Instructions for users affected by Trojan.Encoder.12544

June 28, 2017

Trojan.Encoder.12544 spreads by exploiting the SMBv1 vulnerabilities fixed in Microsoft security bulletin MS17-010 (CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148), the same flaws targeted by the NSA-attributed EternalBlue exploit. The Trojan propagates over TCP ports 139 and 445. Because this is a remote code execution flaw in a network service, an unpatched machine that exposes SMB can be infected over the network with no user interaction.

  1. To regain access to Windows, restore the MBR: boot into the Windows Recovery Environment, open the command prompt and run bootrec.exe /FixMbr. This only makes the system bootable again; it does not decrypt any files, and if the Trojan has already completed its post-restart stage the MFT is already encrypted (see the description below).

    You can also restore the boot record using Dr.Web LiveDisk: create a bootable CD or USB drive, boot from that media, launch the Dr.Web scanner, scan the compromised hard drive, and choose Cure for every infected file.

  2. Then, with the PC disconnected from the network, boot up and install the MS17-010 update (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx). Keep the machine offline until the update is installed; otherwise it can be reinfected over SMB before you finish.

  3. Finally, install Dr.Web, connect to the Internet, update the virus databases, and run a full system scan.
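The PowerShell below is an added illustration of steps 2 and 3 from an administrator's side; it is not part of Doctor Web's instructions. It checks whether an MS17-010 update is listed, disables SMBv1 on both the server and client side, blocks inbound TCP 139/445 at the host firewall, and lists any peers still connected on those ports before the machine goes back on the network. The KB numbers are the ones the MS17-010 bulletin lists per OS family and are an assumption to be checked against the bulletin for your exact SKU; the registry value and service dependency edits follow Microsoft's documented SMBv1 procedure (KB2696547).

```powershell
# Added example, not part of the Doctor Web instructions: post-recovery checks and
# hardening against the MS17-010 / SMBv1 exposure used by Trojan.Encoder.12544.
# Run from an elevated PowerShell prompt (Windows 7 / Server 2008 R2 or later)
# while the machine is still disconnected from the network.
#Requires -RunAsAdministrator

# --- 1. Is an MS17-010 update present? ---------------------------------------
# Assumption: these are the KB IDs the MS17-010 bulletin lists per OS family
# (Vista/2008: 4012598; 7/2008 R2: 4012212, 4012215; 2012: 4012214, 4012217;
# 8.1/2012 R2: 4012213, 4012216; 10: 4012606, 4013198, 4013429). Verify them
# against the bulletin for your SKU. A later cumulative update supersedes them and
# will not show these IDs, so "not found" means "confirm via Windows Update",
# not "unpatched".
$ms17010Kbs = 'KB4012598','KB4012212','KB4012215','KB4012214','KB4012217',
              'KB4012213','KB4012216','KB4012606','KB4013198','KB4013429'
$found = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($found) {
    "MS17-010 update present: $($found.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 KB listed by Get-HotFix; confirm patch level before reconnecting.'
}

# --- 2. Turn off SMBv1 (server and client side) --------------------------------
# EternalBlue targets the SMBv1 server; the workstation side is disabled as well
# so this host cannot speak SMBv1 to other machines. Procedure per KB2696547.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later ship the SMB cmdlets
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: no SMB cmdlets, use the documented registry value
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                     -Name SMB1 -Type DWord -Value 0 -Force
}
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# --- 3. Block inbound TCP 139/445 at the host firewall --------------------------
# netsh is used instead of New-NetFirewallRule so the same line works on Windows 7.
netsh advfirewall firewall add rule name=Block_Inbound_SMB_MS17-010 `
      dir=in action=block protocol=TCP localport=139,445 | Out-Null

# --- 4. Show who is still talking to us on those ports --------------------------
# On an isolated host any ESTABLISHED peer here deserves a look before reconnecting.
netstat -ano | Select-String -Pattern ':(139|445)\s'

# A restart is required for the SMBv1 changes to take effect.
```

The firewall rule is a stop-gap for hosts that must be reconnected before the update can be installed; remove it only once the patch is confirmed and SMBv1 is off, and note that in a domain the same two ports are also used for legitimate file and print sharing.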


The Trojan overwrites the MBR (Master Boot Record) with its own boot code and schedules a system restart. File encryption starts as soon as that restart task is scheduled. A separate AES key is generated for each drive and is kept in memory only until that drive has been fully encrypted; it is then encrypted with the attackers' public RSA key and wiped from memory. If the MBR overwrite succeeded, the malicious boot code also encrypts the MFT (Master File Table), which holds the records of every file on an NTFS volume, after the restart; from that point the OS no longer boots. Once both stages have completed, the data can be recovered only with the matching RSA private key; without it, no files can be recovered.

As of now, decryption is not available. Our analysts are researching the problem and looking for a solution. We will notify you once a final determination has been made.

© Doctor Web
2003 — 2017