Symantec Blogs: Security Response

Shunichi Imano | October 29th, 2009

Symantec Security Response has become aware of a Trojan Horse we detect as Trojan.Ramvicrype. The Trojan uses the RC4 algorithm to encrypt files on compromised computers, rendering them unusable. Presence of files with a .vicrypt extension is a sure-fire sign of infection.

Trojan.Ramvicrype is a little different from most other Ransomware programs we’ve seen in the past. Typically these kinds of threats display a message prompting users to visit a certain Web page or email a specific address. Users will end up paying the online criminals in exchange for keys that can be used to unlock the computer or decrypt the encrypted files.

Previously posted blogs on the subject of Ransomware can be found at:

Shunichi Imano | October 27th, 2009
Security Response is aware of a new round of spam replacing old DHL and UPS themes in an attempt to spread Trojan.Bredolab.

Taking a Closer Look at Trojan.Bredolab
Bredolab Delivers More Parcels and Cash

This time the email is masquerading as a notification from Facebook that the recipient’s password has been reset.

The message comes with a .zip file containing a malicious .exe file. Symantec detects the .exe files as Trojan.Bredolab.

This...
Shunichi Imano | July 3rd, 2009

I know people are getting sick of malware, attacks, and blogs associated with recent celebrities’ deaths, especially over the past week. But, here we go again. Even a week after Michael Jackson's death was announced, some people refuse to accept that he is gone. Well, after 32 years, even some fanatic followers believe Elvis Presley is still alive.

Security Response has found a suspiciously titled PDF file named “Elvis_Presley_is_alive!!!.pdf.” Maybe Elvis really is still alive, but this particular Elvis has hellhounds with him in the form of exploit code and malware.

When the malicious PDF file is opened, users won’t see any pictures or articles on the aging “King of Rock 'n' Roll,” but instead the file tries to exploit three separate PDF vulnerabilities:

• Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (...

Shunichi Imano | December 23rd, 2007

Look, here comes Santa...on his sleigh with Rudolph the red-nosed reindeer and a computer. This year, he seems to have decided to distribute free gifts through email...but with a catch.

An email that contains a link to a malicious file reportedly arrives as the following:
Subject: Seasons Greetings
Message Body:

listen up,

This Christmas, we want to show you something you will really enjoy.
This might not be fun for the whole family, but I bet you'll like it come one take 2 min and check it out.
hxxp://merrychrist[REMOVED]

If you click on the links, you will find pictures of women dressed as "Mrs. Clause" on the site, and the malicious file stripshow.exe, which is a new variant of Trojan.Peacomm.D, will be downloaded if you click on the picture.

...

Shunichi Imano | April 15th, 2007

It has been reported that a worm that exploits the Microsoft Windows Domain Name Server Service Remote Procedure Call Interface Vulnerability is in the wild. Symantec Security Response has obtained a sample of the worm and we detect the threat as W32.Rinbot.BC.

UPDATE
We have seen an increase in activity over TCP port 1025 as a result of W32.Rinbot.BC scanning the port in search of vulnerable computers. W32.Rinbot.BC is the first worm that exploits the Microsoft DNS vulnerability, and the exploit code was only made public a few days ago. If you have not done so already, Symantec suggests that you block TCP port 1025 in order to avoid the attack.

Blaster, Sasser, W32.Rinbot.BC
We have observed that the time taken from exploit code being...

Shunichi Imano | February 24th, 2007

In last Friday's blog titled Hello Screen Saver, Sayonara Files, we reported about Trojan.Pirlames, which can be obtained through peer-to-peer file-sharing networks.

Today, we found a couple of similar Japanese Trojans; Trojan.Haradong.B and Trojan.Pirlames.B.

Trojan.Haradong.B masquerades as a Windows screen saver file or .avi file with the following file names:

...

Shunichi Imano | December 30th, 2006

Recently, we have seen many files that undermine the spirit of the holiday season. These files are typically named postcard.exe, greeting postcard.exe, or greeting card.exe. The files usually arrive as email attachments, which we have detected as W32.Mixor.Q@mm. Once infected, the worm attempts to gather email addresses from the compromised computer. It then sends a mass email with a copy of itself to those addresses.

If sending the worm is not rude enough, it also drops a Trojan horse named Trojan.Galapoper.A. The Trojan attempts to download these unwanted Christmas presents onto the infected computer from the Internet.

To mitigate the attack, customers are advised to update their products to the...