TROJ_CRYZIP.A

Malware type: Trojan

Aliases: Trojan.Win32.Cryzip.a (Kaspersky), CryZip (McAfee), Trojan.Cryzip (Symantec), TR/Zippo.10 (Avira)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: Yes

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Behavior Diagram shown below.

TROJ_CRYZIP.A Behavior Diagram

Malware Overview

This Trojan is usually downloaded from the Internet. It ZIP-compresses all files with certain extension names on any readable and writable drive, and password-protects the resulting archives with the string C:\Program Files\Microsoft Visual Studio\VC98.

As a consequence, encrypted files become unreadable to an affected user. The zipped files end up with the following name:

    {file name}_CRYPT_.ZIP

This Trojan drops the file AUTO_ZIP_REPORT.TXT into every folder where an encrypted file is located. The dropped .TXT file contains instructions on how to get the affected files back. In effect, this Trojan attempts to make the affected user pay money to restore the encrypted files by following the instructions listed in that .TXT file.

Description created: Mar. 11, 2006 2:08:41 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 1,191,936 Bytes

Initial samples received on: Mar 11, 2006

Payload 1: Encrypts files with certain extension names

Details:

This Trojan is usually downloaded from the Internet. Upon execution, it injects its DLL (Dynamic Link Library) component into all running applications.

It ZIP-compresses all files on any readable and writable drive that have the following extension names, and password-protects the resulting archives with the string C:\Program Files\Microsoft Visual Studio\VC98. The affected extension names are:

  • ARH
  • ASM
  • ARJ
  • BAS
  • CDR
  • CGI
  • CHM
  • CPP
  • DB
  • DB1
  • DB2
  • DBF
  • DBT
  • DBX
  • DOC
  • DPR
  • DSW
  • FRM
  • FRT
  • FRX
  • GTD
  • GZ
  • GZIP
  • JPG
  • KEY
  • KWM
  • LST
  • MAN
  • MDB
  • MMF
  • MO
  • OLD
  • P12
  • PAS
  • PAK
  • PDF
  • PGP
  • PL
  • PWL
  • PWM
  • RAR
  • RTF
  • SAFE
  • TAR
  • TXT
  • XLS
  • XML
  • ZIP

As a consequence, encrypted files become unreadable to an affected user. The zipped files end up with the following name:

    {file name}_CRYPT_.ZIP

This Trojan drops the file AUTO_ZIP_REPORT.TXT into every folder where an encrypted file is located. The dropped .TXT file contains the following strings:

OUR E-GOLD ACCOUNT: {random}

INSTRUCTIONS HOW TO GET YUOR FILES BACK READ CAREFULLY. IF YOU DO NOT UNDERSTAND, READ AGAIN.

This is automated report generated by auto archiving software.

Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enought password.

You can not guess the password for your archived files - password lenght is more then 10 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).

Do not try to search for a program what encrypted your information - it is simply do not exists in your hard disk anymore. If you really care about documents and information in encrypted files you can pay using electonic currency $300.
Reporting to police about a case will not help you, they do not know password. Reporting somewhere about our e-gold account will not help you to restore files. This is your only way to get yours files back.

------------------------------
How to pay to get your information back.

1. click on this link to open your free e-gold account - the first screen is the e-gold "terms and conditions" page. You need to agree to these by clicking on the "I AGREE" button on the bottom on the page.
2. On the next page is the sign up form:
1. "Account name" - here is where you name your account - tip: make it easy to remember (as you will be asked for it) and reasonably short, example, "John's e-gold", "My Money e-gold" or perhaps "Felix" (whatever you like, just make it easy for you to remember it).
2. "User Name" - here just repeat the account name (from 1 above).
3. "Point of Contact" - this is where you put our name, address, phone number and email address (any email address can be used here but it is recommended you use your ISP address - not a free hotmail, etc address).
It is also recommended your also include a fax number (don't have a fax number? This company offers free fax to email services). Try and make it as easy as possible for e-gold to contact you.
4. "Passphrase" - this is the most important piece of information connected to any e-gold account. We can not stress enough how important it is that your passphrase is kept safe and secure.
5. "Turing Number Entry" - type the 6 numbers you see there into the input box below.
6. The last step click "Open"

On the next page it will tell you that your e-gold account number has been emailed to you. check your email - you can expect to wait up to 5 minutes for your account number to arrive. If it does not arrive after 5 minutes then that means the email address you supplied was incorrect and you will have to open another new account (go through and repeat what you just did above again).

To buy e-gold to your account please use official exchange services
http://www.me-gold.com/
http://www.goldex.net/
http://usece.com/

or try to search own way with http://gold-pages.net/e-Gold__1MDC__Pecunix_Wizard_Links/Purchase_E-gold/index.html http://www.google.com/search?hl=en&q=buy%20e-gold&btnG=Google%20Search

FINALLY when you bought e-gold you have to transfer $300 to our e-gold account. In next 24 hours you will recieve $1 back to your account. Transfer details of this $1 transfer will have a link to software that will automatically unzip all your files back to normal state.

Next day login to your account https://www.e-gold.com/acct/login.html, press History and press submit, you will see LINK TO UNZIP-software.

#######################################################
Remember you are just $300 away from your files
######################################################

In effect, this Trojan attempts to make the affected user shell out money to restore the encrypted files by following the instructions listed in the aforementioned .TXT file.

It runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
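As an added example (not part of the Trend Micro write-up), the following Python locates the {file name}_CRYPT_.ZIP archives and AUTO_ZIP_REPORT.TXT notes described above on a copy of an affected drive and restores the archived files using the password quoted in the analysis. It assumes the archive member keeps the original file name, and the sample data it builds is constructed, not a real sample.

```python
import zipfile
from pathlib import Path

# Password the analysis reports the Trojan uses for every archive it creates.
CRYZIP_PASSWORD = rb"C:\Program Files\Microsoft Visual Studio\VC98"
CRYZIP_SUFFIX = "_CRYPT_.ZIP"        # archives are named {file name}_CRYPT_.ZIP
RANSOM_NOTE = "AUTO_ZIP_REPORT.TXT"  # dropped into every folder holding an archive


def find_cryzip_artifacts(root):
    """Walk root and return (archives, notes) that match the Trojan's naming."""
    archives, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.upper().endswith(CRYZIP_SUFFIX):
            archives.append(path)
        elif path.name.upper() == RANSOM_NOTE:
            notes.append(path)
    return sorted(archives), sorted(notes)


def recover_archive(archive, password=CRYZIP_PASSWORD):
    """Restore the members of one *_CRYPT_.ZIP beside it and return their paths.

    Assumes the member keeps the original file name; the archive is left in place
    for verification. Wrong password -> RuntimeError, non-ZIP -> zipfile.BadZipFile.
    """
    restored = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            name = Path(info.filename).name   # basename only: no stored directory part
            if info.is_dir() or not name:
                continue
            target = archive.parent / name
            if target.exists():               # never overwrite data already on disk
                continue
            with zf.open(info, pwd=password) as member:
                target.write_bytes(member.read())
            restored.append(target)
    return restored


def build_constructed_sample(root):
    """Constructed test data (not a real sample): one unencrypted archive plus a note."""
    root = Path(root)
    (root / RANSOM_NOTE).write_text("OUR E-GOLD ACCOUNT: {random}\n")
    with zipfile.ZipFile(root / ("budget.xls" + CRYZIP_SUFFIX), "w") as zf:
        zf.writestr("budget.xls", b"quarterly figures (constructed)")
    (root / "notes.txt").write_text("unaffected file\n")
```

Run it from a clean host against a copy of the affected volume; the archive is kept until the restored file has been checked, and an entry that is already on disk is skipped rather than overwritten.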

Analysis By: Luis Antonio P. Magisa


SOLUTION


Minimum scan engine version needed: 7.000

Pattern file needed: 3.282.03

Pattern release date: Mar 23, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your computer with your Trend Micro antivirus product.
  2. NOTE the path and file name of all files detected as TROJ_CRYZIP.A.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online virus scanner.

Restarting in Safe Mode

This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.

Deleting the Malware File(s)

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type the file name(s) detected earlier.
  3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
  4. Once located, select the file then press Delete.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_CRYZIP.A. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
