Trojan.Cryzip
aliases: Zippo
Trojan.Cryzip first appeared in early March 2006.
Cryzip uses a commercial ZIP library to store the hijacked files in a password-protected ZIP file.
Upon execution, the trojan searches all folders except the System and System32 folders for files with the extensions .arh, .asm, .arj, .bas, .cdr, .cgi, .chm, .cpp, .db1, .db2, .dbf, .dbt, .dbx, .doc, .dpr, .dsw, .frm, .frt, .frx, .gtd, .gzip, .jpg, .key, .kwm, .lst, .man, .mdb, .mmf, .old, .p12, .pas, .pak, .pdf, .pgp, .pwl, .pwm, .rar, .rtf, .safe, .tar, .txt, .xls, .xml and .zip. Each matching file is stored in a ZIP file called
[original-file-name-&-extension]_CRYPT_.ZIP, after which the original is deleted.
After processing the files in a folder, the trojan also leaves a text file AUTO_ZIP_REPORT.TXT with the following text:
OUR E-GOLD ACCOUNT: XXXXXXX
INSTRUCTIONS HOW TO GET YUOR FILES BACK
READ CAREFULLY. IF YOU DO NOT UNDERSTAND, READ AGAIN.
This is automated report generated by auto archiving software.
Your computer catched our software while browsing illigal porn
pages, all your documents, text files, databases was archived
with long enought password.
You can not guess the password for your archived files - password
lenght is more then 10 symbols that makes all password recovery
programs fail to bruteforce it (guess password by trying all
possible combinations).
Do not try to search for a program what encrypted your information - it
is simply do not exists in your hard disk anymore.
If you really care about documents and information in encrypted files
you can pay using electonic currency $300.
Reporting to police about a case will not help you, they do not know
password. Reporting somewhere about our e-gold account will not help
you to restore files. This is your only way to get yours files back.
------------------------------
How to pay to get your information back.
1. click on this link to open your free e-gold account - the first
screen is the e-gold "terms and conditions" page. You need to
agree to these by clicking on the "I AGREE" button on the bottom
on the page.
2. On the next page is the sign up form:
1. "Account name" - here is where you name your account - tip:
make it easy to remember (as you will be asked for it) and
reasonably short, example, "John's e-gold", "My Money e-gold"
or perhaps "Felix" (whatever you like, just make it easy for
you to remember it).
2. "User Name" - here just repeat the account name (from 1 above).
3. "Point of Contact" - this is where you put our name, address,
phone number and email address (any email address can be used
here but it is recommended you use your ISP address - not a
free hotmail, etc address).
It is also recommended your also include a fax number
(don't have a fax number? This company offers free fax to email
services). Try and make it as easy as possible for e-gold to contact you.
4. "Passphrase" - this is the most important piece of information
connected to any e-gold account. We can not stress enough how
important it is that your passphrase is kept safe and secure.
5. "Turing Number Entry" - type the 6 numbers you see there into the input
box below.
6. The last step click "Open"
On the next page it will tell you that your e-gold account number has been
emailed to you.
check your email - you can expect to wait up to 5 minutes for your account number
to arrive. If it does not arrive after 5 minutes then that means the email address
you supplied was incorrect and you will have to open another new account (go through
and repeat what you just did above again).
To buy e-gold to your account please use official exchange services
http://www.me-gold.com/
http://www.goldex.net/
http://usece.com/
or try to search own way with
http://gold-pages.net/e-Gold__1MDC__Pecunix_Wizard_Links/Purchase_E-gold/index.html
http://www.google.com/search?hl=en&q=buy+e-gold&btnG=Google+Search
FINALLY when you bought e-gold you have to transfer $300 to our e-gold account.
In next 24 hours you will recieve $1 back to your account. Transfer details
of this $1 transfer will have a link to software that will automatically
unzip all your files back to normal state.
Next day login to your account https://www.e-gold.com/acct/login.html,
press History and press submit, you will see LINK TO UNZIP-software.
##########################################################################
Remember you are just $300 away from your files
##########################################################################
The e-gold account number is picked from a list of numbers in the DLL file ZIPPO.dll.
In the first version of the Cryzip trojan, the text of the message as well as the encryption password are also stored in the DLL file.
The LURHQ Threat Intelligence Group identified the password as: C:\Program Files\Microsoft Visual Studio\VC98
On May 22, LURHQ discovered a second variant which, instead of a single password stored in its DLL file, downloads a random password from a list of passwords on a remote web server.
Unfortunately, this makes retrieval of the hijacked files almost impossible without meeting the blackmailer's demands, unless he or she is arrested and reveals the passwords.
There is also a chance of retrieving the hijacked files with a tool such as Elcomsoft's Advanced ZIP Password Recovery. This works as a known-plaintext attack on the ZIP encryption, so the tool needs at least one unencrypted original of one of the hijacked files.
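The two on-disk artifacts described above (the renamed *_CRYPT_.ZIP archives and the per-folder AUTO_ZIP_REPORT.TXT note) are what a responder would sweep a file server for. The scanner below is an added example, not code from the page or from any vendor; it walks a tree, maps each archive back to the original file name it replaced, reports the ransom notes, and checks whether an archive actually carries the PKZIP "encrypted" flag. The sample tree it scans is constructed inline.

```python
import os
import tempfile
import zipfile
from pathlib import Path

CRYZIP_SUFFIX = "_CRYPT_.ZIP"        # archive naming pattern described on the page
CRYZIP_NOTE = "AUTO_ZIP_REPORT.TXT"  # ransom note left in each processed folder

def is_encrypted_zip(path):
    """True if every entry carries the PKZIP 'encrypted' flag (general-purpose bit 0)."""
    try:
        with zipfile.ZipFile(path) as zf:
            infos = zf.infolist()
            return bool(infos) and all(info.flag_bits & 0x1 for info in infos)
    except zipfile.BadZipFile:
        return False

def scan_for_cryzip(root):
    """Walk `root`; return (hijacked, notes) where hijacked maps each *_CRYPT_.ZIP
    path to the original file name it replaced and notes lists ransom-note paths."""
    hijacked, notes = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.upper().endswith(CRYZIP_SUFFIX):
                hijacked[full] = name[:-len(CRYZIP_SUFFIX)]
            elif name.upper() == CRYZIP_NOTE:
                notes.append(full)
    return hijacked, notes

def build_sample_tree(base):
    """Constructed victim-like folder for the demo (not real Cryzip output); the
    stdlib cannot write password-protected archives, so the sample zip is unencrypted."""
    docs = Path(base) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(docs / "budget.xls_CRYPT_.ZIP", "w") as zf:
        zf.writestr("budget.xls", b"constructed spreadsheet bytes")
    (docs / "AUTO_ZIP_REPORT.TXT").write_text("OUR E-GOLD ACCOUNT: XXXXXXX\n")
    (docs / "readme.txt").write_text("untouched file\n")
    return docs.parent

def demo():
    """Scan the constructed tree in a temp dir; returns (originals, note names, encrypted flags)."""
    with tempfile.TemporaryDirectory() as tmp:
        hijacked, notes = scan_for_cryzip(build_sample_tree(tmp))
        return (sorted(hijacked.values()),
                sorted(os.path.basename(n) for n in notes),
                [is_encrypted_zip(p) for p in hijacked])
```

On a real infection the encrypted-flag check returns True for the Cryzip archives; the constructed sample reports False because the standard library cannot set that flag.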
Trojan.Sinowal.FY
is a ransomware trojan from July 2007. Sinowal.FY encrypts users' files so that they cannot access them, and demands a ransom in exchange for a decryption tool and the decryption key.
On reaching a computer, Sinowal.FY creates a text file containing its demands: if the targeted user does not pay $300 to the malware writer, they will not be able to retrieve the kidnapped documents.
- Encrypts all files with any of the following extensions: 12M, 3DS, 3DX, 4GE, 4GL, 7Z, A, A86, ABC, ACD, ACE, ACT, ADA, ADI, AEX, AF3, AFD, AG4, AI, AIF, AIFC, AIFF, AIN, AIO, AIS, AKF, ALV, AMP, ANS, AP, APA, APO, APP, ARC, ARH, ARJ, ARX, ASC, ASM, ASK, AU, BAK, BAS, BB, BCB, BCP, BDB, BH, BIB, BPR, BSA, BTR, BUP, BWB, BZ, BZ2, C, C86, CAC, CBL, CC, CDB, CDR, CGI, CMD, CNT, COB, COL, CPP, CPT, CRP, CRU, CSC, CSS, CSV, CTX, CVS, CWB, CWK, CXE, CXX, CYP, D, DB, DB0, DB1, DB2, DB3, DB4, DBA, DBB, DBC, DBD, DBE, DBF, DBK, DBM, DBO, DBQ, DBT, DBX, DFM, DJVU, DIC, DIF, DM, DMD, DOC, DOK, DOT, DOX, DSC, DWG, DXF, DXR, EPS, EXP, F, FAS, FAX, FDB, FLA, FLB, FRM, FM, FOX, FRM, FRT, FRX, FSL, GTD, GIF, GZ, GZIP, H, HA, HH, HJT, HOG, HPP, HTM, HTML, HTX, ICE, ICF, INC, ISH, ISO, JAR, JAD, JAVA, JPG, JPEG, JS, JSP, KEY, KWM, LST, LWP, LZH, LZS, LZW, MA, MAK, MAN, MAQ, MAR, MBX, MDB, MDF, MID, MO, MYD, OBJ, OLD, P12, PAK, PAS, PDF, PEM, PFX, PHP, PHP3, PHP4, PGP, PKR, PL, PM3, PM4, PM5, PM6, PNG, PPT, PPS, PRF, PRX, PS, PSD, PST, PW, PWA, PWL, PWM, PWP, PXL, PY, RAR, RES, RLE, RMR, RND, RTF, SAFE, SAR, SKR, SLN, SWF, SQL, TAR, TBB, TEX, TGA, TGZ, TIF, TIFF, TXT, VB, VP, WPS, XCR, XLS, XML and ZIP.
These extensions include Word documents, Excel spreadsheets, Access databases, text files, JPG pictures, files compressed using WinZip, WinRAR and ARJ, etc.
- The user will not be able to open those files until they are decrypted. Sinowal.FY instructs users to send a message to an email address so that they can buy the decrypter.
- It connects to the website http://marti<blocked>.net/pajero, where it stores a record of the infections it has made: the computer's name, IP address, and the date and time of infection.
Infection strategy
Sinowal.FY creates the following files:
- NTOS.EXE, in the Windows system directory. This file is a copy of the trojan.
- ??.TMP in the Windows temporary directory, where ?? stands for two random characters.
- AUDIO.DLL and VIDEO.DLL in the subfolder WSNPOEM of the Windows system directory, which the trojan creates itself.
- READ_ME.TXT. It creates a file like this in each subfolder in which it has encrypted any file. This text file contains the following message:
Hello,
your files are encrypted with RSA-4096 algorithm
(http://en.wikipedia.org/wiki/RSA).
You will need at least few years to decrypt these files without our
software. All your private information for last 3 months were
collected and sent to us.
To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at: trista<blocked>lam@gmail.com and provide us
your personal code -1270430. After successful purchase we will send
your decrypting tool, and your private information will be deleted
from our system.
If you will not contact us until 07/15/2007 your private information
will be shared and you will lost all your data.
Glamorous team
Sinowal.FY creates the following entry in the registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
WinCode = %encryption key%
where %encryption key% is a random value that serves as the reference key for the file encryption.
Sinowal.FY modifies the following entry in the registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = %sysdir%\userinit.exe
where %sysdir% is the Windows system directory.
It changes this entry to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = %sysdir%\userinit.exe, %sysdir%\ntos.exe
By modifying this entry, Sinowal.FY ensures that it is run whenever Windows is started.
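The two registry indicators above (an extra entry appended to the Winlogon UserInit value, and the WinCode value holding the encryption key reference) can be audited with a few lines. The following is an added example, not code from the page or from any vendor: it parses a UserInit value, flags anything other than the stock userinit.exe under the system directory, and reports a WinCode value if present. The live-registry reader assumes a Windows host with the standard winreg module; the values used in the main block are constructed.

```python
import ntpath
import sys

STOCK_USERINIT = "userinit.exe"   # the only entry Windows itself places in UserInit

def parse_userinit(value):
    """Split the comma-separated Winlogon UserInit value into clean entries."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]

def audit_userinit(value, sysdir=r"C:\Windows\system32"):
    """Return every UserInit entry other than userinit.exe in the system directory.
    Sinowal.FY persists by appending ntos.exe (in the same directory) to this value."""
    expected = ntpath.join(sysdir, STOCK_USERINIT).lower()
    return [e for e in parse_userinit(value) if e.lower() != expected]

def assess(userinit_value, wincode_value, sysdir=r"C:\Windows\system32"):
    """Combine the two registry indicators from the page into a list of findings."""
    findings = []
    for extra in audit_userinit(userinit_value, sysdir):
        if ntpath.basename(extra).lower() == "ntos.exe":
            label = "Sinowal.FY ntos.exe"
        else:
            label = "unexpected UserInit entry"
        findings.append(f"{label}: {extra}")
    if wincode_value is not None:
        findings.append(f"WinCode value present (encryption key reference): {wincode_value}")
    return findings

def read_live_values():
    """Read both locations from the live registry (Windows only; assumes winreg)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg
    base = r"Software\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\Winlogon") as key:
        userinit, _ = winreg.QueryValueEx(key, "UserInit")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as key:
        try:
            wincode, _ = winreg.QueryValueEx(key, "WinCode")
        except FileNotFoundError:   # value absent on a clean host
            wincode = None
    return userinit, wincode

if __name__ == "__main__":
    # constructed values: a clean host, then one modified as the page describes
    print(assess(r"C:\Windows\system32\userinit.exe,", None))
    print(assess(r"C:\Windows\system32\userinit.exe, C:\Windows\system32\ntos.exe", "9f3a"))
```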
Means of transmission
Sinowal.FY does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, P2P file sharing networks, etc.
Further Details
Sinowal.FY is 40,448 bytes in size.