New version of Dorifel virus detected


A new version of the Dorifel virus has been spotted. Last month the virus wreaked havoc at a number of organisations in the Netherlands, including ministries and provinces. The new version of the virus is difficult to detect.

The new Dorifel virus was discovered by security researcher Mark Loman, CEO of SurfRight. Unlike the original virus, the new version is encrypted, which makes it harder for virus scanners to recognise: only 3 of the 42 virus scanners tested detected the new version. According to Loman, the virus has a different hash on every PC it infects, which makes it difficult for antivirus companies to write definitions that detect the malware.

According to Loman, about twenty minutes after installation the new version of Dorifel downloads a rootkit, which makes removal more complicated. Ransomware is downloaded as well. Users are shown a window purporting to come from Buma/Stemra, stating that they have downloaded illegally and therefore have to pay a fine of 100 euros. If the user does not pay, he gets no access to his computer and files.

The previous version of Dorifel did something similar, making Word and Excel documents inaccessible, among other things. For unclear reasons, however, no such notification was displayed. As a result it was long unclear why the malware was mangling the documents. Possibly the warning was accidentally not shown.

According to Loman, the developer has cleaned up the malware's code; for example, it now communicates less often with the command-and-control server from which the malware can receive new instructions. In the new version those instructions are hidden in an image of Muhammad Ali.

How many people have already been infected with the new Dorifel version is unclear. "I have already informed the National Cyber Security Centre about it," says Loman. He is still investigating whether there are infections in the Netherlands. NCSC spokeswoman Mary-Jo van de Velde says that no reports of infected PCs at the government have come in yet.

HitmanPro, the security software developed by Loman's company, can remove the malware. Earlier, a new version of the malware surfaced in the United States. Security company Digital Investigation recommends blocking the IP address 91.220.35.61 in the firewall, as well as the domain names open-consulting-company.com and oianowifna.ru. These are probably used to spread the malware or to serve as the command-and-control server.
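The indicators named above are also useful for checking existing proxy or DNS logs for machines that have already contacted them. The following script is an added example, not part of the article or of any vendor's tooling; the log format (timestamp, source IP, destination) and the log lines themselves are constructed for illustration, and the matching is done on domain labels so that a look-alike name such as notopen-consulting-company.com is not counted as a hit.

```python
import re
from ipaddress import ip_address

# Indicators quoted in the article (Digital Investigation's recommendation).
BLOCKED_IPS = {"91.220.35.61"}
BLOCKED_DOMAINS = {"open-consulting-company.com", "oianowifna.ru"}

# Constructed log format: "<date> <time> <source-ip> <destination>",
# where destination is a hostname or a plain IPv4 address.
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<dst>\S+)$")

# Constructed sample lines; the last two are deliberate near-misses.
SAMPLE_LOG = [
    "2012-09-10 10:02:11 10.0.0.12 open-consulting-company.com",
    "2012-09-10 10:02:15 10.0.0.12 91.220.35.61",
    "2012-09-10 10:03:40 10.0.0.33 www.example.org",
    "2012-09-10 10:04:02 10.0.0.41 cdn.oianowifna.ru",
    "2012-09-10 10:05:19 10.0.0.33 notopen-consulting-company.com",
    "2012-09-10 10:05:50 10.0.0.50 91.220.35.6",
]


def domain_matches(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or is a subdomain of one.
    Comparing whole labels avoids substring false positives."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def destination_blocked(dest):
    """Classify a destination as IP or hostname and check it."""
    try:
        return str(ip_address(dest)) in BLOCKED_IPS
    except ValueError:  # not an IP address, treat as a hostname
        return domain_matches(dest)


def find_contacts(log_lines):
    """Return (source, destination) pairs that touched an indicator."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and destination_blocked(m.group("dst")):
            hits.append((m.group("src"), m.group("dst")))
    return hits


def suspect_hosts(log_lines):
    """Sorted list of internal hosts that should be examined."""
    return sorted({src for src, _ in find_contacts(log_lines)})


if __name__ == "__main__":
    for src, dst in find_contacts(SAMPLE_LOG):
        print(f"{src} contacted indicator {dst}")
```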

Images: Mark Loman