This Trojan encoder was first detected on January 2011. It is written in Assembler language. The Trojan encrypts data stored on the infected computer, such as user documents, audio and video files, archives and, sometimes, executable files. The encoder uses one of the following encryption algorithms: XOR, TEA or AES. At that, it often encrypts the part of files excluding first bytes. The Trojan associates itself with encrypted files and adds the “CRYPTED!” attribute to their properties.
The constructor for creating encoders of this type, which implement TEA and XOR encryption, is available in the public domain. Most files encrypted by Trojan.Encoder.94, which was created with the use of this constructor, can be decrypted. As for decryption of files encrypted with AES method, it is possible only if the Trojan executable resides on the disk.