EnCiPhErEd Trojan

EnCiPhErEd Trojan, also known as Trojan.Ransom.HM, is ransomware that encrypts files on the infected computer and demands a payment of 50 EUR in exchange for a code. This code is needed before the user can decrypt the affected files.

Typically, .EnCiPhErEd Trojan targets non-executable files such as images, sounds and movies. Each changed file gets the new extension .EnCiPhErEd appended to its existing name. For example, a shortcut to Notepad.exe will bear the new file name Notepad.lnk.EnCiPhErEd. Aside from encrypting files, the Trojan also replaces the icons of the encrypted files with one identical image. After it has processed the files, it places a file called “HOW TO DECRYPT FILES.txt” containing the following message:

Attention! All your files are encrypted!
You are using unlicensed programs!
To restore your files and access them,
send code Ukash or Paysafecard nominal value of EUR 50 to the e-mail Koeserg@gmail.com.
During the day you receive the answer with the code.
You have 5 attempts to enter the code. If you exceed this date all data is irretrievably spoiled. Be careful when you enter the code!

Victims are asked to send proof of payment to the address given in the note. When the attacker confirms the payment, he replies with the decryption code. Because the note claims only five attempts are allowed, entering a wrong code in the decryption box carries the risk of losing all your files.

Type: Trojan
Sub-Type: Ransomware
Aliases: Trojan.Ransom.HM, Troj_Ransom.BXA, Trojan:W32/Ransomcrypt
OS Affected: Windows

What are the Symptoms of .EnCiPhErEd Trojan Infection?

The Trojan drops a text file in each folder it has infected. The file itself is clean; its contents are nothing but the warning quoted above.

Files encrypted

After encrypting a file, this Trojan appends the .EnCiPhErEd extension to its name and replaces the file's icon with a common pink image, as shown in the image below.

EnCiPhErEd files

If the user attempts to open any encrypted file, a warning is shown with this message: “Attention! All your files were encrypted! To decrypt files, please enter correct password!”

Enciphered Warning
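The symptoms above (renamed files with the .EnCiPhErEd extension and a “HOW TO DECRYPT FILES.txt” note in every affected folder) are easy to inventory before any cleanup starts, which tells you how far the infection spread and roughly when it ran. The following script is an added example and not code from the original page; the directory tree built in demo() is constructed for illustration, and the suffix list is a parameter so variant extensions can be added.

```python
"""Inventory a directory tree for EnCiPhErEd artifacts: files renamed with the
.EnCiPhErEd extension and the dropped 'HOW TO DECRYPT FILES.txt' ransom notes.
Added example, not from the original page. The sample tree in demo() is constructed."""
import os
import shutil
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"
ENCRYPTED_SUFFIXES = (".enciphered",)   # matched case-insensitively; add variants here


@dataclass
class Findings:
    encrypted: List[str] = field(default_factory=list)   # paths of renamed files
    notes: List[str] = field(default_factory=list)       # paths of ransom notes
    per_dir: Counter = field(default_factory=Counter)    # encrypted files per folder
    orphan_note_dirs: List[str] = field(default_factory=list)  # note present, no renamed file
    first_mtime: Optional[float] = None   # earliest write to an encrypted file
    last_mtime: Optional[float] = None    # latest write: together they bound the run


def original_name(name: str) -> Optional[str]:
    """'Notepad.lnk.EnCiPhErEd' -> 'Notepad.lnk'; None if the name is not an encrypted one."""
    lower = name.lower()
    for suf in ENCRYPTED_SUFFIXES:
        if lower.endswith(suf) and len(name) > len(suf):
            return name[:-len(suf)]
    return None


def scan(root: str) -> Findings:
    """Walk root and collect renamed files, ransom notes and per-folder counts."""
    f = Findings()
    for dirpath, _subdirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE.lower():
                f.notes.append(full)
            elif original_name(name) is not None:
                f.encrypted.append(full)
                f.per_dir[rel] += 1
                mtime = os.path.getmtime(full)
                f.first_mtime = mtime if f.first_mtime is None else min(f.first_mtime, mtime)
                f.last_mtime = mtime if f.last_mtime is None else max(f.last_mtime, mtime)
    # Folders holding a note but no renamed file deserve a manual look: the
    # encrypted copies may have been moved, or the rename may have failed.
    note_dirs = {os.path.relpath(os.path.dirname(n), root) for n in f.notes}
    f.orphan_note_dirs = sorted(d for d in note_dirs if f.per_dir[d] == 0)
    return f


def demo() -> Findings:
    """Build a constructed sample tree in a temp dir, scan it, clean up."""
    root = tempfile.mkdtemp()
    try:
        layout = {
            "docs": ["report.doc.EnCiPhErEd", RANSOM_NOTE, "readme.txt"],
            "pics": ["holiday.jpg.ENCIPHERED", RANSOM_NOTE],
            os.path.join("pics", "old"): ["song.mp3.EnCiPhErEd", RANSOM_NOTE],
            "empty": [RANSOM_NOTE],
        }
        for rel, names in layout.items():
            d = os.path.join(root, rel)
            os.makedirs(d)
            for n in names:
                with open(os.path.join(d, n), "wb") as fh:
                    fh.write(b"x")
        return scan(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    found = demo()
    print(len(found.encrypted), "encrypted files,", len(found.notes), "notes")
    print("folders with a note but no encrypted file:", found.orphan_note_dirs)
```

Run scan() against the real drive root before deleting anything: the per-folder counts show what needs to be restored, and the modification-time window gives the time frame to search in logs for the dropper.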

How to Remove .EnCiPhErEd Trojan Manually

1. Restart your computer in Safe Mode
- After powering on the computer, just before Windows starts, press F8
- From the menu, select Safe Mode

2. Remove the registry entries that the threat added. You MUST BACK UP YOUR REGISTRY FIRST.
- Click Start > Run
- Type regedit in the field
- This page does not list the specific keys; use the entries named in your antivirus vendor's write-up for one of the aliases above, locate them, and delete only those

3. Delete the malicious files that the threat added:
- If your antivirus vendor's write-up gives a file location, browse to it and delete the file
- If no location is given, click Start > Search and search for the files
- If a file cannot be deleted, press Ctrl+Alt+Del to open Task Manager and check whether the file is running as a process. If it is, select it, click End Process, and delete the file again

4. Scan the computer with an antivirus program
- Update the antivirus program
- Scan the computer and delete all detected threats

Automatic Removal of .EnCiPhErEd Trojan

1. Download and run Malwarebytes Anti-Malware to remove .EnCiPhErEd Trojan.

How to Remove File Encryption

1. Download the tool from this link:
ftp://ftp.drweb.com/pub/drweb/tools/te94decrypt.exe

2. Copy a few (three or more) encrypted files with the .EnCiPhErEd extension to a USB drive. Test the tool on these copies only, never on the originals.

3. Copy te94decrypt.exe to the root of the USB drive.

4. Press {Windows Key} + {R} on your keyboard, or open the Run command from the Start Menu.

5. Type the following commands and try them one at a time (E: is the USB drive's letter; substitute yours). If the first key does not work, delete the copied .EnCiPhErEd files from the USB drive and copy fresh ones from the infected computer before trying the next key. Only once a key has been confirmed on the test copies should it be run against the rest of the files, and keep the encrypted originals until the decrypted files have been verified.

E:\te94decrypt.exe -k 87
E:\te94decrypt.exe -k 85

6. If you have an existing antivirus program, update it and run a complete scan to be sure the computer is free of viruses and Trojans.
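The procedure above is a loop: stage pristine copies, try one key, and if it fails throw the copies away and stage fresh ones before the next key, so a wrong key never touches the originals. The script below automates that loop. It is an added example, not code from the page or from Dr.Web. Two assumptions are built in and labelled in the code: that te94decrypt.exe is run with the staging folder as its working directory and writes each decrypted file beside its .EnCiPhErEd input with the extension removed, and that it prints a line containing “wrong key” when the key does not match. Neither is verified here, so the tool invocation is injectable and the demo uses a constructed stand-in.

```python
"""Stage encrypted samples and try candidate te94decrypt.exe -k values one at a
time, refreshing the staged copies before every attempt.

Added example, not code from the page or from Dr.Web. ASSUMPTIONS (unverified):
the tool runs from the staging dir, writes decrypted output beside each
.EnCiPhErEd file with the suffix removed, and prints "wrong key" on failure."""
import os
import shutil
import subprocess
import tempfile
from typing import Callable, Iterable, List, Optional, Tuple

SUFFIX = ".EnCiPhErEd"

# A runner takes (key, stage_dir) and returns (exit_code, console_output).
Runner = Callable[[int, str], Tuple[int, str]]


def drweb_runner(tool_path: str) -> Runner:
    """Real runner: invoke te94decrypt.exe -k <key> with stage_dir as cwd (assumption)."""
    def run(key: int, stage_dir: str) -> Tuple[int, str]:
        proc = subprocess.run([tool_path, "-k", str(key)], cwd=stage_dir,
                              capture_output=True, text=True)
        return proc.returncode, proc.stdout + proc.stderr
    return run


def decrypted_name(path: str) -> str:
    """'report.doc.EnCiPhErEd' -> 'report.doc' (assumed output naming)."""
    return path[:-len(SUFFIX)] if path.lower().endswith(SUFFIX.lower()) else path


def refresh_samples(sources: Iterable[str], stage_dir: str) -> List[str]:
    """Wipe the staging dir and copy pristine encrypted samples into it."""
    for name in os.listdir(stage_dir):
        p = os.path.join(stage_dir, name)
        if os.path.isfile(p):
            os.remove(p)
    staged = []
    for src in sources:
        dst = os.path.join(stage_dir, os.path.basename(src))
        shutil.copy2(src, dst)
        staged.append(dst)
    return staged


def try_keys(sources, stage_dir, keys, runner: Runner) -> Optional[int]:
    """Return the first key that produced a non-empty decrypted counterpart for
    every staged sample without the tool reporting "wrong key"; else None."""
    for key in keys:
        staged = refresh_samples(sources, stage_dir)
        _rc, out = runner(key, stage_dir)
        if "wrong key" in out.lower():
            continue
        outputs = [decrypted_name(p) for p in staged]
        if all(os.path.isfile(o) and os.path.getsize(o) > 0 for o in outputs):
            return key
    return None


def fake_runner(correct_key: int) -> Runner:
    """Constructed stand-in for the tool: on the correct key it writes a
    'decrypted' file beside each sample, otherwise it prints "wrong key"."""
    def run(key: int, stage_dir: str) -> Tuple[int, str]:
        if key != correct_key:
            return 1, "wrong key\n"
        for name in os.listdir(stage_dir):
            if name.lower().endswith(SUFFIX.lower()):
                src = os.path.join(stage_dir, name)
                with open(src, "rb") as f, open(decrypted_name(src), "wb") as g:
                    g.write(bytes(b ^ 0x5A for b in f.read()))  # placeholder transform
        return 0, "done\n"
    return run


def demo(correct_key: int = 87, keys=(85, 87, 88)) -> Optional[int]:
    """End-to-end run on constructed samples with the fake tool; returns the key found."""
    work = tempfile.mkdtemp()
    try:
        originals, stage = os.path.join(work, "infected"), os.path.join(work, "usb")
        os.makedirs(originals)
        os.makedirs(stage)
        sources = []
        for base in ("report.doc", "holiday.jpg", "song.mp3"):
            p = os.path.join(originals, base + SUFFIX)
            with open(p, "wb") as f:
                f.write(os.urandom(64))   # constructed "ciphertext"
            sources.append(p)
        found = try_keys(sources, stage, keys, fake_runner(correct_key))
        # The originals must be untouched: nothing was written beside them.
        assert not any(os.path.exists(decrypted_name(s)) for s in sources)
        return found
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print("key found:", demo())
```

With the real tool, replace fake_runner(...) by drweb_runner(r"E:\te94decrypt.exe") and point sources at a handful of encrypted files. A key that passes the check still needs a human to open the decrypted samples, because the check only proves the tool wrote something and did not complain.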


16 Responses to “EnCiPhErEd Trojan”

  1. dave_simple
    April 17, 2012 at 2:56 pm #

    I decrypted my files using -k 88. Then I scanned the computer with Malwarebytes and found dozens of threats. My Norton also found 76 Trojans all over the place. Thanks for this guide.

  2. samo_p
    April 19, 2012 at 9:41 am #

    With -k 88 it's not working: wrong key.

  3. tryhard
    April 19, 2012 at 12:10 pm #

    Yes, samo is right, -k 88 gives a “wrong key” message. I tried -k 87 and it worked on my sample files. I'm hesitant to run it on all my files. Maybe I will decrypt per batch of files, or I will create a full backup first.

    With -k 87 working on my Vista, I guess there are levels of encryption for each type of Windows? Just my guess!

  4. samo_p
    April 20, 2012 at 7:09 am #

    It’s working with -k 88 on Windows 7. I saved all my files. :)

  5. semp
    April 20, 2012 at 9:46 am #

    Hello,
    I had been trying for a few days and only the newest one from today, 19.04.2012, helped me :)
    te94decrypt.exe -k 87
    AVG identified this virus as idp.trojan.fc44335e

    Many thanks :)

    SemP

  6. Matias
    April 27, 2012 at 5:47 pm #

    Working with -k 106 :)

  7. marino
    April 29, 2012 at 10:47 am #

    Looks like it's working with -k 106 on .QWCiPhErEd files

  8. Larry
    April 29, 2012 at 9:32 pm #

    Thank you all for posting!
    It seems -k 106 works for me on .QWCiPhErEd files, but the problem is that when decrypting, the decrypted files are generated beside the encrypted files, which leads to disk overload (there is only 10% free space left on every disk of my PC). How can I deal with this issue? Will the encrypted files be deleted after being decrypted?

  9. michelerouge
    May 2, 2012 at 1:08 pm #

    @marino
    i tried

    te94decrypt.exe -k 106

    but te94decrypt.exe shows “wrong key”

  10. michelerouge
    May 2, 2012 at 1:09 pm #

    @Larry
    te94decrypt.exe -k 106

    but te94decrypt.exe shows “wrong key”

  11. stingray6w9
    May 3, 2012 at 1:51 am #

    Thank you for the code!
    I can confirm that -k 106 is working with the .QWCIPHERED extension. Be careful if you have any strange permissions. The user the encryption virus runs under needs “write extended attributes” to encrypt the file, but if the user does not have “modify” rights, the file is encrypted and the copy with the extension is not created. The file looks OK but indicates it is corrupted when opened. It can be decrypted using the tool if you add the .QWCIPHERED extension. CAUTION: If the file is not encrypted and you add the extension and run the tool, it encrypts it.
    Larry, you could move (not copy) all the files with the .QWCIPHERED extension to an external drive (this should give you some space to work with), then copy the files back in groups, decrypting and then deleting the encrypted ones. It is a process, but it should work.

  12. Raul
    May 3, 2012 at 8:30 pm #

    Do you have a 64-bit version?

  13. Piero
    May 7, 2012 at 8:43 am #

    Thanks a lot!
    I confirm that I used -k 106 for qwciphered encrypted files in Windows XP.

  14. Nik
    May 11, 2012 at 9:42 am #

    I wrote an e-mail to the Dr.Web team and they made an update of their te94decrypt.exe to a new version, and with this tool started with the -k 103 key all my ENCIPHERED files were saved!

  15. Anto
    July 17, 2013 at 7:51 am #

    No luck for me. On 16/7 my servers were affected!!! Please help us.

  16. Jeison de Souza
    November 19, 2013 at 6:42 pm #

    My server was infected with the OMG! extension. Does anyone know which parameter I should use?
