April 19, 2012
This Trojan encoder version is the first one featuring the English interface and spreading widely outside Russia. First reports concerning Trojan.Encoder.94 from Western-European users were received on April 9-10 2012, mostly from Germany, Italy, Spain, England, Poland, Austria, Norway and Bulgaria.
The encoder searches for user's files, in particular, Microsoft Office documents, music, photos, images and archives on disks available in the infected system and then encrypts them. Once user files are encrypted , the Trojan displays a demand to pay 50 euros or pounds to criminals via Ukash or Paysafecard. Currently five English-language versions of the Trojan are known to Doctor Web. They differ only in the encryption keys but operate in a similar manner.
Recently, Doctor Web's technical support service has received requests related to Trojan.Encoder.94 from users living in Brazil, Argentina and other Latin American countries. The Trojan spread through Europe, including such countries as Croatia, Switzerland, Netherlands, Slovenia, Belgium, France, Hungary and Romania. Doctor Web's engineers managed to decrypt data for virtually all users' requests which indicates the high efficiency of technologies employed for this purpose.
The Slovenian branch of the Computer Emergency Response Team has been one of organizations that contacted Doctor Web to share encoder neutralization experience. Currently CERT has successfully joined the effort supported by technologies and information from Doctor Web to tackle the outbreak.
Doctor Web once again reminds users of the simple rules to follow if your computer has been infected with Trojan.Encoder.94:
- Never attempt to solve the problem by reinstallling the operating system.
- Do not delete any files from the heard drives.
- Do not try to restore the encrypted data on your own.
- Contact Doctor Web's technical support. When file a request, select Cure request. This service is provided free of charge.
- Attach a doc or. txt file encrypted by the Trojan to the ticket.
- Wait for a response from a virus analyst. Due to the large number of requests it may take some time.
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.