Dorifel crypto malware puts financial information at risk

14 August 2012

According to Kaspersky Lab data, over 3,000 computer systems worldwide have been infected by Dorifel malware in the past few days. The malware encrypts documents on both the victim’s computer and on the organisation’s local network shares. This malicious program began to spread in the Netherlands, with over 90 per cent of infected users being government and public sector organisations or businesses in that country. The number of infections in the Netherlands had reached 3,544 by 2.30pm GMT on 10th August 2012. Other countries with a large number of infections are Denmark, the Philippines, Germany, the United States and Spain. The malware continues to spread rapidly.

The above infection statistics were compiled by Kaspersky Lab experts after analysing one of the servers hosting Dorifel. An analysis of files hosted on the server has shown that computers infected by Dorifel may be infected with other malware, including malicious programs designed to steal financial information. This can be concluded from log files found on the server which contain financial information (credit card numbers, CCV codes and names).

Kaspersky Lab recommends that users pay close attention to suspicious files and avoid opening attachments in emails from organisations that have been affected by the virus. Make sure that your computer is protected with a modern security solution and that your system has all the latest security patches, not only for Windows but also for any third-party software such as Java, because there may be similar attacks in the near future.

All users running Kaspersky Lab’s products are protected from this threat. Users who are not Kaspersky customers are advised to download Kaspersky Virus Removal Tool from the website: http://www.kaspersky.com/virusscanner. The company also advises blocking access to the following IP addresses: 184.82.162.163 and 184.22.103.202. Network traffic to these addresses might be a strong indication that you are infected, as the trojan downloaders seem to download additional malware from these hosts.

Kaspersky Lab experts are working closely with various law enforcement agencies to shut Dorifel servers down.

Quick Facts:

  • Dorifel malware is initially distributed in emails with infected attachments. Then, once the computer is infected, it spreads by infecting files on USB and network shares.
  • It infects and encrypts files with the following extensions: DOC, DOCX, XLS, XLSX, EXE. It looks for these files on network shares and on any disk that does not contain the "System Volume Information" directory (such as USB sticks, external disks, etc.).
  • The fact that many government and commercial organisations have been unable to access important documents on their computers indicates that the potential damage from Dorifel may be enormous. In addition, Kaspersky Lab found several new malicious files on the server hosting the Dorifel malware, as well as a large number of exploits, which could indicate that computers infected with Dorifel also have additional malware installed. This means an infection could jeopardise your financial information, encrypt your files and install backdoors on your computer.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
