Dr Web releases decoding utility for new Trojan

Released on = June 2, 2006, 12:05 am

Press Release Author = Doctor Web, Ltd.

Industry = Software

Press Release Summary = The virus monitoring service of Doctor Web, Ltd. informs all
users of a new modification of Trojan.Encoder, detected by Dr.Web Anti-virus as
Trojan.Encoder.6.

Press Release Body = The virus monitoring service of Doctor Web, Ltd. informs all users
of a new modification of Trojan.Encoder, detected by Dr.Web Anti-virus as
Trojan.Encoder.6.
Several variants of this Trojan program have been detected so far. Unlike in
previous versions, the Trojan's author uses much longer encryption keys of 260 bits,
which makes decoding much more difficult.
All versions of this Trojan program are distributed via e-mail as spam. A
careless user may run the attachment and become a victim of the blackmailer: all
document files on the infected computer get encrypted. The user is offered a
decryptor for purchase; to buy it, the user must contact the unknown blackmailer via
e-mail. After the Trojan has encrypted the files, a readme.txt file with the
following content appears in each folder:

Some files are coded by RSA method.
To buy decoder mail: k47674@mail.ru
with subject: REPLY

At present, virus analysts of Doctor Web, Ltd. have managed to find one of the keys
used by the felon to encrypt the documents on the victim's computer. The curing
decoding utility is soon to be released.
The utility can be downloaded from www.drweb.com and should be used as follows:
1. Open the command line (press "Start" - Run - cmd)
2. Go to the directory with the files to be decrypted
3. Place the decoding utility rsad.exe in the same directory
4. Run the command line instruction rsad.exe [name_of_decryption_file] [Enter]
If the files were encrypted with the supported key variant, they will be decrypted
and files with the .decrypted extension will appear. Virus analysts are working hard
to find the other two keys, and a new hot add-on to the Dr.Web virus database will be
released soon.
Doctor Web, Ltd. advises all users to be very cautious with mail messages arriving
from unknown senders.
Meanwhile, Doctor Web, Ltd. recommends the following preventive measures to keep safe
from viruses, both for those who have an anti-virus program installed and for those
who do not:
• Use only legal anti-virus software; only then will you receive hot add-ons to the
virus database.
• Keep abreast of updates.
• Never open attachments that arrive in suspicious e-mail messages or from unknown
contacts.
• Do not work under an administrator account if you do not have any anti-virus
program installed.
• If you suspect that your computer is infected and you do not have any anti-virus
installed, check your computer with the FREE curing scanner, Dr.Web CureIt!.
This utility will not only check the computer, but in most cases will also cure or
remove the infection: not only viruses, but also spyware, adware, hacker tools and
paid dialers.


Web Site = http://www.drweb.com

Contact Details = Russia, Moscow, www.drweb.com, pr@drweb.com
