According to the Fox-IT International blog, a new virus called "XDocCrypt/Dorifel" searches for MS Word files on the victim's computer and encrypts them with RC4 (Figure 1). The Word files cannot be decrypted without the RC4 key. However, this virus does not look like ransomware, because it does not show any ransom note. So far it has affected over 2,200 government, public sector, and private company networks in the Netherlands (Figure 2).

Figure 1: File encryption with RC4 (source: Fox-IT International Blog)


Figure 2: NL tops the ranking, followed by DK (source: Fox-IT International Blog)

AegisLab has collected the 18 "XDocCrypt/Dorifel" virus samples listed below. The detection rate in VT is about 25%-30%, and 3 of them are not in the VT DB:

AegisLab Antivirus can destroy the "XDocCrypt/Dorifel" virus and its mutants. We will keep watching this emerging threat.



0810 updated: This virus only infects WORD/EXCEL files on network share drives or USB drives, in order to spread itself quickly, and it masquerades as a normal WORD/EXCEL file by abusing the RTLO (right-to-left override) vulnerability.
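
A defensive check for the RTLO masquerade described in the update, as an added example that is not part of the original post or of AegisLab's product: it flags file names in which a right-to-left override makes an executable extension appear as a WORD/EXCEL extension. The extension lists and sample names are constructed assumptions, and the display logic is a simplification of Unicode bidirectional rendering.

```python
# Bidirectional formatting characters that can change how a file name is drawn.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Assumption: extensions treated as documents / executables for this example.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def ext_of(name):
    """Return the lower-cased extension (with dot), or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def displayed_name(name):
    """Approximate what a file manager shows: text after the first RLO is
    drawn right to left. Simplification: one override, no nesting."""
    head, sep, tail = name.partition(RLO)
    if not sep:
        return name
    tail = "".join(c for c in tail if c not in BIDI_CONTROLS)
    return head + tail[::-1]


def check_filename(name):
    """Classify one file name as 'ok', 'bidi-control' or 'rtlo-spoof'."""
    real = ext_of(name)  # what the operating system acts on
    if not any(c in BIDI_CONTROLS for c in name):
        return {"verdict": "ok", "real_ext": real, "shown_ext": real}
    shown = ext_of(displayed_name(name))  # what the user believes it is
    spoof = real in EXEC_EXTS and shown in DOC_EXTS
    return {"verdict": "rtlo-spoof" if spoof else "bidi-control",
            "real_ext": real, "shown_ext": shown}


# Constructed sample names (not taken from real Dorifel samples).
SAMPLES = ["report.docx", "invoice\u202ecod.scr",
           "budget\u202exslx.exe", "notes\u202e.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", repr(displayed_name(sample)),
              check_filename(sample))
```

Any bidirectional control character in a file name on a share or USB drive is worth a review, so the checker reports `bidi-control` even when the extensions do not match the spoofing pattern.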