
When a computer is infected, an encrypted dynamic-link library (.DLL) is written to the Windows registry, and special code is embedded in the running Explorer.EXE process; this code reads the file from the registry into memory, decrypts it and transfers control to it. The Trojan also stores the list of encrypted files in the registry, and a unique key consisting of uppercase Latin letters is used for each file. Files are encrypted with the Blowfish-ECB algorithm, and the session key is encrypted with RSA through the CryptoAPI interface. Each encrypted file is given the .vault extension.
Figure: Desktop of an infected computer
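Because the library is kept encrypted in the registry rather than on disk, one way to hunt for it is to look for unusually large, high-entropy binary registry values. The following is an added example, not code from Dr.Web or from the original page; the size and entropy thresholds, the key paths and the sample values are assumptions constructed for illustration.

```python
import math
import os
from collections import Counter

MIN_SIZE = 32 * 1024   # assumption: a stored DLL is at least tens of KiB
MIN_ENTROPY = 7.5      # bits per byte; encrypted data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def suspicious_values(values, min_size=MIN_SIZE, min_entropy=MIN_ENTROPY):
    """Yield (key_path, value_name, size, entropy) for large, high-entropy blobs.

    `values` is an iterable of (key_path, value_name, data) tuples, for example
    produced by an offline hive parser or a winreg walk on a live system.
    """
    for key_path, name, data in values:
        if not isinstance(data, (bytes, bytearray)) or len(data) < min_size:
            continue  # strings, DWORDs and small binary values are not candidates
        h = shannon_entropy(bytes(data))
        if h >= min_entropy:
            yield key_path, name, len(data), round(h, 2)

# Constructed sample data (placeholder paths, not taken from a real infection).
SAMPLE = [
    (r"HKCU\Software\ExampleApp", "WindowPos", bytes(16)),            # small binary
    (r"HKCU\Software\ExampleApp", "Cache", b"ABCD" * 20000),           # large, low entropy
    (r"HKCU\Software\ExampleApp", "InstallDir", r"C:\Program Files"),  # string value
    (r"HKCU\Software\PlaceholderKey", "blob", os.urandom(64 * 1024)),  # stands in for an encrypted DLL
]

if __name__ == "__main__":
    for hit in suspicious_values(SAMPLE):
        print(hit)
```

Legitimate software also stores compressed or encrypted data in the registry, so a hit is a lead for manual review rather than proof of infection.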
If you have become a victim of Trojan.Encoder.2843, it is recommended that you not reinstall the operating system and not delete any files on the computer. First of all, write to the Doctor Web technical support service, attaching any encrypted file to the message, and wait for an answer. This service is free for all users of commercial licenses of Dr.Web antivirus solutions. It is also recommended that you file a report with the police; a sample report can be downloaded from the Doctor Web site.
Source:
- Dr.Web