Users hit by extortion Trojan
Encrypts files, demands money.
By John Dunn | Published: 15:27, 15 March 2006
Anti-virus experts have discovered a new file encryption Trojan that zips up its victims files before demanding $300 to have them unscrambled.
Variously identified as Zippo and Cryzip by anti-virus companies, the Trojan is believed to be infecting PCs either via infected websites, or as an email attachment.
Once infected, it encrypts all data files it can find using a long list of file extensions to guide it, storing them in a password-protected zip directory. Clicking on these files brings up a poorly-written message demanding that $300 be paid to a named e-gold account in return for the passphrase to unlock the files.
Although the Trojan was only publicised yesterday, Techworld was contacted last week by one UK user who was struggling with what turns out to be have been this Trojan, so this is no theoretical lab attack.
Unable to identify what it was, not only had it encrypted his data files, it had been on his system long enough to carry out the same actions on his backups. This would suggest the Trojan has been spreading for some weeks, and is designed to hide itself until even backups became unusable.
The password to unscramble files turns out to be a directory path, probably to make it hard to detect by researchers reverse engineering its inner workings: C:\Program Files\Microsoft Visual Studio\VC98 (typed without quotation marks).
The file encryption Trojan is not a new phenomenon, with a small number of Russian-based examples turning up last Spring. Going back further in time, the AIDS Trojan disk of the mid-1990s, which spread by floppy disk, did much the same thing as Zippo, although its spread would be glacial by comparison.
The fact that it has been in the wild and infecting real victims for some days or weeks, raises several issues.
First, the use of encryption presents potential troubles for anti-virus firms. Although programmed encryption of this type is not as difficult to decode as static encryption, it could be difficult to quickly reverse engineer if it evolves much further from its relatively basic Zippo/Cryzip incarnation.
It already looks as if this particular piece of malware has crept under the radar of the major anti-virus firms, as none of them had heard of it until yesterday, days after Techworld was first contacted by the distressed member of the public.
Second - as pointed out by Graham Cluley of security firm Sophos - the fact that a legitimate company, e-gold, is being used in the scam should mean that the account holders are traceable. At the very least, the accounts should be frozen, he suggested.
E-gold was contacted for comment, but had not replied at the time of going to press.