Thursday, September 13, 2012

Dorifel (aka Quervar, XDocCrypt)

Dorifel (aka Quervar, XDocCrypt) is a worm that is allegedly related to the Citadel trojan. Although it's been found worldwide, the Netherlands have been particularly affected by this piece of malware for the past several weeks.

Why is this noteworthy? Once executed, Dorifel will search for all Microsoft Word documents on your system, including network shares. The Word documents found are encrypted using the following hexadecimal RC4 key:

0d 0a 05 0f 59 7b 38 5a 5b 36 31 69 7e 0d 0d 09

Moreover, the virus body is prepended to the encrypted document and the two are separated by the string:

[+++scarface+++]

The initial infector has references to the TV series "Breaking Bad" and the movie "Scarface", as seen below (both in plaintext in the first screenshot, and in ROT13 in the second):
.





We've had ClamAV coverage for this destructive piece of malware in ClamAV as WIN.Worm.Dorifel for the last couple of weeks. Snort SIDs 24144 and 24145 will detect the binary coming in over standard file delivery mechanisms such as HTTP/SMTP/etc., and SIDs 24143 and 24146 look for post-compromise behavior.

No comments:

Post a Comment