Threat description


Category: Malware
Type: Rogue
Platform: W32
Aliases: Rogue:W32/DatDoc


Deceptive antivirus software that pressures users into buying or installing it (e.g., infecting a computer; displaying false or alarming warnings or scanning results). Once installed, it may not function as claimed.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


More information on scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Rogue:W32/DatDoc is a "utility program" intended to decrypt files which have been previously encrypted by a separate program. It also appears able to perform other utility functions. The user was then pressured to download and execute this program in order to decrypt the affected files. A fee may be demanded for performing the decryption service. DatDoc is known to be downloaded onto the system by Trojan:W32/DatCrypt, which performs the preliminary encryption. Malware that engages in this type of behavior is known as Ransomware.


Once DatDoc is downloaded onto a system, the separate DatCrypt malware will launch DatDoc's installer. The installation process for the product requires the user's interaction. When using the utility to decrypt files, the user has the option of performing decryption on a single file, or on multiple files (full scan).

Unfortunately, if the user attempts to use the utility to decrypt multiple files, only the first selected file will be decrypted for free; the utility will then inform the user that decryption for additional files will require payment of a "fee". Further decryption is not performed until the fee is paid.

File System Changes

Creates these files:

  • %temp%\is-126AP.tmp\sample.tmp

Creates these directories:

  • %temp%\is-126AP.tmp

