- December 30, 1999
- February 13, 2007 11:33:11 AM
Also Known As:
W32.Crypto is not known to be in the wild yet. Its payload resembles that of the One_Half virus: Crypto encrypts files on the hard drive (in this release, DLLs), and if the virus is removed without restoring those files, they stay encrypted and are effectively held hostage. Crypto uses strong cryptographic algorithms to encrypt the files, making recovery unlikely without a backup.
W32.Crypto uses the Microsoft Crypto API to encrypt DLLs as they are accessed on the system, using an encryption key that the virus adds to the infected system and stores in the registry as:
The virus first infects the operating-system file KERNEL32.DLL. Because KERNEL32.DLL mediates the loading of every other DLL on the system, the infected copy lets the virus encrypt each DLL as it is accessed. While the virus is active in memory it transparently decrypts the encrypted DLLs on access, so the system keeps working. If the virus is not active in memory, nothing decrypts them: every encrypted DLL is inaccessible and the system fails to work. Simply deleting the virus therefore leaves the DLLs unusable; an infected system can only be cleaned by restoring all affected DLL files from backup copies and deleting all infected executable files. Data files are not encrypted by this release of the virus.
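The hostage model and the clean-up problem described above, as an added example that is not part of the original writeup and is not the virus's code: a small Python triage tool that (1) simulates a DLL whose decryption key lives only in a stand-in "registry", so the file parses as a PE only while the key is available, and (2) scans a directory for .dll files that no longer carry a valid MZ/PE header, which after the virus is removed is exactly the list of files to restore from backup. The SHA-256 counter-mode keystream is an assumption standing in for the CryptoAPI cipher, which the writeup does not name; the registry value name and the sample files are constructed for the demo.

```python
"""
Added example: triage for a W32.Crypto-style DLL-encrypting infection.
Not Symantec's code and not the virus. Once the virus is no longer resident,
nothing decrypts DLLs on access, so an encrypted DLL is simply a file whose PE
structure is gone. The scan below finds those files; the hostage helpers show
why the key (held only in the registry) decides whether a DLL is usable.
"""
import hashlib
import math
import struct
import tempfile
from collections import Counter
from pathlib import Path


def is_valid_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew offset points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext sits near 8.0, real code and data well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> str:
    """Classify a file that is supposed to be a DLL."""
    if is_valid_pe(data):
        return "intact"
    if shannon_entropy(data) > 7.0:
        return "encrypted"   # headerless and near-random bytes: restore from backup
    return "damaged"         # headerless but structured: truncated or overwritten


# --- hostage model: the key exists only in the (simulated) registry -------------

def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (assumption; stand-in for the real cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "little")).digest()
        block += 1
    return bytes(out[:length])


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Symmetric: the same call encrypts or decrypts a whole file image."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


REG_KEY_NAME = "HKCU\\Software\\CryptoDemo\\Key"   # hypothetical registry value name


def load_dll(stored: bytes, registry: dict) -> bytes:
    """Mimics the resident virus's hook: decrypt on access only if the key is present."""
    key = registry.get(REG_KEY_NAME)
    return xor_with_key(stored, key) if key else stored


def build_minimal_pe(size: int = 4096) -> bytes:
    """Constructed sample: DOS header with e_lfanew = 0x80, PE signature, repetitive filler."""
    img = bytearray(size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\x00\x00"
    img[0x200:] = (b"\x55\x8b\xec\x90\xc3" * size)[: size - 0x200]   # low-entropy "code"
    return bytes(img)


def scan_dlls(root: Path) -> dict:
    """Map every *.dll under root to its triage verdict (run this against System32 post-cleanup)."""
    return {p.name: triage(p.read_bytes()) for p in sorted(root.rglob("*.dll"))}


def demo() -> dict:
    """Write three constructed DLLs to a temp dir and scan them."""
    key = b"\x01" * 16   # constructed key; the real virus stores its key in the registry
    clean = build_minimal_pe()
    encrypted = xor_with_key(clean, key)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "intact.dll").write_bytes(clean)
        (root / "hostage.dll").write_bytes(encrypted)
        (root / "truncated.dll").write_bytes(b"MZ" + b"\x00" * 30)  # too short for e_lfanew
        return scan_dlls(root)


if __name__ == "__main__":
    key = b"\x01" * 16
    enc = xor_with_key(build_minimal_pe(), key)
    print("virus resident :", triage(load_dll(enc, {REG_KEY_NAME: key})))
    print("virus removed  :", triage(load_dll(enc, {})))
    for name, verdict in demo().items():
        print(f"{verdict:10s} {name}")
```

The entropy threshold only matters for files that already fail the header check; a DLL that still parses as PE is reported intact regardless, and a headerless file with low entropy is more likely truncated or overwritten than encrypted, so it is flagged separately.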
Antivirus Protection Dates
Initial Rapid Release version December 15, 2000
Latest Rapid Release version September 28, 2010 revision 054
Initial Daily Certified version December 15, 2000 revision 041
Latest Daily Certified version September 28, 2010 revision 036
Initial Weekly Certified release date pending
Writeup By: Peter Szor