Trojan.Win32.Pincav.nms
Aliases: Trojan.Xrupter (Symantec), Generic.dx!jkx trojan (McAfee)
Category: Malware
Type: Trojan
Platform: W32

Summary

Also known as a trojan horse program, this is a deceptive program that performs additional actions without the user's knowledge or permission. It does not replicate.

Additional Details

Trojan:W32/DatCrypt drops a DLL file that encrypts files with specific extensions on the system.

The DLL then informs the user that the affected files should be decrypted with a certain "utility program", which it also attempts to download and install on the system.

Malware that engages in this type of behavior is known as ransomware.

Execution

The DLL file is installed in the system32 folder with a random name. While active, the DLL searches the hard drive for files with the following extensions:

  • ppsm
  • ppsx
  • ppam
  • potm
  • potx
  • pptm
  • pptx
  • xlam
  • xlsb
  • xltm
  • xltx
  • xlsm
  • xlsx
  • dotm
  • dotx
  • docm
  • docx
  • ppt
  • xls
  • doc
  • pst
  • mdb
  • wma
  • mp3
  • png
  • jpeg
  • jpg
  • pdf

Many of these extensions are for Microsoft Office documents; the others are common media formats.

Files found are encrypted. The program then displays a message when the user clicks the encrypted file, informing them the file is 'corrupted':
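
As an added triage example (not F-Secure's code and not the trojan's), the Python scan below lists files whose extension is on the list above but whose first bytes no longer match that format's header, which is how a DatCrypt victim's "corrupted" documents look on disk. The extension list is the one from this description, the magic bytes are the public format signatures, and the directory root is an argument you supply.

```python
"""Find documents that look encrypted: targeted extension, wrong file header.

Added example, not F-Secure's code. Files DatCrypt has encrypted keep their
extension but no longer begin with the format's magic bytes; listing such
extension/header mismatches gives a restore-from-backup worklist.
"""
import os
from pathlib import Path
from typing import Optional

# Public format signatures (any tuple member may start the file).
OOXML = (b"PK\x03\x04",)                        # docx/xlsx/pptx family = ZIP container
OLE2 = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",)    # legacy doc/xls/ppt compound file
SIGNATURES = {
    **{e: OOXML for e in ("ppsm ppsx ppam potm potx pptm pptx xlam xlsb "
                           "xltm xltx xlsm xlsx dotm dotx docm docx").split()},
    **{e: OLE2 for e in ("ppt", "xls", "doc")},
    "pst": (b"!BDN",),
    "mdb": (b"\x00\x01\x00\x00Standard Jet DB",),
    "wma": (b"\x30\x26\xb2\x75\x8e\x66\xcf\x11",),   # ASF header object GUID
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),  # ID3 tag or MPEG frame sync
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF",),
}

def header_matches(path: Path) -> Optional[bool]:
    """True if the file starts with a valid header for its extension,
    False if it does not (likely encrypted or corrupted), None if the
    extension is not one DatCrypt targets."""
    sigs = SIGNATURES.get(path.suffix.lower().lstrip("."))
    if sigs is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(max(len(s) for s in sigs))
    # An empty or truncated file also fails here and is worth a look.
    return any(head.startswith(s) for s in sigs)

def find_suspect_files(root) -> list:
    """Walk root and return sorted paths of targeted files whose header is wrong."""
    suspects = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            if header_matches(path) is False:
                suspects.append(str(path))
    return sorted(suspects)
```

Run find_suspect_files() against a user profile or file share after cleanup; the mp3 frame-sync check is a simplification, so the odd false positive on tag-less audio is expected.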

Download
The DLL will display a system notification message related to the supposed file corruption:
When clicked, the message initiates a download of a "utility program" for decrypting the affected files. The download is from

  • http://datahelpercorp.com/[...].exe

The downloaded utility program is detected as Rogue:W32/DatDoc.