‘Scareware’ Trojan holds users to ransom

New version of Vundo scrambles users’ files

A Trojan that normally peddles bogus anti-virus ‘scareware’ has hit on a new way of persuading users to part with money for a worthless licence – it encrypts their data first. The concept of encrypting data on an infected PC has been seen several times since 2005, but the new version of the Vundo Trojan reported by security company FireEye to be doing the rounds is the first to tie straight extortion to a conventional rogue anti-virus software scam.

The company doesn’t fully detail how the program infects users – Trojans such as this sometimes exploit the Windows autorun vulnerability – but once on a system it sets out to encrypt various file types it finds on the host system, including .jpgs, PDFs and Word .doc files, after which it presents a piece of rogueware called FileFix Pro 2009 as the way to unlock the now inaccessible files.

Luckily, it appears that the encryption method is crude enough that one of FireEye’s technical staff was able to write a Perl script that unscrambles a victim’s files without the need to pay the $40 licence fee.

Users unlucky enough to have encountered the crypto version of Vundo can upload files to the FireEye website for decoding free of charge.

http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=14026
http://blog.fireeye.com/research/2009/03/filefix-professional-2009-cryptanalysis.html
