http://www.surfright.nl/it/support/dorifel-decrypter
Dorifel decrypter
Introduction
In early August 2012, the Dutch government, the public sector and the networks of private companies were hit hard by a new wave of crypto malware named Trojan-Ransom.Win32.Dorifel. Our research revealed that this Trojan entered the networks thanks to a variant of the Zeus/Zbot banking Trojan called Citadel. This means that this Trojan was already present on one of the computers inside the network.
Update: On August 28, 2012 we received the first report of a new variant of this Trojan, which has now appeared in the United States.
This Dorifel Trojan scans network shares and local (USB) connected drives for executables and Microsoft Office documents. To be precise: .doc and .docx (Word documents), .xls and .xlsx (Excel documents) and programs with the .exe file extension. Encountered documents and programs are seized and replaced with a new executable file that has the .scr file extension. This executable file contains an RC4-encrypted version of the seized document or program. The Trojan adds a familiar icon to the file and changes the filename of the document, abusing the RTLO 'vulnerability' (right-to-left override, Unicode U+202E) to make computer users believe the 'document' has the correct file extension.
Figure: Notice the differences (icon, filename) between a Word Document and a document affected by Dorifel.
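The RTLO trick described above can be checked for mechanically: a file browser renders everything after U+202E reversed, so a name like "invoice" + RTLO + "cod.scr" is shown as "invoicercs.doc" while the real extension stays .scr. The following scanner is an added example, not part of the original page or of the Emsisoft decrypter; it assumes a plain directory tree and uses constructed sample names.

```python
"""Flag files whose name uses the Unicode RIGHT-TO-LEFT OVERRIDE to disguise
an executable extension, the trick Dorifel uses to pass a .scr off as .doc/.xls."""
import os

RTLO = "\u202e"                      # U+202E RIGHT-TO-LEFT OVERRIDE
BIDI_CONTROLS = "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
EXECUTABLE_EXTS = {".scr", ".exe"}   # what actually runs when double-clicked
_STRIP = {ord(c): None for c in BIDI_CONTROLS}


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware file browser shows: the text after the
    first RTLO is rendered reversed, and bidi control characters are invisible."""
    idx = name.find(RTLO)
    if idx < 0:
        return name.translate(_STRIP)
    head, tail = name[:idx], name[idx + 1:].translate(_STRIP)
    return head + tail[::-1]


def analyze_filename(name: str) -> dict:
    """Compare the real extension with the one a user would see."""
    real_ext = os.path.splitext(name)[1].lower()
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "name": name,
        "displayed": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "rtlo": RTLO in name,
        # Dorifel pattern: an RTLO hides an executable extension behind a document one
        "disguised": RTLO in name and real_ext in EXECUTABLE_EXTS and shown_ext != real_ext,
    }


def scan_directory(root: str) -> list:
    """Walk a share or drive and return the analysis of every disguised file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            info = analyze_filename(f)
            if info["disguised"]:
                info["path"] = os.path.join(dirpath, f)
                hits.append(info)
    return hits


if __name__ == "__main__":
    # Constructed sample names (hypothetical, not real Dorifel artefacts):
    for n in ["invoice" + RTLO + "cod.scr", "budget" + RTLO + "slx.scr", "report.docx"]:
        print(analyze_filename(n))
```

Run scan_directory against a mounted share to list files whose shown extension does not match the real one; a clean share returns an empty list.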
So currently, most affected users will not notice anything, since the 'documents' open as usual. In its current state the malware is likely all about propagating itself to as many machines as possible. But since the Trojan checks for an online update every half hour or so, the attacker could later deploy more ruthless malware.
Download the decrypter if you need it.
This decrypter was created by Fabian Wosar of Emsisoft, thanks to contributions by our researchers Mark and Erik Loman.
https://hitmanpro.wordpress.com/2012/08/10/dorifel/
The Trojan entered the networks through a variant of the Zeus/Zbot banking Trojan called Citadel. This means that this Trojan was already present on one or more computers inside the network for days, maybe weeks. In other words: the malware could already have been snooping on all electronic communication inside the organization, including stealing passwords of critical infrastructure, copying confidential documents, social security numbers, passport details, etc., without anyone (or anything) noticing (!)