..Doc File Virus Removal – Restore ..Doc Files

..Doc File Virus Removal – Restore ..Doc Files

This article will help you to remove the ..Doc File Virus entirely. Follow the ransomware removal instructions provided at the end.

The ..Doc File Virus is the name of a ransomware which is a variant of the GlobeImposter virus. After encryption it places the ..Doc extension as a secondary one, without altering the original file names. Next up, a ransom note is placed inside an .html file containing instructions on how to pay the ransom and allegedly restore your data. Continue to read and check what ways you could try out to potentially recover your files.

Threat Summary

Name..Doc File Virus
TypeRansomware
Short DescriptionThe ransomware encrypts files on your computer device and it shows a ransom note afterward.
SymptomsThis ransomware virus will encrypt your files and place the ..Doc extension on each one of them.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by ..Doc File Virus

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss ..Doc File Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

..Doc File Virus – Delivery Ways

..Doc File Virus might spread its infection via different ways. The payload file which executes the malicious script for this ransomware, that in turn infects your computer machine, is circling around the Internet. It has been spotted as a .vbs script file inside a .zip archive spreading with malicious spam email campaigns as seen in the example below:

Sent: Tue, 05 Dec 2017 15:14:48 +0530
To: Kellett, Tamera
Subject: Message from “G10PR0378651.VICTIMSDOMAIN.COM”

This E-mail was sent from “G10PR0378651.VICTIMSDOMAIN.COM” (Aficio MP C305).

Scan Date: Tue, 05 Dec 2017 15:14:48 +0530

Samples of this ransomware have been found by a few different malware researchers. You can see the detections of some security vendors for one such sample embedded into an executable file by checking the image taken of the VirusTotal service below:

The ..Doc File Virus might be using other ways to deliver the payload file, such as social media and file-sharing sites. Freeware applications found on the Web could be promoted as helpful but also could hide the malicious script for this virus. Before opening any files after you have downloaded them, you should instead scan them with a security program. Especially if they come from suspicious places, such as emails or links. Also, don’t forget to check the size and signatures of such files for anything that seems out of place. You should read the ransomware prevention tips given in the forum.

..Doc File Virus – Technical Data

The ..Doc File Virus is a ransomware, which has been circulating with different variants. When the ..Doc File Virus encrypts your files and put ransom note messages around your computer’s directories. The virus is a variant of the GlobeImposter ransomware family.

The ..Doc File Virus can be set to make new registry entries in the Windows Registry to achieve a higher level of persistence. Such entries are usually designed in a way that will start the virus automatically with every launch of the Windows Operating System, such as the example shown right here below:

→“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run”

The ransom message is placed inside a file called Read_ME.html. This is how it looks:

The ransom note states the following:

Your files are Encrypted!
For data recovery needs decryptor.
If you want to buy a decryptor, click “Buy Decryptor”:
[Buy Decryptor] If not working, click again.
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
To send a message or file use this link.
Support
If you can not contact, follow these two steps:
1. Install the TOP Browser from this link:
torproject.org
2. Open this link in the TOP browser: https://n224ezvhg4sgyamb.onion/sup.php

If you click on the TOR link (https://n224ezvhg4sgyamb.onion), another page with further instructions will show up and you can see it here:

It states the following:

To buy the decryptor, you must pay the cost of: 0.094 Bitcoin ($ 1000)
You have 2 days for payment
time left :
after finishing offer, decryptor cost will be 0.188 Bitcoin
You can buy bitcoin on one of these sites:
blockchain.info
localbitcoins.com
google.com
send 0.094 bitcoin on the Bitcoin address: 16QzEecSU858iaWFyLEEgGXGn9ehtvMJXG
After payment enter your REAL e-mail to get the decryptor
E-MAIL
SUBMIT E-MAIL

Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
To send a message or file click this link…

You should NOT under any circumstances pay the ransom or write to these criminals. Nobody can give you a guarantee that you will get your files decrypted upon payment, plus in that way you will support the crooks and probably motivate them to keep making ransomware or do similar criminal acts.

..Doc File Virus – Encryption Process

There is no official list with file extensions that the ..Doc File Virus seeks to encrypt and the article will be updated if such a list is discovered. However, all files which get encrypted will receive the ..Doc extension appended to them as a secondary extension. The virus doesn’t change or modify the original file name or extension of the encrypted files. The files used most by users and which are probably encrypted are from the following categories:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

The encryption algorithm which is used for the virus is currently unknown, but the ransomware is reported to encrypt files, with the following extensions so far:

→.doc, .docx, .xls, .xlsx, .jpg, .mp3, .pdf, .png, .txt

The ..Doc File Virus is reported by malware researchers to erase the Shadow Volume Copies from the Windows Operating System by executing the following command:

→vssadmin.exe delete shadows /all /Quiet

Executing the above-stated command will make the encryption process more effective, as one of the main ways for file recovery will be eliminated. Continue reading to find out what methods you can try out to potentially restore some of your files.

Remove ..Doc File Virus and Restore ..Doc Files

If your computer got infected with the ..Doc File Virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Manually delete ..Doc File Virus from your computer

Note! Substantial notification about the ..Doc File Virus threat: Manual removal of ..Doc File Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove ..Doc File Virus files and objects
2. Find malicious files created by ..Doc File Virus on your PC

Automatically remove ..Doc File Virus by downloading an advanced anti-malware program

1. Remove ..Doc File Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by ..Doc File Virus
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...