CryZip

Type: Trojan
SubType: Win32
Discovery Date: 03/13/2006
Length:
Minimum DAT: 4717 (03/13/2006)
Updated DAT: 4767 (05/22/2006)
Minimum Engine: 5.1.00
Description Added: 03/13/2006
Description Modified: 03/13/2006 7:42 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

CryZip is a trojan that searches for certain file types on an infected machine, compresses these files and password protects the archive. It attempts to extort money from the victim in order for them to obtain the password to recover the encrypted files.

CryZip uses a commercial zip library in order to store files inside a password protected zip. The author chose the following password, which is stored in clear text within the trojan body:

"C:\Program Files\Microsoft Visual Studio\VC98"

Because this string often appears inside projects compiled with Visual C++, the author figured anyone who found the infecting DLL and examined its strings looking for the password, would simply overlook it.

When run, this trojan injects itself into all running processes and searches for files with the following extensions, compresses each one and password protects the archive. It then deletes the original file. It does not search directories named "system" or "system32".

.arh
.asm
.arj
.bas
.cdr
.cgi
.chm
.cpp
.db1
.db2
.dbf
.dbt
.dbx
.doc
.dpr
.dsw
.frm
.frt
.frx
.gtd
.gzip
.jpg
.key
.kwm
.lst
.man
.mdb
.mmf
.old
.p12
.pas
.pak
.pdf
.pgp
.pwl
.pwm
.rar
.rtf
.safe
.tar
.txt
.xls
.xml
.zip

Encrypted files have the name "original-file-name_CRYPT_.ZIP".

The file AUTO_ZIP_REPORT.TXT is dropped into every folder where encrypted files are located. AUTO_ZIP_REPORT.TXT contains instructions on how to decrypt the affected files and the number of an E-Gold account. This number is picked at random from a list embedded in the trojan. By operating many accounts simultaneously, the trojan author is betting that even if E-Gold shuts down most of the accounts, they will still receive payment on at least some.

OUR E-GOLD ACCOUNT: XXXXXXX

INSTRUCTIONS HOW TO GET YUOR FILES BACK
READ CAREFULLY. IF YOU DO NOT UNDERSTAND, READ AGAIN.

This is automated report generated by auto archiving software.

Your computer catched our software while browsing illigal porn
pages, all your documents, text files, databases was archived
with long enought password.

You can not guess the password for your archived files - password
lenght is more then 10 symbols that makes all password recovery
programs fail to bruteforce it (guess password by trying all
possible combinations).

Do not try to search for a program what encrypted your information - it
is simply do not exists in your hard disk anymore.
If you really care about documents and information in encrypted files
you can pay using electonic currency $300.
Reporting to police about a case will not help you, they do not know
password. Reporting somewhere about our e-gold account will not help
you to restore files. This is your only way to get yours files back.

------------------------------

How to pay to get your information back.

1. click on this link to open your free e-gold account - the first
screen is the e-gold "terms and conditions" page. You need to
agree to these by clicking on the "I AGREE" button on the bottom
on the page.
2. On the next page is the sign up form:
1. "Account name" - here is where you name your account - tip:
make it easy to remember (as you will be asked for it) and
reasonably short, example, "John's e-gold", "My Money e-gold"
or perhaps "Felix" (whatever you like, just make it easy for
you to remember it).
2. "User Name" - here just repeat the account name (from 1 above).
3. "Point of Contact" - this is where you put our name, address,
phone number and email address (any email address can be used
here but it is recommended you use your ISP address - not a
free hotmail, etc address).
It is also recommended your also include a fax number
(don't have a fax number? This company offers free fax to email
services). Try and make it as easy as possible for e-gold to contact you.
4. "Passphrase" - this is the most important piece of information
connected to any e-gold account. We can not stress enough how
important it is that your passphrase is kept safe and secure.
5. "Turing Number Entry" - type the 6 numbers you see there into the input
box below.
6.  The last step click "Open"

On the next page it will tell you that your e-gold account number has been emailed to you.
check your email - you can expect to wait up to 5 minutes for your account number
to arrive. If it does not arrive after 5 minutes then that means the email address
you supplied was incorrect and you will have to open another new account (go through
and repeat what you just did above again).

To buy e-gold to your account please use official exchange services
http://www.me-gold.com/
http://www.goldex.net/
http://usece.com/

or try to search own way with
http://gold-pages.net/e-Gold__1MDC__Pecunix_Wizard_Links/Purchase_E-gold/index.html
http://www.google.com/search?hl=en&q=buy+e-gold&btnG=Google+Search

FINALLY when you bought e-gold you have to transfer $300 to our e-gold account.
In next 24 hours you will recieve $1 back to your account. Transfer details
of this $1 transfer will have a link to software that will automatically
unzip all your files back to normal state.

Next day login to your account https://www.e-gold.com/acct/login.html,
press History and press submit, you will see LINK TO UNZIP-software.

################################################################
Remember you are just $300 away from your files
################################################################

Symptoms

• Files overwritten with original-file-name_CRYPT_.ZIP
• Presence of the aforementioned AUTO_ZIP_REPORT.TXT text files
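The two symptoms above, together with the archive naming and the clear-text password quoted in the Characteristics section, are enough to write a small triage and recovery helper. The following is an added example written for this page, not McAfee's or AVERT's tooling: it walks a directory tree, records every *_CRYPT_.ZIP archive and AUTO_ZIP_REPORT.TXT note, pulls the E-Gold account string out of each note as an indicator worth preserving, and tries to restore each archive's single member under its original name using the password from the description. It assumes the archives use classic PKZIP (ZipCrypto) encryption, which Python's zipfile can read; an archive using a method zipfile does not support, or one that rejects the password, is reported as not recovered rather than raising. The sample tree it builds for offline use is constructed and unencrypted (zipfile cannot write encrypted members), so the password is simply ignored when that sample is read; is_targeted() codifies the extension list and directory exclusions from the Characteristics section so a responder can estimate what the trojan would have touched.

```python
import os
import re
import tempfile
import zipfile

# Indicators taken from the description above.
CRYPT_SUFFIX = "_CRYPT_.ZIP"
REPORT_NAME = "AUTO_ZIP_REPORT.TXT"
# Archive password quoted in the description (stored in clear text in the trojan body).
CRYZIP_PASSWORD = b"C:\\Program Files\\Microsoft Visual Studio\\VC98"
# Extensions the trojan targets and the directory names it skips.
TARGET_EXTENSIONS = {
    ".arh", ".asm", ".arj", ".bas", ".cdr", ".cgi", ".chm", ".cpp", ".db1", ".db2",
    ".dbf", ".dbt", ".dbx", ".doc", ".dpr", ".dsw", ".frm", ".frt", ".frx", ".gtd",
    ".gzip", ".jpg", ".key", ".kwm", ".lst", ".man", ".mdb", ".mmf", ".old", ".p12",
    ".pas", ".pak", ".pdf", ".pgp", ".pwl", ".pwm", ".rar", ".rtf", ".safe", ".tar",
    ".txt", ".xls", ".xml", ".zip",
}
EXCLUDED_DIRS = {"system", "system32"}


def is_targeted(path):
    """True if a file matches the extension list and is not under a skipped directory."""
    dirs = {p.lower() for p in re.split(r"[\\/]", path)[:-1]}
    ext = os.path.splitext(path)[1].lower()
    return ext in TARGET_EXTENSIONS and not (dirs & EXCLUDED_DIRS)


def find_indicators(root):
    """Walk root; return (sorted *_CRYPT_.ZIP paths, sorted AUTO_ZIP_REPORT.TXT paths)."""
    archives, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.upper().endswith(CRYPT_SUFFIX):
                archives.append(full)
            elif name.upper() == REPORT_NAME:
                notes.append(full)
    return sorted(archives), sorted(notes)


def account_from_note(note_path):
    """Pull the E-Gold account string out of a dropped note (an indicator worth recording)."""
    with open(note_path, "r", errors="replace") as fh:
        m = re.search(r"OUR E-GOLD ACCOUNT:\s*(\S+)", fh.read())
    return m.group(1) if m else None


def original_name(archive_path):
    """'report.doc_CRYPT_.ZIP' -> 'report.doc' (the trojan appends the suffix to the name)."""
    name = os.path.basename(archive_path)
    if not name.upper().endswith(CRYPT_SUFFIX):
        raise ValueError("not a CryZip archive name: " + name)
    return name[:-len(CRYPT_SUFFIX)]


def recover_archive(archive_path, out_dir, password=CRYZIP_PASSWORD):
    """Extract the single member of a *_CRYPT_.ZIP under its original name into out_dir.

    Returns the restored path, or None when the file is not a zip, holds more than one
    member, rejects the password (RuntimeError) or uses a method zipfile cannot handle
    (NotImplementedError). Assumption: the real archives use classic PKZIP encryption.
    """
    os.makedirs(out_dir, exist_ok=True)
    try:
        with zipfile.ZipFile(archive_path) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
            if len(members) != 1:
                return None
            data = zf.read(members[0], pwd=password)
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return None
    dest = os.path.join(out_dir, original_name(archive_path))
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def recover_tree(root, out_dir):
    """Scan a tree, record indicators and attempt recovery of every archive found."""
    archives, notes = find_indicators(root)
    return {
        "archives": archives,
        "notes": notes,
        "accounts": sorted({a for a in map(account_from_note, notes) if a}),
        "recovered": {a: recover_archive(a, out_dir) for a in archives},
    }


def build_sample_tree():
    """Constructed sample: an UNencrypted archive with the CryZip naming plus a note."""
    base = tempfile.mkdtemp(prefix="cryzip_sample_")
    docs = os.path.join(base, "docs")
    os.makedirs(docs)
    with zipfile.ZipFile(os.path.join(docs, "report.doc_CRYPT_.ZIP"), "w") as zf:
        zf.writestr("report.doc", b"constructed sample document")
    with open(os.path.join(docs, REPORT_NAME), "w") as fh:
        fh.write("OUR E-GOLD ACCOUNT: 1234567\n\nINSTRUCTIONS HOW TO GET YUOR FILES BACK\n")
    with open(os.path.join(base, "untouched.txt"), "w") as fh:
        fh.write("still here\n")
    return base
```

Run recover_tree() against a copy of the affected volume rather than the original, and keep the dropped notes: the account string in each one is the only per-infection indicator this trojan leaves behind, and the random choice from the embedded list means different machines will show different accounts.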

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • TROJ_CRYZIP.A (Trend Micro)
  • Trojan.Cryzip (Symantec)
  • Virus.Win32.Zippo.10 (Kaspersky)
  • W32/Zippo.10!tr (Fortinet)
  • Win32.Zippo.10 (BitDefender)
  • Win32/Zippo.10 (ESET)
