
Our researcher Adam Thomas came across a new piece of ransomware today: an encryption trojan delivered via our old “friends” iframedollars. It encrypts the files on your hard drive very rapidly if you’re unfortunate enough to be victimized by it.

It arrives through drive-by downloads from malicious web sites. It’s also packaged with other malware.

1. The victim receives a message that the system is shutting down due to “Unrecognized disk driver command.”


2. His system is then re-booted to safe mode and a message is displayed: “Windows has recovered from a serious error. Some files can be corrupted. Disk checking is strongly recommended.”


3. Attempting to access a file, the victim receives the message “Unable to open the file due to data corruption”. The repair file button downloads Data Doctor 2010, which of course runs in trial mode. It does, however, offer to repair one (1) file for you so you know it is “legitimate.”


And, the pitch: pay $89.95 for a lifetime license. Additionally, these slime have the audacity to tack on a $1.50 activation fee.


Nice work, Adam.

Update: Jan. 6, 2010:

A blog reader has asked if we have a way to decrypt the files that Data Doctor 2010 encrypts. We have posted a tool that will do that. Go to:

Update 01/08:

Our good friends at F-Secure have posted a very good, detailed analysis of Data Doctor 2010. It can be found at:

Tom Kelchner
