Extortionist Trojan Holds Data Ransom

By Sean Michael Kerner | Mar 15, 2006 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3591901/Extortionist-Trojan-Holds-Data-Ransom.htm

If you're the unlucky victim of a new Trojan making the rounds, it'll cost you $300 to get your data back from the Trojan's author.

As of press time the Trojan did not yet have a common CME identifier. It is currently known as cryzip by LURHQ, Symantec, McAfee and Trend Micro. Kaspersky calls it Zippo and Panda Labs calls it ZippoCryptor.

Once infected, the Trojan encrypts a user's data in a password-protected zip file. In addition to the inaccessible files, the victim is left with a ransom note in a file titled "AUTO_ZIP_REPORT.txt."

The file starts with the words, "INSTRUCTIONS HOW TO GET YUOR FILES BACK READ CAREFULLY." According to LURHQ, the typo-rife ransom note continues: "Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enought password."

The note warns users not to attempt to crack the password on the compressed zip files. The only way to get the data back, it says, is by sending the "ransom" to an E-Gold account, apparently operated by the Trojan's author.

According to security firm LURHQ, a random E-Gold account number is automatically inserted at the top of the ransom note from an embedded list.

"By operating many accounts simultaneously, the Trojan author is betting that even if E-Gold shuts down some of the accounts, he/she will still receive payment on some of the others," LURHQ's advisory states.

So far, the Trojan does not appear to be widespread. McAfee, Panda Labs and Symantec have given it a low-risk assessment and all have issued updates to its malware definition files to identify the Trojan.

It could always be worse.

Though the cryzip Trojan may make a victim cry, at least it doesn't berate victims like last year's Cisum.A virus did.