Symantec Security Response has become aware of a Trojan Horse we detect as Trojan.Ramvicrype. The Trojan uses the RC4 algorithm to encrypt files on compromised computers, rendering them unusable. Presence of files with a .vicrypt extension is a sure-fire sign of infection.
Trojan.Ramvicrype is a little different from most other Ransomware programs we’ve seen in the past. Typically these kinds of threats display a message prompting users to visit a certain Web page or email a specific address. Users will end up paying the online criminals in exchange for keys that can be used to unlock the computer or decrypt the encrypted files.
Previously posted blogs on the subject of Ransomware can be found at:
Symantec Security Response has found a new threat that spreads through Renren.com, which is a very popular Social Networking Site in China ala Facebook. The threat comes in a form of a Flash video, which pretends to be a famous Pink Floyd promotional video clip "Wish you were here."
Viewing the Flash video results in concealed JavaScript being executed while the video is playing.
The video is hosted on a legitimate site. The threat exploits an authentication cookie of a currently logged-in user in order to send out the same link (for the Flash file) to users on the Friends list.
Symantec Security has received a sample ofan Ichitaro document that contains a currently unknown exploit. This isnot necessarily surprising as most software has vulnerabilities but auser who opens the document will surely be hit with a surprise.
Symantec detects the malicious document as Trojan.Tarodrop.D. When it is opened, malware is dropped onto the compromised computer, which Symantec detects as Trojan Horse. The dropped Trojan in turn drops more malware (detected as Hacktool.Keylogger) that logs keystroke and sends the stolen information to cvnxus.8800.org on TCP port 443.
UPDATE We have seen an increase in activity over TCP port 1025 as a result ofW32.Rinbot.BC scanning the port in search of vulnerable computers.W32.Rinbot.BC is the first worm that exploits the Microsoft DNSvulnerability and the exploit code was only made public a few days ago.If you have not done so already, Symantec suggests that you block TCPport 1025 in order to avoid the attack.
Blaster, Sasser, W32.Rinbot.BC We have observed that the time taken from exploit code being...
