Cyberpolice analyzed the boot part of the extortion virus

29 June 2017, 01:23 | Ukraine
photo Odessa Daily

The Cyberpolice analyzed the boot part of the extortion virus "Petya.A" and concluded that it is a modified version of the previously known Trojan. The experts described the similar sections of code in detail.

The Cyberpolice Department reported this to a correspondent of the Ukrainian Information Service.

Analysis of the extortion virus identified similar code sections. In addition, the same encryption algorithm is used: Salsa20 with a modified key-expansion constant. In the first version of "Petya" the constant is "expand 32-byte k"; in the new version it is "1invalid s3ct-id".

The unique 8-byte number for Salsa20 (the nonce) is stored in sector 32 (in the old version, in sector 55), at offset 0x21.

The first byte of sector 32 is used as a flag at boot: if it is 0, the MFT is encrypted; if it is 1, the payment message is displayed. The encrypted MBR is stored in sector 34. The encryption is XOR with the key 0x7.
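For triage of an affected disk image, the layout described above can be read directly. The following is an added example, not code from the Cyberpolice analysis; it assumes 512-byte sectors and zero-based sector numbers, uses hypothetical function names, and runs on a constructed sample image.

```python
SECTOR_SIZE = 512        # assumption: 512-byte sectors
STATE_SECTOR = 32        # flag byte and nonce live here, per the article
NONCE_OFFSET = 0x21      # 8-byte Salsa20 nonce
NONCE_LEN = 8
MBR_COPY_SECTOR = 34     # stored MBR, XORed with 0x7
XOR_KEY = 0x07
# The article's two flag values; any other value is reported as unknown.
BOOT_ACTION = {0: "encrypt MFT", 1: "show payment message"}


def read_sector(image: bytes, index: int) -> bytes:
    """Return one sector, refusing truncated images (zero-based index assumed)."""
    sector = image[index * SECTOR_SIZE:(index + 1) * SECTOR_SIZE]
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"image too short for sector {index}")
    return sector


def triage(image: bytes) -> dict:
    """Extract the boot flag, nonce and XOR-decoded MBR from a raw image."""
    state = read_sector(image, STATE_SECTOR)
    mbr = bytes(b ^ XOR_KEY for b in read_sector(image, MBR_COPY_SECTOR))
    return {
        "flag": state[0],
        "boot_action": BOOT_ACTION.get(state[0], "unknown"),
        "nonce_hex": state[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN].hex(),
        "original_mbr": mbr,
        # A valid MBR ends in 55 AA; a mismatch means the layout does not apply.
        "mbr_signature_ok": mbr[510:512] == b"\x55\xaa",
    }


def build_sample_image() -> bytes:
    """Constructed sample: 35 zeroed sectors plus the fields described above."""
    image = bytearray(SECTOR_SIZE * 35)
    mbr = bytearray(SECTOR_SIZE)
    mbr[510:512] = b"\x55\xaa"
    state = bytearray(SECTOR_SIZE)
    state[0] = 1
    state[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN] = bytes(range(1, 9))
    image[32 * SECTOR_SIZE:33 * SECTOR_SIZE] = state
    image[34 * SECTOR_SIZE:35 * SECTOR_SIZE] = bytes(b ^ XOR_KEY for b in mbr)
    return bytes(image)


if __name__ == "__main__":
    report = triage(build_sample_image())
    print({k: v for k, v in report.items() if k != "original_mbr"})
```

Run it against a read-only copy of the first 35 sectors of the disk rather than the live device.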

The Cyberpolice Department asks all specialists to help develop programs for guessing passwords. You can get in touch via volunteer@cyberpolice.gov.ua.

Based on materials: usionline.com


