
W32.Crypto

Risk Level 1: Very Low

Discovered:
December 30, 1999
Updated:
February 13, 2007 11:33:11 AM
Also Known As:
Win32/Crypto
Type:
Virus

W32.Crypto is not known to be in the wild yet. Its payload is similar to that of the One_Half virus: the virus encrypts data on the hard drive, and if the virus is removed the data becomes inaccessible, effectively held hostage. Crypto uses strong cryptographic algorithms to encrypt the data on the hard disk, making recovery unlikely without a backup.

W32.Crypto uses the Microsoft Crypto API to encrypt DLLs as they are accessed on the system. The encryption key is generated by the virus on the infected system and stored in the registry as a key container under:

SOFTWARE\Microsoft\Cryptography\UserKeys\Prizzy/29A

The virus first infects the operating system file KERNEL32.DLL. Once infected, KERNEL32.DLL mediates all access to other DLLs on the system, and the virus encrypts every DLL that is accessed through it. While the virus is active in memory, it transparently decrypts the encrypted DLLs so they can be used. If the virus is not active in memory, the encrypted DLLs remain encrypted on disk, are unusable, and the system fails to work. Consequently an infected system can only be cleaned by restoring all affected DLL files from backup copies and deleting all infected executable files. Data files are not encrypted by this release of the virus.
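As an added triage example (not Symantec's tooling and not code from this writeup): a Python script that flags DLL files whose on-disk bytes no longer parse as a PE image, which is how the encrypted DLLs described above would look once the virus is not resident, and that looks for the key container path quoted above. The sample files are constructed, and placing the key container under HKCU is an assumption.

```python
import os
import struct
import sys
import tempfile
CRYPTO_KEY_PATH = r"SOFTWARE\Microsoft\Cryptography\UserKeys\Prizzy/29A"  # from the writeup; HKCU hive assumed

def looks_like_pe(data):
    """True when data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_suspect_dlls(root):
    """Sorted paths of *.dll files under root whose on-disk bytes are not a PE image."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".dll"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # headers sit at the front of the file
                if not looks_like_pe(head):
                    suspects.append(path)
    return sorted(suspects)

def crypto_key_container_present():
    """True/False if the key container exists under HKCU; None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, CRYPTO_KEY_PATH))
        return True
    except OSError:
        return False

def make_sample_tree(root):  # constructed demo input: one valid PE header, one scrambled blob
    good = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", good, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    good += b"\x00" * (0x80 - len(good)) + b"PE\x00\x00" + b"\x00" * 20
    with open(os.path.join(root, "ok.dll"), "wb") as fh:
        fh.write(good)
    with open(os.path.join(root, "scrambled.dll"), "wb") as fh:
        fh.write(bytes((i * 73 + 19) % 256 for i in range(256)))  # ciphertext-like bytes

def demo():
    with tempfile.TemporaryDirectory() as root:  # build the sample tree, return flagged names
        make_sample_tree(root)
        return [os.path.basename(p) for p in find_suspect_dlls(root)]
```

On a suspect system, run `find_suspect_dlls` against the Windows system directory from clean media rather than from the infected installation, since the resident virus decrypts DLLs transparently and would hide the damage.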

Antivirus Protection Dates

  • Initial Rapid Release version December 15, 2000
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version December 15, 2000 revision 041
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date pending

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: Low
Writeup By: Peter Szor
