My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2014-04-25

Virus description added:


  • 883ee2b063bbc12d815fadaf20c9b31366869e05
  • b1a6b942a1f7027f7e744433eadf48a274a96819
  • 5f2160f9baf7dad89ab8b9a21a797be867294345
  • aff78db1ca229931acb45a9ffa5edb6ed1f810c6
  • 1a16c07527dc96951024514658da5653f2813325
  • cfd603cee2038f6667cb337fd9459422c5a2703a
  • 0c42b3b9d4e155db42e10887f58715244e1c17c8
  • 30a9a4e998e586e28ce40958d7e60c7747c9a1f7
  • 0028facdc4f4bb71b078f32bf87e4de38cb26641
  • c74a1605294d35d30eba5e6e09c765b6829a6428
  • ff6347734c9134ffa6d66cf746abf8ad68863354

A ransomware Trojan that encrypts files on the computer and demands a ransom for decryption of compromised data. It is distributed as an installer created with Smart Install Maker, and it is attached to an email message that claims to be sent from an arbitration court or in the form of a link for file download.

The following email addresses are currently known to belong to cybercriminals:

The Trojan is installed as a Windows system service. Depending on the bitness of the system, it chooses either the %SYSTEMDRIVE%\Program Files\winrar_update directory or %SYSTEMDRIVE%\Program Files (x86)\winrar_update.

If the attacked computer is running Windows XP, the Trojan also checks whether it has been launched from the specified directories and whether the WCS service is running. If not, the Trojan copies itself in one of these folders with byte-to-byte reading and writing, sets incorrect creation time for this file and runs the copy with the /install and /silent parameters. If any other Windows operation system is installed, the Trojan runs its copy attempting to to acquire higher privileges (runas).

The Trojan sends the following three parameters to the C&C server: version—the Trojan’s version, id—the computer identifier that is generated from the current date and a random number, and pass—encrypted password.

The Trojan encrypts files on all the computer’s disks except ones that are located in the Windows folder. For every disk, it calls a recursive function of file encryption. Then it creates the update.bin file (which stores the id vale and the encrypted password) and the checkdata.diff file (which temporary stores names of encrypted files) in the winrar_update folder.

The Trojan encrypts files that have the following extensions:

.r3d; .rwl; .rx2; .p12; .sbs; .sldasm; .wps; .sldprt; .odc; .odb; .old; .nbd; .nx1; .nrw; .orf; .ppt; .mov; .mpeg; .csv; .mdb; .cer; .arj; .ods; .mkv; .avi; .odt; .pdf; .docx; .gzip; .m2v; .cpt; .raw; .cdr; .cdx; .1cd; .3gp; .7z; .rar; .db3; .zip; .xlsx; .xls; .rtf; .doc; .jpeg; .jpg; .mp3; .zip; .ert; .bak; .xml; .cf; .mdf; .fil; .spr; .accdb; .abf; .a3d; .asm; .fbx; .fbw; .fbk; .fdb; .fbf; .max; .m3d; .dbf; .ldf; .keystore; .iv2i; .gbk; .gho; .sn1; .sna; .spf; .sr2; .srf; .srw; .tis; .tbl; .x3f; .ods; .pef; .pptm; .txt; .pst; .ptx; .pz3; .mp3; .odp; .qic; .wps

This Trojan has several modifications. Depending on the modification, the Trojan uses a particular encryption algorithm. The only common feature of these versions is that the Trojan chooses several file fragments and encrypts them one by one. At that, it adds offsets of the encrypted elements and MD5 hash from the original file (which is then used to check correctness of decryption) to the end of the file. Other information can also be present in the end of the file. This data is represented in decimal numeration system, except MD5 hash that is written in hexadecimal numeration system. Presumably, some versions of the Trojan also add random data that is then cut off during the decryption procedure.

In most cases, the Trojan’s version is specified in the end of a file name (for example, ver-, ver-CL Moreover, the file name contain email address of the attackers and the computer’s ID.

At present, those files can be entirely decrypted that were compromised with early versions of this ransomware program. For the 4th and the 5th modifications, it is possible to find the key and decrypt files in some cases. Files infected with the 6th version or later cannot be restored.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android