Tales from the Crypt

The latest malware threats from across the security forums


Posts: 1856
Joined: Mon Jul 20, 2009 4:35 am
Area Of Expertise: General guidance and advice
experience: Not only can I turn PC on, I know most of its functions too
PC time: A lot more than I should
Location: Kent, UK

Tales from the Crypt

Postby Spudz » Fri Oct 30, 2009 4:39 am

Tales from the Crypt
Shunichi Imano
October 29th, 2009

Symantec Security Response has become aware of a Trojan Horse we detect as Trojan.Ramvicrype. The Trojan uses the RC4 algorithm to encrypt files on compromised computers, rendering them unusable. Presence of files with a .vicrypt extension is a sure-fire sign of infection.

Trojan.Ramvicrype is a little different from most other Ransomware programs we’ve seen in the past. Typically these kinds of threats display a message prompting users to visit a certain Web page or email a specific address. Users will end up paying the online criminals in exchange for keys that can be used to unlock the computer or decrypt the encrypted files.

Previously posted blogs on the subject of Ransomware can be found at:

* The Key(generator) to the SMS Ransomware Threat
* SMS Ransomware Threat

In contrast to the above threats, Trojan.Ramvicrype does not make a direct demand for cash in return for keys. How are they making their money here? It turns out that entering the term ‘vicrypt’ into a search engine leads us to a company offering a fix, which of course is a charged service. So, there was a reason for that file extension after all.

Unfortunately, performing a search for ‘vicrypt help’ or similar may not be an option for those whose machines have been compromised. Consider the %UserProfile%\Recent folder, which is used by Windows to maintain links to recently opened files. For example, if you open a text file called sales-report.txt on your desktop, a .lnk file is created that points to the file itself, %UserProfile%\Desktop\sales-report.txt. Since Trojan.Ramvicrype encrypts files in all folders pointed to by the links to recently opened files, one of the worst case scenarios occurs when a file in the Windows system folder has recently been opened. This leads to a situation in which the threat encrypts all files in the Windows system folder, the computer is critically damaged and the user is unlikely to be able to access the Internet to search for the fix.

Continues at Symantec Security Blog
Spam - Uninteresting garbage quickly deleted.
Spammer - A parasitic worm intent on creating internet misery.
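As an added illustration of the behaviour described in the quoted write-up (this is example code, not Symantec's analysis or anything from the forum post), the script below models the two checks a responder would want: which folders are exposed because a recently opened file lives in them, and whether any of those folders sit under the Windows folder, which the blog calls the worst case; plus a scan for the .vicrypt extension that the blog names as the sign of infection. It assumes the %UserProfile%\Recent .lnk files have already been resolved to their target paths (the Shell Link binary format is not parsed here); the target paths and the small directory tree are constructed samples.

```python
"""Exposure and indicator checks modelled on the Trojan.Ramvicrype write-up.

Assumptions (not from the original text): link targets are supplied as
plain path strings, and the Windows folder is C:\\Windows.
"""
import os
import tempfile
from pathlib import Path, PureWindowsPath

SYSTEM_ROOT = r"C:\Windows"      # assumed location of the Windows system folder
ENCRYPTED_EXT = ".vicrypt"       # extension the write-up names as the infection sign


def folders_from_link_targets(targets):
    """Distinct parent folders of the given recent-file link targets.

    Per the write-up, the Trojan encrypts files in every folder that a
    %UserProfile%\\Recent link points into, so these are the exposed folders.
    """
    return sorted({str(PureWindowsPath(t).parent) for t in targets}, key=str.lower)


def is_under(path, root):
    """Case-insensitive test that `path` lies inside `root` (Windows semantics)."""
    p = [part.lower() for part in PureWindowsPath(path).parts]
    r = [part.lower() for part in PureWindowsPath(root).parts]
    return p[: len(r)] == r


def at_risk_folders(targets, system_root=SYSTEM_ROOT):
    """Classify exposed folders and single out those inside the Windows folder."""
    folders = folders_from_link_targets(targets)
    return {
        "folders": folders,
        "system_folders": [f for f in folders if is_under(f, system_root)],
    }


def find_encrypted_files(root):
    """Walk a tree and return every file carrying the .vicrypt extension."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_EXT):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo():
    # Constructed sample of resolved link targets, as found under %UserProfile%\Recent.
    sample_targets = [
        r"C:\Users\alice\Desktop\sales-report.txt",
        r"C:\Users\alice\Desktop\budget.xlsx",
        r"C:\Windows\System32\drivers\etc\hosts",
        r"D:\Projects\notes.md",
    ]
    exposure = at_risk_folders(sample_targets)

    # Constructed directory tree to exercise the indicator scan offline.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "docs").mkdir()
        Path(tmp, "docs", "report.doc.vicrypt").write_bytes(b"\x00" * 16)
        Path(tmp, "docs", "untouched.txt").write_text("ok")
        hits = find_encrypted_files(tmp)
    return exposure, [os.path.basename(h) for h in hits]


if __name__ == "__main__":
    exposure, hits = demo()
    print("Folders referenced by recent-file links:", exposure["folders"])
    print("Of those, inside the Windows folder:", exposure["system_folders"])
    print("Files with the .vicrypt extension:", hits)
```

The system-folder check is what turns this from an inventory into a triage aid: a hit there means the machine may be too damaged to reach the web, so recovery has to be planned from another host.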

