Other versions: .ad, .ae, .af, .ag, .ai, .ak, .f
| Detection added |
Jan 26 2006 14:33 GMT |
| Update released |
Jan 26 2006 14:39 GMT |
| Description added |
Jan 31 2006 |
| Behavior |
Virus |
This file virus is a Windows PE EXE file, packed using UPX. The packed file
is approximately 61KB in size, and the unpacked file is approximately 134KB
in size.
The program was widely distributed throughout the Russian segment of the Internet
using spammer technologies.
Once launched, the virus encrypts files saved on the victim machine which
have the following extensions:
arh
arj
c
cdr
cgi
chm
cnt
cpp
css
csv
db
db1
db2
dbf
dbt
dbx
doc
flb
frm
frt
frx
gtd
gz
gzip
h
htm
html
key
kwm
lst
man
mdb
mmf
mo
old
p12
pak
pdf
pem
pfx
pgp
pl
prf
prx
pst
pwa
pwl
pwm
rar
rmr
rnd
rtf
safe
sar
sig
tar
tbb
txt
xls
xml
zip
The virus partly uses the RSA algorithm to encrypt files.
Once encrypted, files cannot be used. The author of the program then demands
money to decrypt the encrypted files. A file called 'readme.txt' appears in
folders where encrypted files are located. The file contains the following text
(although the email and the encryption key may differ):
Some files are coded by RSA method.
To buy decoder mail: *****sh34@rambler.ru
with subject: RSA 5 ********728578411
When contacted by the user, the author of the program will demand payment
for decrypting the encrypted files.
Users are reminded that they should be extremely cautious when faced with
attachments to suspicious messages. Additionally, users should not contact the
authors of malicious programs, nor pay them money, as this will simply act as
motivation to write new variants.
- Conduct a full scan of your computer using an updated version
of Kaspersky Anti-Virus(download a trial version).
- If the antivirus is unable to decrypt the infected file, please
send the infected file to newvirus@kaspersky.com (our virus laboratory) for analysis.
