%UserProfile%\Local Settings\Application Data\Facebook\[random name].exe
%ProgramFiles%\MSN GAMING ZONE\[random name].exe
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\programs\startup\[random name].exe
Size: 429568 bytes
Size: 24576 bytes
Depending on the OS version, the trojan copies itself to one of these locations:
C:\Program Files (x86)\Dirty\DirtyDecrypt.exe
C:\Documents and Settings\[YOUR USER]\Application Data\Dirty\DirtyDecrypt.exe
C:\Documents and Settings\[YOUR USER]\Local Settings\Application Data\Dirty\DirtyDecrypt.exe
[random name] = %UserProfile%\Impostazioni locali\Dati applicazioni\Facebook\[random name].exe
[Userinit] = c:\windows\system32\userinit.exe,%ProgramFiles%\MSN GAMING ZONE\[random name].exe
It is also executed by the start menu:
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\programs\startup\[random name].exe
[DirtyDecrypt] = "%UserProfile%\AppData\Roaming\Dirty\DirtyDecrypt.exe\" \hide
This trojan edits some registry keys to disable the following services:
- wscsvc, the Action Center in Windows Vista, 7 and 8
- wuauserv, Windows automatic updates
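The persistence entries and the service tampering listed above can be checked from the defender's side. The following is an added example, not code from the original analysis or from TG Soft: it parses a Userinit registry value (a comma-separated list that should contain only the legitimate userinit.exe), flags autostart commands that point into the profile and Program Files directories the trojan uses, and reports whether wscsvc or wuauserv are set to Disabled. The registry and service values are constructed samples; on a live host they would be read from HKLM\...\Winlogon\Userinit, the Run keys, and the service start types.

```python
"""Indicator checks for the DirtyDecrypt persistence and service-tampering
behaviour described in the analysis (added example, constructed sample data)."""
import re

# The only entry a clean Userinit value should contain (compared case-insensitively).
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

# Directory fragments the analysis names as drop/autostart locations.
SUSPICIOUS_DIR_PATTERNS = [
    r"\\facebook\\",
    r"\\msn gaming zone\\",
    r"\\dirty\\",
    r"\\start menu\\programs\\startup\\",
]

# Services the trojan disables.
TAMPERED_SERVICES = {"wscsvc", "wuauserv"}


def parse_userinit(value):
    """Split a Userinit value into its executable entries, dropping quotes and blanks."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def userinit_extras(value):
    """Return every Userinit entry that is not the legitimate userinit.exe."""
    return [p for p in parse_userinit(value) if p.lower() != LEGIT_USERINIT]


def is_suspicious_autostart(command):
    """True if an autostart command points into one of the directories above."""
    lowered = command.lower()
    return any(re.search(pat, lowered) for pat in SUSPICIOUS_DIR_PATTERNS)


def disabled_tampered_services(service_start_types):
    """Given {service name: start type}, return the tampered services set to Disabled."""
    return sorted(
        name for name, start in service_start_types.items()
        if name.lower() in TAMPERED_SERVICES and start.lower() == "disabled"
    )


def assess(userinit_value, run_entries, service_start_types):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for extra in userinit_extras(userinit_value):
        findings.append(f"Userinit hijack: extra executable {extra}")
    for name, command in run_entries.items():
        if is_suspicious_autostart(command):
            findings.append(f"Suspicious autostart '{name}': {command}")
    for svc in disabled_tampered_services(service_start_types):
        findings.append(f"Service disabled: {svc}")
    return findings


# Constructed sample values modelled on the entries in the analysis.
SAMPLE_USERINIT = r"c:\windows\system32\userinit.exe,%ProgramFiles%\MSN GAMING ZONE\abcd1234.exe"
SAMPLE_RUN = {
    "DirtyDecrypt": r'"%UserProfile%\AppData\Roaming\Dirty\DirtyDecrypt.exe" \hide',
    "OneDrive": r'"C:\Program Files\OneDrive\OneDrive.exe" /background',  # benign control
}
SAMPLE_SERVICES = {"wscsvc": "Disabled", "wuauserv": "Disabled", "Dhcp": "Automatic"}

if __name__ == "__main__":
    for line in assess(SAMPLE_USERINIT, SAMPLE_RUN, SAMPLE_SERVICES):
        print(line)
```

The Userinit check is deliberately strict: any second entry, whatever its name, is reported, because the legitimate value has exactly one executable and the trojan's appended name is random.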
Approximately 5 minutes after the virus is executed, a full-screen borderless window showing a police announcement appears and locks the PC.
It encrypts the following document formats with the RSA cryptosystem:
Example of an encrypted image:
Example of an encrypted RTF document:
If executed, Trojan.Win32.DirtyDecrypt.B shows the following window:
To decrypt the encrypted files, the ransomware asks for the following amount of money, depending on the chosen currency:
The possible payment methods shown are:
The following domain (located in Amsterdam) is used to handle the payment request:
It is removed by VirIT eXplorer since version 7.4.48.
The first version of the malware had a flaw that could be exploited to decrypt the files without paying the ransom.
Unfortunately, the malware's creators corrected that flaw, so it is no longer possible to get the files back this way.
For some kinds of files it is still possible to recover part of the content, although the attempt is very likely to corrupt the file and lose it.
Analysis by eng. Gianfranco Tonello
C.R.A.M. (Anti-Malware Research Center) by TG Soft