Symantec calls this Trojan.GpCoder; Dr Web calls it Trojan.Encoder.94; Trend Micro calls it Troj_Ransom.BXA; McAfee probably calls it GpCoder-dot-something.
The encryption is not over-complicated: it's TEA.
There's a full analysis of an earlier version of this, complete with source code, at
The first fix provided for this variant may not work if the encryption has changed, so the best advice I can give is for you to contact the Russian company which has been providing the fixes and submit a sample file for analysis. They will then provide you with the key to decrypt the files.
Advice from the Google forum discussion thread at https://productforums.google.com/forum/#!topic/gmail/qo0xd0MM1Z8:
That email address above is https://vms.drweb.com/sendvirus/?lng=en
Dr Web have a page on Trojan.Encoder.94 at http://news.drweb.com/show/?i=2356&lng=en&c=14 :
To minimize the damage from an infection by Trojan.Encoder.94, Doctor Web recommends users to back up all the files they need for their work. If your files have been compromised by the Trojan, use the following guidelines to avoid possible data losses:
Technical Information
Malicious functions:
Executes the following:
- <SYSTEM32>\dumprep.exe 2860 -dm 7 7 %TEMP%\WER9c75.dir00\explorer.exe.hdmp 16325836412027092
- <SYSTEM32>\rundll32.exe <SYSTEM32>\sysdm.cpl,NoExecuteProcessException %WINDIR%\explorer.exe
- <SYSTEM32>\dumprep.exe 2860 -dm 7 7 %TEMP%\WER9c75.dir00\explorer.exe.mdmp 16325836412027072
Modifies file system:
Creates the following files:
A full list of files which are modified by this Trojan, and Registry keys which are created or modified, can be found at
- scroll down to about two-thirds of the way down the webpage to find the list.
After running the fix from Dr Web you will need to run Malwarebytes or a similar program to remove the traces of infection. I don't know whether Stinger would clean these traces, but you might want to give that a try first: I do know that Malwarebytes cleans this infection.
One point to note is that the fix supplied by Dr Web seems designed only to work on the local file system. The Trojan may infect files on other drives -
The biggest problem with this trojan is the fact that it encrypts files on fileshares.
One of the Google forum posters has a solution if that has happened:
I hope this information is useful to you. Let us know if you manage to recover all the files and clean your system/network.

Message was edited by: Hayton on 20/05/12 05:30:29 IST
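Added illustration, not code from the post, from Dr Web, or from the malware: the TEA block cipher the post names, in its standard reference form, with the decrypt side a key-in-hand recovery tool of the kind Dr Web supplies would need. The key, the sample data and the plain block-by-block (ECB) layout are constructed assumptions; how Trojan.Encoder.94 actually derives its key or lays out encrypted files is not stated on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Standard TEA: 64-bit block, 128-bit key, 32 cycles (64 Feistel rounds). */
#define TEA_DELTA  0x9E3779B9u
#define TEA_CYCLES 32

/* Encrypt one 64-bit block v[0..1] in place with key k[0..3]. */
void tea_encrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_CYCLES; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Decrypt: the same schedule run backwards; sum starts at DELTA * CYCLES. */
void tea_decrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = TEA_DELTA * TEA_CYCLES; /* 0xC6EF3720 */
    for (int i = 0; i < TEA_CYCLES; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0; v[1] = v1;
}

/* Process whole 8-byte blocks in place (assumed ECB layout, no padding).
   Returns the number of blocks handled, or -1 if len is not a multiple of 8. */
int tea_buffer(uint8_t *buf, size_t len, const uint32_t k[4], int decrypt) {
    if (len % 8 != 0) return -1;
    for (size_t off = 0; off < len; off += 8) {
        uint32_t v[2];
        memcpy(v, buf + off, 8);            /* memcpy avoids alignment traps */
        if (decrypt) tea_decrypt_block(v, k); else tea_encrypt_block(v, k);
        memcpy(buf + off, v, 8);
    }
    return (int)(len / 8);
}

/* Self-check on a constructed key and sample: encrypt, confirm the bytes
   changed, decrypt with the same key, confirm the original is recovered. */
int tea_roundtrip_ok(void) {
    const uint32_t key[4] = {0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u};
    uint8_t sample[16] = "ransomware.test";  /* 15 chars + NUL = 2 blocks */
    uint8_t work[16];
    memcpy(work, sample, sizeof work);
    if (tea_buffer(work, sizeof work, key, 0) != 2) return 0;
    if (memcmp(work, sample, sizeof work) == 0) return 0;  /* must differ */
    if (tea_buffer(work, sizeof work, key, 1) != 2) return 0;
    return memcmp(work, sample, sizeof work) == 0;
}
```

Because TEA is symmetric, the same 128-bit key used to scramble a file is all that is needed to restore it, which is why submitting a sample to the vendor and getting a key back works as a recovery path.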