M$ Word and Excel Virus spotted in Europe !

henke54
Posts: 382
Joined: Thu Apr 02, 2009 6:10 pm
Location: Flanders Belgium

M$ Word and Excel Virus spotted in Europe !

Post by henke54 »

The virus that was spread by the Citadel botnet is called Dorifel and infects Microsoft Word and Microsoft Excel documents as well as executable files, according to the NCSC. Microsoft calls the virus Quervar.B and notes that it has been observed contacting remote hosts in order to download files onto computers.

The virus spread via systems that were infected with Citadel for some time, infecting thousands of documents, the NCSC said. Dorifel is known as a banking Trojan designed to steal banking data and log-in credentials, it added. The virus damages Office files, rendering them unreadable via encryption, but the files are not destroyed.

If a user opens the file the virus can spread further via connected network discs, the NCSC said. The infection is activated after a system reboot and then starts looking for Office files.
:roll:
LibreOffice 6.0.7.3
on Linux Mint Mate
henke54
Posts: 382
Joined: Thu Apr 02, 2009 6:10 pm
Location: Flanders Belgium

Re: M$ Word and Excel Virus spotted in Europe !

Post by henke54 »

Dorifel had encrypted most Excel and Word documents and converted them into executable files.

The result was that many government staff had to blow the dust off the old-fashioned typewriters again as they were asked to leave their computers switched off in an attempt to stop the outbreak in its tracks.
:roll:

'SIDE NOTES' :
Yesterday it was a dark day for many companies in Europe, but especially in the Netherlands. A piece of malware known as Worm.Win32.Dorifel infected over 3000 machines globally, and 90% of infected users were both from public and business sector organizations based in the Netherlands.
:P
LibreOffice 6.0.7.3
on Linux Mint Mate
acknak
Moderator
Posts: 22756
Joined: Mon Oct 08, 2007 1:25 am
Location: USA:NJ:E3

Re: M$ Word and Excel Virus spotted in Europe !

Post by acknak »

Does anyone know whether these are infecting the old MS Office binary files, or can they hit the newer xml formats as well?
AOO4/LO5 • Linux • Fedora 23
henke54
Posts: 382
Joined: Thu Apr 02, 2009 6:10 pm
Location: Flanders Belgium

Re: M$ Word and Excel Virus spotted in Europe !

Post by henke54 »

acknak wrote: Does anyone know whether these are infecting the old MS Office binary files, or can they hit the newer xml formats as well?
According to McAfee:
mcafee wrote: XDocCrypt.a belongs to a family of malware which encrypts Microsoft Office Word, Excel and Executable files present in the system. It encrypts these files using RC4 encryption Algorithm. On successful encryption, the original file will be replaced with the infector followed by encrypted data; and if the original file name has “.doc”/“.docx” then it will be replaced by “U+202Ecod.scr”, if original filename has “.xls”/“.xlsx” then it will be replaced by “U+202Eslx.scr”,
https://kc.mcafee.com/corporate/index?p ... id=PD23930
LibreOffice 6.0.7.3
on Linux Mint Mate
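
Added example, not part of the thread or of McAfee's write-up: a filename check for the renaming quoted above, where U+202E (right-to-left override) makes a `.scr` file display with a `.doc` or `.xls` ending. The sample names, the extension list and the simplified display model (everything after the override is drawn reversed) are assumptions of this example.

```python
import os

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character named in the McAfee quote
# Bidirectional control characters that can change the order a name is drawn in.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
# Extensions Windows runs as programs (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}


def displayed_name(name):
    """Approximate what a bidi-aware file manager shows for this name."""
    head, sep, tail = name.partition(RLO)
    if not sep:
        return name
    visible = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + visible[::-1]  # text after the override is drawn right to left


def inspect(name):
    """Compare the extension the OS acts on with the one the user sees."""
    shown = displayed_name(name)
    real_ext = os.path.splitext(name)[1].lower()
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    return {
        "escaped": name.encode("unicode_escape").decode("ascii"),
        "displayed": shown,
        "real_ext": real_ext,
        "shown_ext": os.path.splitext(shown)[1].lower(),
        "suspicious": has_bidi and real_ext in EXECUTABLE_EXTS,
    }


def scan(names):
    """Return a report for every name that hides an executable extension."""
    return [r for r in map(inspect, names) if r["suspicious"]]


# Constructed sample names following the pattern in the quote.
SAMPLE = ["invoice\u202ecod.scr", "budget\u202eslx.scr", "notes.docx", "setup.exe"]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f'{hit["escaped"]}: shown as {hit["displayed"]}, runs as {hit["real_ext"]}')
```

To check a real folder, pass the names from `os.listdir()` or `os.walk()` to `scan()`.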
Hagar Delest
Moderator
Posts: 32655
Joined: Sun Oct 07, 2007 9:07 pm
Location: France

Re: M$ Word and Excel Virus spotted in Europe !

Post by Hagar Delest »

Well, it could have happened to ODF too I guess, or any other file format. It's hardly a file format issue.
LibreOffice 7.6.2.1 on Xubuntu 23.10 and 7.6.4.1 portable on Windows 10