Threat Descriptions

Rogue:W32/DatDoc

Classification

Category :

Malware

Type :

Rogue

Platform :

W32

Aliases :

Rogue:W32/DatDoc

Summary

Deceptive antivirus software that pressures users into buying or installing it (e.g., infecting a computer; displaying false or alarming warnings or scanning results). Once installed, it may not function as claimed.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Rogue:W32/DatDoc is a "utility program" intended to decrypt files which have been previously encrypted by a separate program. It also appears able to perform other utility functions.The user was then pressured to download and execute this program in order to decrypt the affected files. A fee may be demanded for performing the decryption service.DatDoc is known to be downloaded onto the system by Trojan:W32/DatCrypt, which performs the preliminary encryption. Malware that engages in this type of behavior is known as Ransomware.

Execution

Once DatDoc is downloaded onto a system, the separate DatCrypt malware will launch DatDoc's installer. The installation process for the product requires the user's interaction.When using the utility to decrypt files, the user has the option of performing decryption on a single file, or on multiple files (full scan):

Unfortunately, if the user attempts to use the utility to decrypt multiple files, only the first selected file will be decrypted for free; the utility will then inform the user that decryption for additional files will require payment of a "fee". Further decryption is not performed until the fee is paid.

File System Changes

Creates these files:

  • %temp%\is-126AP.tmp\sample.tmp

Create these directories:

  • %temp%\is-126AP.tmp