Trojan:W32/DatCrypt drops a DLL file that encrypts files with specific extensions on the system. The DLL then informs the user that the affected files should be decrypted with a certain "utility program", which it also attempts to download and install on the system.A malware that engages in this type of behavior is known as ransomware.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More scanning & removal options
More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
The DLL file is installed in the system32 folder with a random name. While active, the DLL searches the hard drive for files with the following extensions:
Many of these extensions are for Microsoft Office documents; the others are common media formats.Files found are encrypted. The program then displays a message when the user clicks the encrypted file, informing them the file is 'corrupted':
The DLL will display a system notification message related to the supposed file corruption:
When clicked, the message initiates a download of a "utility program" for decrypting the affected files. The download is from
The downloaded utility program is detected as Rogue:W32/DatDoc.