By Elinor Mills
November 2, 2009
Symantec is warning about a new Trojan horse that encrypts files on compromised computers but, unlike other software designed to hold data hostage for a fee, offers no ransom note.
Instead, a Web search for terms related to the Trojan horse leads to a company offering a way to remove the malware. The company offering the product used to charge for it but now offers it for free.
Trojan.Ramvicrype uses the RC4 algorithm to encrypt files on systems running Windows 98, 95, XP, Windows Me, Vista, NT, Windows Server 2003 and Windows 2000, according to Symantec's Web site.
Computers with files that have the .vicrypt extension are infected, a Symantec researcher wrote in a blog post this weekend.
A Web search for "vicrypt help" brings up a news release for a company called Exquisys Software Technology Ltd in Mauritius offering a product called Antivicrypt that will "repair and restore" files that are "damaged." Symantec reports that the company charges for the product.
Exquisys could not be reached for comment on Monday, which happens to be a national holiday in that country.
Meanwhile, Symantec is offering a free tool to decrypt the encrypted files.
However, there is a chance that an affected computer will not have access to the Internet to search for any tools, free or otherwise. If a file in the Windows system folder has recently been opened, all the files in the system folder will be encrypted and the user may be unable to access the Internet, Symantec said.
When the Trojan is executed, it searches for files in MyDocuments, Desktop and Application Data\Identities and renames them with a .vicrypt extension. Then it looks for links in the Recent folder, renames all the files in the folders those links point to, and encrypts the head section of each file.
It then displays this warning: "Vicrypt error! Please Restart Windows."
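A triage sweep for the file-extension indicator described above, as an added example that is not part of the original article or of Symantec's tool: it walks a directory tree for files with the .vicrypt extension and groups hits by the locations the article names. The folder-name matching, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter

INDICATOR_EXT = ".vicrypt"  # extension named in the article
# Assumption: locations are recognised by folder name; real paths vary by Windows version.
USER_DATA_DIRS = {"my documents", "mydocuments", "desktop", "identities"}
SYSTEM_DIRS = {"windows", "winnt"}

def classify(rel_dir):
    """Label a directory (relative to the scan root) as system, user-data or other."""
    parts = {p.lower() for p in os.path.normpath(rel_dir).split(os.sep)}
    if parts & SYSTEM_DIRS:
        return "system"
    if parts & USER_DATA_DIRS:
        return "user-data"
    return "other"

def sweep(root):
    """Return sorted (relative path, label) pairs for files carrying the extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            if name.lower().endswith(INDICATOR_EXT):  # case-insensitive, as on Windows
                hits.append((os.path.join(rel_dir, name), classify(rel_dir)))
    return sorted(hits)

def summarize(hits):
    """Count hits per location; system-folder hits mean the host may be offline."""
    counts = Counter(label for _path, label in hits)
    return {"total": len(hits), "by_location": dict(counts),
            "system_folder_affected": counts["system"] > 0}

def build_sample_tree(root):
    """Create a constructed directory tree of empty placeholder files."""
    sample = ["Documents and Settings/user/My Documents/report.vicrypt",
              "Documents and Settings/user/Desktop/notes.vicrypt",
              "Documents and Settings/user/Desktop/clean.txt",
              "WINDOWS/system32/example.VICRYPT",
              "Data/projects/plan.vicrypt"]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(summarize(sweep(tmp)))
```

Run against a mounted copy of the affected disk rather than the live system when possible, since the article notes an infected machine may have lost Internet access and system files.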