Name: TR/Zippo.10
Detected on: 17/03/2006
Type: Trojan
In the wild: Yes
Reported infections: Low
Spreading potential: Low
Damage potential: Low
Static file: Yes
File size: 1,191,936 bytes
MD5 checksum: 86a48836bced8c4a0B59fca972800890
VDF version: 6.34.00.56 - Thu, 16 Mar 2006 06:08 (GMT+1)

General
Spreading method:
• No spreading routine of its own
Aliases:
• Symantec: Trojan.Cryzip
• Mcafee: CryZip
• Kaspersky: Trojan.Win32.Cryzip.a
• TrendMicro: TROJ_CRYZIP.A
• F-Secure: Trojan.Win32.Cryzip.a
• Sophos: Troj/Zippo-A
• Panda: Trj/Cryzip.A
• Eset: Win32/Cryzip.A
• Bitdefender: Win32.Zippo.10
Previously detected as:
• W32/Zippo.10

Files
Archiving:
Archive files are created and the victim's files are stored inside them.
The following directory is searched:
• %all directories%
Directories whose name contains one of the following strings are ignored:
• SYSTEM
• SYSTEM32
The following file types are considered:
• *.arh; *.asm; *.arj; *.bas; *.cdr; *.cgi; *.chm; *.cpp; *.db; *.db1; *.db2; *.dbf; *.dbt; *.dbx; *.doc; *.dpr; *.dsw; *.frm; *.frt; *.frx; *.gtd; *.gz; *.gzip; *.jpg; *.key; *.kwm; *.lst; *.man; *.mdb; *.mmf; *.mo; *.old; *.p12; *.pas; *.pak; *.pdf; *.pgp; *.pl; *.pwl; *.pwm; *.rar; *.rtf; *.safe; *.tar; *.txt; *.xls; *.xml; *.zip
The file name of the archive is:
• %original file name%_CRYPT_.ZIP
The archive file is protected with the following password:
• C:\Program Files\Microsoft Visual Studio\VC98
The original file is deleted afterwards.

The following files are created:
– %all directories%\AUTO_ZIP_REPORT.TXT
This file is a non-virulent text file with the following content:
• OUR E-GOLD ACCOUNT: %number%
  INSTRUCTIONS HOW TO GET YUOR FILES BACK
  READ CAREFULLY. IF YOU DO NOT UNDERSTAND, READ AGAIN.
  This is automated report generated by auto archiving software.
  Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enought password.
  You can not guess the password for your archived files - password lenght is more then 10 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).
  Do not try to search for a program what encrypted your information - it is simply do not exists in your hard disk anymore.
  If you really care about documents and information in encrypted files you can pay using electonic currency $300.
  Reporting to police about a case will not help you, they do not know password.
  Reporting somewhere about our e-gold account will not help you to restore files.
  This is your only way to get yours files back.
  ------------------------------
  How to pay to get your information back.
  1. click on this link to open your free e-gold account - the first screen is the e-gold "terms and conditions" page. You need to agree to these by clicking on the "I AGREE" button on the bottom on the page.
  2. On the next page is the sign up form:
     1. "Account name" - here is where you name your account - tip: make it easy to remember (as you will be asked for it) and reasonably short, example, "John's e-gold", "My Money e-gold" or perhaps "Felix" (whatever you like, just make it easy for you to remember it).
     2. "User Name" - here just repeat the account name (from 1 above).
     3. "Point of Contact" - this is where you put our name, address, phone number and email address (any email address can be used here but it is recommended you use your ISP address - not a free hotmail, etc address). It is also recommended your also include a fax number (don't have a fax number? This company offers free fax to email services). Try and make it as easy as possible for e-gold to contact you.
     4. "Passphrase" - this is the most important piece of information connected to any e-gold account. We can not stress enough how important it is that your passphrase is kept safe and secure.
     5. "Turing Number Entry" - type the 6 numbers you see there into the input box below.
     6. The last step click "Open"
  On the next page it will tell you that your e-gold account number has been emailed to you. check your email - you can expect to wait up to 5 minutes for your account number to arrive.
  If it does not arrive after 5 minutes then that means the email address you supplied was incorrect and you will have to open another new account (go through and repeat what you just did above again).
  To buy e-gold to your account please use official exchange services
  http://www.me-gold.com/
  http://www.goldex.net/
  http://usece.com/
  or try to search own way with
  http://gold-pages.net/e-Gold__1MDC__Pecunix_Wizard_Links/Purchase_E-gold/index.html
  http://www.google.com/search?hl=en&q=buy+e-gold&btnG=Google+Search
  FINALLY when you bought e-gold you have to transfer $300 to our e-gold account.
  In next 24 hours you will recieve $1 back to your account. Transfer details of this $1 transfer will have a link to software that will automatically unzip all your files back to normal state.
  Next day login to your account https://www.e-gold.com/acct/login.html, press History and press submit, you will see LINK TO UNZIP-software.
  Remember you are just $300 away from your files

File details
Programming language: The malware program was written in MS Visual C++.

Description created by Andrei Gherman on Fri, 17 Mar 2006 15:18 (GMT+1)
Description modified by Alexander Vukcevic on Wed, 29 Mar 2006 15:36 (GMT+1)
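The description above gives a responder everything needed to triage and recover from this trojan: the archive naming scheme (%original file name%_CRYPT_.ZIP), the report file AUTO_ZIP_REPORT.TXT, the targeted extensions, the skipped directories and the fixed ZIP password. The following script is an added example, not Avira's code and not the trojan's. It takes those indicators from the description and assumes nothing else; the victim-like directory tree it scans is constructed in a temporary directory so the script runs offline. One caveat is labelled in the code: Python's standard zipfile module can read ZipCrypto-protected archives when given pwd=, but cannot write them, so the constructed sample archive is stored unencrypted and the same restore call path performs the decryption only against a real Cryzip archive.

```python
import os
import shutil
import tempfile
import zipfile

# Indicators taken from the description: archive suffix, report file name,
# fixed archive password, skipped directory strings and targeted extensions.
ARCHIVE_SUFFIX = "_CRYPT_.ZIP"
REPORT_NAME = "AUTO_ZIP_REPORT.TXT"
ZIP_PASSWORD = rb"C:\Program Files\Microsoft Visual Studio\VC98"
SKIP_DIR_SUBSTRINGS = ("SYSTEM", "SYSTEM32")
TARGETED_EXTENSIONS = {
    ".arh", ".asm", ".arj", ".bas", ".cdr", ".cgi", ".chm", ".cpp", ".db", ".db1",
    ".db2", ".dbf", ".dbt", ".dbx", ".doc", ".dpr", ".dsw", ".frm", ".frt", ".frx",
    ".gtd", ".gz", ".gzip", ".jpg", ".key", ".kwm", ".lst", ".man", ".mdb", ".mmf",
    ".mo", ".old", ".p12", ".pas", ".pak", ".pdf", ".pgp", ".pl", ".pwl", ".pwm",
    ".rar", ".rtf", ".safe", ".tar", ".txt", ".xls", ".xml", ".zip",
}
# Two phrases from the ransom note's opening lines, used to recognise the report file.
REPORT_MARKERS = (b"OUR E-GOLD ACCOUNT:", b"generated by auto archiving software")
SAMPLE_TEXT = b"quarterly numbers (constructed sample content)\n"


def would_be_archived(path):
    """Predict whether the trojan would have archived this file: the extension is on
    its list and no parent directory name contains SYSTEM / SYSTEM32."""
    parts = path.replace("\\", "/").split("/")
    if any(s in d.upper() for d in parts[:-1] for s in SKIP_DIR_SUBSTRINGS):
        return False
    return os.path.splitext(parts[-1])[1].lower() in TARGETED_EXTENSIONS


def original_name(archive_path):
    """'report.doc_CRYPT_.ZIP' -> 'report.doc'; None if the name does not match."""
    base = os.path.basename(archive_path)
    if len(base) <= len(ARCHIVE_SUFFIX) or not base.upper().endswith(ARCHIVE_SUFFIX):
        return None
    return base[: -len(ARCHIVE_SUFFIX)]


def is_cryzip_report(path):
    """True if the file carries the ransom note's distinctive opening text."""
    with open(path, "rb") as f:
        head = f.read(4096)
    return all(marker in head for marker in REPORT_MARKERS)


def find_indicators(root):
    """Walk every directory (no skip list: a responder wants full coverage) and
    return (Cryzip archives, ransom report files)."""
    archives, reports = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if original_name(full) is not None:
                archives.append(full)
            elif name.upper() == REPORT_NAME and is_cryzip_report(full):
                reports.append(full)
    return archives, reports


def restore_archive(archive_path, password=ZIP_PASSWORD):
    """Write the archive's single member back under the original file name, next to
    the archive. The archive is left in place as evidence, an existing file at the
    destination is never overwritten, and the member's own name is ignored so a
    crafted member path cannot escape the directory."""
    name = original_name(archive_path)
    if name is None:
        raise ValueError(f"not a Cryzip archive name: {archive_path}")
    dest = os.path.join(os.path.dirname(archive_path), name)
    if os.path.exists(dest):
        raise FileExistsError(dest)
    with zipfile.ZipFile(archive_path) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if len(members) != 1:
            raise ValueError(f"expected one member, found {len(members)}")
        # zipfile decrypts a ZipCrypto entry when pwd= is given; for an unencrypted
        # entry (as in the constructed sample below) the password is ignored.
        with zf.open(members[0], pwd=password) as src, open(dest, "wb") as dst:
            shutil.copyfileobj(src, dst)
    return dest


def build_sample(root):
    """Construct a victim-like tree for offline testing (constructed data, not a
    real infection). The archive is stored unencrypted because the standard
    library cannot write ZipCrypto archives."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with zipfile.ZipFile(os.path.join(docs, "notes.txt" + ARCHIVE_SUFFIX), "w") as zf:
        zf.writestr("notes.txt", SAMPLE_TEXT)
    with open(os.path.join(docs, REPORT_NAME), "wb") as f:
        f.write(b"OUR E-GOLD ACCOUNT: %number%\r\n"
                b"INSTRUCTIONS HOW TO GET YUOR FILES BACK\r\n"
                b"This is automated report generated by auto archiving software.\r\n")
    with open(os.path.join(docs, "unrelated.zip"), "wb") as f:  # must not be flagged
        f.write(b"PK")
    return docs


def demo():
    """Build the sample tree in a temp dir, scan it, restore, and return a summary."""
    root = tempfile.mkdtemp(prefix="cryzip-demo-")
    build_sample(root)
    archives, reports = find_indicators(root)
    restored = [restore_archive(a) for a in archives]
    contents = [open(p, "rb").read() for p in restored]
    return {"archives": archives, "reports": reports,
            "restored": restored, "contents": contents}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

would_be_archived() is the triage half: run over a file inventory it tells you which files the trojan would have touched, so missing originals in those categories are expected losses rather than a second problem. restore_archive() deliberately keeps the archive and refuses to overwrite, so a run can be repeated and the original archives stay available as evidence.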