Trojan:W32/DatCrypt
First posted on 08 January 2010.
Aliases:
Trojan:W32/DatCrypt is also known as Trojan.Xrupter (Symantec), Generic.dx!jkx trojan (McAfee).
Explanation:
Also known as a trojan horse program, this is a deceptive program that performs additional actions without the user's knowledge or permission. It does not replicate.
Additional Details
Trojan:W32/DatCrypt drops a DLL file that encrypts files with specific extensions on the system.
The DLL then informs the user that the affected files should be decrypted with a certain "utility program", which it also attempts to download and install on the system.
Malware that engages in this type of behavior is known as ransomware.
Execution
The DLL file is installed in the system32 folder with a random name. While active, the DLL searches the hard drive for files with the following extensions:
ppsm, ppsx, ppam, potm, potx, pptm, pptx, xlam, xlsb, xltm, xltx, xlsm, xlsx, dotm, dotx, docm, docx, ppt, xls, doc, pst, mdb, wma, mp3, png, jpeg, jpg, pdf
Many of these extensions are for Microsoft Office documents; the others are common media formats.
Files found are encrypted. When the user then opens an encrypted file, the program displays a message informing them that the file is "corrupted" (the original page shows a screenshot of this message).
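The behaviour described above (files with the listed extensions overwritten with ciphertext, then presented to the user as "corrupted") leaves a simple forensic signal: the leading bytes no longer match what the extension promises. The following triage script is an added example written for this page, not F-Secure's or any vendor's tool. It assumes only that the encrypted file no longer begins with its format's normal signature, and it embeds a constructed sample tree so it can be run offline. It generalises past this family to any ransomware that encrypts in place without preserving headers.

```python
"""Triage helper: flag files whose on-disk header no longer matches their extension.

Added example for this advisory (not vendor code). Assumption: the ransomware
overwrites file contents, so the format's normal leading signature is gone.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Optional

# Extensions the advisory lists as targeted by Trojan:W32/DatCrypt.
TARGET_EXTENSIONS = {
    "ppsm", "ppsx", "ppam", "potm", "potx", "pptm", "pptx", "xlam", "xlsb", "xltm",
    "xltx", "xlsm", "xlsx", "dotm", "dotx", "docm", "docx", "ppt", "xls", "doc",
    "pst", "mdb", "wma", "mp3", "png", "jpeg", "jpg", "pdf",
}

# Well-known leading signatures. Office 2007+ (OOXML) files are ZIP containers;
# legacy Office files are OLE2 compound documents.
OOXML = (b"PK\x03\x04",)
OLE2 = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",)
SIGNATURES = {
    **{e: OOXML for e in ("ppsm", "ppsx", "ppam", "potm", "potx", "pptm", "pptx",
                          "xlam", "xlsb", "xltm", "xltx", "xlsm", "xlsx", "dotm",
                          "dotx", "docm", "docx")},
    **{e: OLE2 for e in ("ppt", "xls", "doc")},
    "pst": (b"!BDN",),
    "mdb": (b"\x00\x01\x00\x00Standard Jet DB",),
    "wma": (b"\x30\x26\xb2\x75\x8e\x66\xcf\x11",),          # ASF header GUID prefix
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2", b"\xff\xfa"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}


def header_matches(ext: str, head: bytes) -> Optional[bool]:
    """True/False when a signature is known for ext, None when we cannot judge."""
    sigs = SIGNATURES.get(ext.lower())
    if sigs is None:
        return None
    return any(head.startswith(s) for s in sigs)


def scan_tree(root) -> List[str]:
    """Return sorted relative paths of targeted files whose header is wrong."""
    root = Path(root)
    suspects = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lstrip(".").lower()
        if ext not in TARGET_EXTENSIONS:
            continue
        with open(path, "rb") as fh:
            head = fh.read(32)
        # Only a definite mismatch is reported; unknown formats are left alone.
        if header_matches(ext, head) is False:
            suspects.append(str(path.relative_to(root)).replace(os.sep, "/"))
    return sorted(suspects)


# Constructed sample tree (not real victim data): two intact files, two whose
# contents have been replaced by opaque bytes, and one non-targeted file.
SAMPLE_FILES = {
    "intact/report.docx": b"PK\x03\x04" + b"\x00" * 28,
    "intact/scan.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "hit/report.docx": bytes(range(32)),
    "hit/photo.jpg": b"\x17\x92\x5a" + b"\x41" * 29,
    "ignored/notes.txt": b"plain text",
}


def build_sample_tree(root) -> None:
    for rel, data in SAMPLE_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> List[str]:
    """Build the constructed tree in a temp dir and return the flagged paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel in demo():
        print("header mismatch:", rel)
```

A mismatch is a triage cue, not proof of encryption: zero-length files, MP3s with leading junk before the first frame, and PDFs with a few bytes of garbage before `%PDF-` will also be flagged, so the list should be reviewed alongside file modification times and the system32 DLL the advisory describes.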
Download
The DLL will also display a system notification message related to the supposed file corruption (the original page shows a screenshot of this notification).
When clicked, the message initiates a download of a "utility program" for decrypting the affected files. The download is from http://datahelpercorp.com/[...].exe
The downloaded utility program is detected as Rogue:W32/DatDoc.
Last update 08 January 2010
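The download host named above is the one network indicator this page gives, and the most useful way to apply it is retrospectively against proxy logs. The script below is an added example for this page, not vendor code. It uses a constructed, simplified proxy log format (time, client, method, URL, status, bytes) and a constructed placeholder path, since the advisory elides the real one; it matches the host and its subdomains case-insensitively, ignores ports, and rejects look-alike hosts such as `datahelpercorp.com.evil.example`.

```python
"""Retrospective proxy-log check for the download host in this advisory.

Added example (not vendor code). Log format and all sample lines are constructed.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Download host named in the advisory; the path after it is elided on the page.
INDICATOR_HOSTS = {"datahelpercorp.com"}


def host_matches(host: str, indicators) -> bool:
    """Exact or subdomain match, case-insensitive; look-alike suffixes do not match."""
    host = host.lower().rstrip(".")
    return any(host == ind or host.endswith("." + ind) for ind in indicators)


def parse_proxy_line(line: str) -> Optional[dict]:
    """Parse one constructed log line: <iso-time> <client> <method> <url> <status> <bytes>."""
    parts = line.split()
    if len(parts) != 6:
        return None  # malformed or truncated line; skipped rather than guessed
    ts, client, method, url, status, size = parts
    try:
        return {"time": ts, "client": client, "method": method, "url": url,
                "status": int(status), "bytes": int(size)}
    except ValueError:
        return None


def find_indicator_hits(lines) -> List[Tuple[str, str, int]]:
    """Return (client, url, status) for each request to an indicator host."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        # urlsplit().hostname lowercases the host and strips any :port.
        host = urlsplit(rec["url"]).hostname or ""
        if host_matches(host, INDICATOR_HOSTS):
            hits.append((rec["client"], rec["url"], rec["status"]))
    return hits


# Constructed sample log. "placeholder-path.exe" stands in for the elided path.
SAMPLE_LOG = [
    "2010-01-08T10:15:02Z 10.0.0.21 GET http://datahelpercorp.com/placeholder-path.exe 200 212992",
    "2010-01-08T10:15:05Z 10.0.0.21 GET http://www.example.com/index.html 200 5120",
    "2010-01-08T10:16:40Z 10.0.0.37 GET http://WWW.DATAHELPERCORP.COM:80/placeholder-path.exe 200 212992",
    "2010-01-08T10:17:01Z 10.0.0.44 GET http://datahelpercorp.com.evil.example/x 404 0",
    "this line is malformed",
    "2010-01-08T10:18:11Z 10.0.0.50 GET http://notdatahelpercorp.com/a.exe 200 1024",
]


if __name__ == "__main__":
    for client, url, status in find_indicator_hits(SAMPLE_LOG):
        print(f"{client} fetched {url} (HTTP {status})")
```

Clients that appear in the output are candidates for the file-header triage described earlier on this page; a 200 response with a non-zero byte count means the rogue utility most likely reached the host.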