Symantec is warning about a new Trojan horse that encrypts files on
compromised computers but, unlike other software designed to hold data
hostage for a fee, offers no ransom note.
Instead, a Web search for terms related to the Trojan horse leads to a
company offering a way to remove the malware. The company offering the
product used to charge for it but now offers it for free.
Trojan.Ramvicrype uses the RC4 algorithm to encrypt files on systems
running Windows 98, 95, XP, Windows Me, Vista, NT, Windows Server 2003
and Windows 2000, according to Symantec's Web site.
Computers with files that have the .vicrypt extension are infected, a Symantec researcher wrote in a blog post this weekend.
A Web search for "vicrypt help" brings up a news release for a company called Exquisys Software Technology Ltd
in Mauritius offering a product called Antivicrypt that will "repair
and restore" files that are "damaged." Symantec reports that the
company charges for the product.
Exquisys could not be reached for comment on Monday, which happens to be a national holiday in that country.
However, there is a chance that an affected computer will not have
access to the Internet to search for any tools, free or otherwise. If a
file in the Windows system folder has recently been opened, all the
files in the system folder will be encrypted and the user may be unable
to access the Internet, Symantec said.
When the Trojan is executed, it searches for files in MyDocuments, Desktop and Application Data\Identities and renames them with a .vicrypt extension. Then it looks for links in the Recent folder, renames all the files in the folders those links point to, and encrypts the head section of each file.
It then displays this warning: "Vicrypt error! Please Restart Windows."
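A defender-side triage script, added here as an example and not code from Symantec or the article: it walks a directory tree for files renamed with the .vicrypt extension and applies a byte-entropy check to the head section of each one to judge whether that section has been scrambled. The 256-byte window, the 6.0 bits-per-byte threshold, and the constructed sample files are assumptions, not details from the report.

```python
import math
import os
import tempfile
from pathlib import Path

# Indicator from the Symantec description: affected files get a .vicrypt extension
VICRYPT_EXT = ".vicrypt"
# The report says only the "head section" is encrypted; its length is not stated,
# so a 256-byte window is an assumed value for this example.
HEAD_BYTES = 256


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: stream-cipher output sits near 8.0, plain text far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def head_looks_encrypted(path: Path, threshold: float = 6.0) -> bool:
    """Assumed threshold: a head above 6.0 bits/byte is treated as scrambled."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(HEAD_BYTES)) >= threshold


def find_vicrypt_files(root) -> list:
    """Walk a tree (e.g. a user's documents) and report renamed files with a verdict."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(VICRYPT_EXT):
                p = Path(dirpath) / name
                hits.append((str(p), head_looks_encrypted(p)))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample: one renamed file with a scrambled head, one untouched file."""
    root = tempfile.mkdtemp(prefix="vicrypt_demo_")
    docs = Path(root) / "My Documents"
    docs.mkdir()
    # bytes(range(256)) is a constructed 8.0-bit/byte head standing in for ciphertext
    (docs / "report.doc.vicrypt").write_bytes(bytes(range(256)) + b"rest of file" * 10)
    (docs / "notes.txt").write_text("plain text document\n" * 20)
    return root


if __name__ == "__main__":
    for path, scrambled in find_vicrypt_files(build_sample_tree()):
        print(f"{path}: head looks encrypted={scrambled}")
```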
This shows a screen from a computer infected with the Ramvicrype Trojan, which encrypts data to be held hostage for payment.