
New Trojan Kidnaps Files for Ransom

Submitted by khalfan on Sun, 2006-03-19 01:09.

A new type of Trojan is making the rounds on the Internet, hijacking files and then leaving messages for the victims, demanding a ransom to return access. Called "Cryzip" by some antivirus firms and "Zippo.a" by others, the Trojan blocks access to files stored in 44 formats -- including .doc, .jpg, and .pdf -- by grouping them in a password-protected .zip file. The Trojan then deletes the original files and eliminates itself. Left behind along with the encrypted files is a ransom note, riddled with grammatical and spelling errors, that demands that users pay $300 in electronic currency to gain access to their files. The author of the note and Trojan writes that reporting the incident to the police will not help because "they do not know password." A text file includes instructions for victims to transfer money to one of nearly 100 accounts run by money-transfer site e-gold.

Self Policing

Security firms are reporting that the virus does not appear to be widespread at this point. The security community has already rushed to respond to the threat, with security firms Sophos and LURHQ cracking the password required to release the data. The companies have made public the method for foiling the Trojan, which limits the danger of kidnapped data. Those who have had their files blocked simply need to type the following password:

"C:\Program Files\Microsoft Visual Studio\VC98"

Because the string appears inside projects compiled with Visual C++ 6, the Trojan's author probably assumed anyone who found the infected file and looked at the strings would overlook the password, LURHQ noted in its advisory.

Stick 'Em Up

The creation of a Trojan designed to carry out extortion is not surprising to many security researchers. In a recent Internet security threat report, Symantec noted that a growing concern is the number of attackers now motivated by financial gain rather than notoriety. Although phishing attacks are getting the majority of attention these days, there has been some increase in Internet extortion activity as well, said Javier Santoyo, development manager at Symantec Security Response. "Certainly there are some hackers focused on hitting companies to get resources or system benefits," he said. "Some spend weeks figuring out how to break into specific sites." So far, however, few have pursued extortion as a goal, he added. According to security firm Sophos, this recent Trojan extortion threat is among the first to appear in English. Previous "ransomware" schemes have come from Russia and have been targeted at Russian computer users.

( categories: News )
