June 28, 2017

Trojan.Encoder.12544 spreads by exploiting the SMB v1 vulnerability - MS17-010 (CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148), which can be leveraged using the NSA "ETERNAL_BLUE" exploit. TCP ports 139 and 445 are used to disperse the Trojan. This “remote code execution” vulnerability enables attackers to remotely infect targeted computers.

1. To regain access to Windows, you need to recover the MBR (you can use the standard procedure in the Recovery Console and launch bootrec.exe /FixMbr).

   You can also restore the boot record using Dr.Web LiveDisk — create a bootable CD or USB drive, boot up from that media, launch the Dr.Web scanner, check the compromised hard drive for viruses, and choose Cure for all the infected files.

2. After that disconnect your PC from the network, boot up, and apply the patch MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

   For computers running the obsolete Windows XP and Windows 2003 versions, you need to install the security updates manually. They can be downloaded from here:

   Windows XP SP3:

   download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-rus_84397f9eeea668b975c0c2cf9aaf0e2312f50077.exe

   Windows Server 2003 x86:

   download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-rus_62e38676306f9df089edaeec8924a6fdb68ec294.exe

   Windows Server 2003 x64:

   download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-rus_6efd5e111cbfe2f9e10651354c0118517cee4c5e.exe

3. Then install Dr.Web, establish a connection to the Internet, update the virus databases, and run a full system scan.

Trial for home users Trial for businesses

The Trojan replaces the MBR (Master Boot Record), and schedules and executes a system restart task. After that the OS won't boot up because the Master Boot Record has been compromised. Data starts being encrypted as soon as the system restart is scheduled. A separate AES key is generated for each drive. The key persists in the memory until the disk is completely encrypted. It is encrypted using a public RSA key and then deleted. If the MBR is replaced successfully, the MFT file is also encrypted once the system restarts. The file contains information about all the files on an NTFS drive. Once all these procedures are complete, the data can only be recovered using a private key. Therefore, without that key no files can be recovered.

As of now, decryption is not available. Our analysts are researching the problem and looking for a solution. We will notify you once a final determination has been made.