TR/Zippo.10 - Trojan

A voir aussi

Brève description

Description complète

Statistiques

Nom:	TR/Zippo.10
La date de la découverte:	17/03/2006
Type:	Cheval de Troie
En circulation:	Oui
Infections signalées	Faible
Potentiel de distribution:	Faible
Potentiel de destruction:	Faible
Fichier statique:	Oui
Taille du fichier:	1.191.936 Octets
Somme de contrôle MD5:	86a48836bced8c4a0B59fca972800890
Version VDF:	6.34.00.56

Général Méthode de propagation:
   • Il ne possède pas de propre routine de propagation

Les alias:
   • Symantec: Trojan.Cryzip
   • Mcafee: CryZip
   • Kaspersky: Trojan.Win32.Cryzip.a
   • TrendMicro: TROJ_CRYZIP.A
   • F-Secure: Trojan.Win32.Cryzip.a
   • Sophos: Troj/Zippo-A
   • Panda: Trj/Cryzip.A
   • Eset: Win32/Cryzip.A
   • Bitdefender: Win32.Zippo.10

Avant, il était détecté comme:
   • W32/Zippo.10

Fichiers Archivage:
Le Malware crée les archives dans lequels les fichiers sont enregistrés.

On analyse l'archive suivant:
   • %tous les dossiers%

Le processus omet les fichiers qui contiennent une chaîne de characters mentionnées ci-dessous:
   • SYSTEM
   • SYSTEM32

On analyse les types de fichier mentionnés ci-après:
   • *.arh; *.asm; *.arj; *.bas; *.cdr; *.cgi; *.chm; *.cpp; *.db; *.db1;
      *.db2; *.dbf; *.dbt; *.dbx; *.doc; *.dpr; *.dsw; *.frm; *.frt; *.frx;
      *.gtd; *.gz; *.gzip; *.jpg; *.key; *.kwm; *.lst; *.man; *.mdb; *.mmf;
      *.mo; *.old; *.p12; *.pas; *.pak; *.pdf; *.pgp; *.pl; *.pwl; *.pwm;
      *.rar; *.rtf; *.safe; *.tar; *.txt; *.xls; *.xml; *.zip

Voilà le nom du fichier comprimé:
   • %nom du fichier originel%_CRYPT_.ZIP

L'archive est protegé par le mot de passe suivant:
   • C:\Program Files\Microsoft Visual Studio\VC98

Ensuite le fichier originel est supprimé.

Les fichiers suivants sont créés:

– %tous les dossiers%\AUTO_ZIP_REPORT.TXT Ceci est un fichier texte non malveillant avec le contenu suivant:
   • OUR E-GOLD ACCOUNT: %nombre%

     INSTRUCTIONS HOW TO GET YUOR FILES BACK
     READ CAREFULLY. IF YOU DO NOT UNDERSTAND, READ AGAIN.

     This is automated report generated by auto archiving software.

     Your computer catched our software while browsing illigal porn
     pages, all your documents, text files, databases was archived
     with long enought password.

     You can not guess the password for your archived files - password
     lenght is more then 10 symbols that makes all password recovery
     programs fail to bruteforce it (guess password by trying all
     possible combinations).

     Do not try to search for a program what encrypted your information - it
     is simply do not exists in your hard disk anymore.
     If you really care about documents and information in encrypted files
     you can pay using electonic currency $300.
     Reporting to police about a case will not help you, they do not know
     password. Reporting somewhere about our e-gold account will not help
     you to restore files. This is your only way to get yours files back.

     ------------------------------

     How to pay to get your information back.

     1. click on this link to open your free e-gold account - the first
      screen is the e-gold "terms and conditions" page. You need to
      agree to these by clicking on the "I AGREE" button on the bottom
      on the page.
     2. On the next page is the sign up form:
      1. "Account name" - here is where you name your account - tip:
      make it easy to remember (as you will be asked for it) and
      reasonably short, example, "John's e-gold", "My Money e-gold"
      or perhaps "Felix" (whatever you like, just make it easy for
      you to remember it).
      2. "User Name" - here just repeat the account name (from 1 above).
      3. "Point of Contact" - this is where you put our name, address,
      phone number and email address (any email address can be used
      here but it is recommended you use your ISP address - not a
      free hotmail, etc address).
      It is also recommended your also include a fax number
      (don't have a fax number? This company offers free fax to email
      services). Try and make it as easy as possible for e-gold to contact you.
      4. "Passphrase" - this is the most important piece of information
      connected to any e-gold account. We can not stress enough how
      important it is that your passphrase is kept safe and secure.
      5. "Turing Number Entry" - type the 6 numbers you see there into the input
      box below.
      6. The last step click "Open"

     On the next page it will tell you that your e-gold account number has been emailed to you.

     check your email - you can expect to wait up to 5 minutes for your account number
     to arrive. If it does not arrive after 5 minutes then that means the email address
     you supplied was incorrect and you will have to open another new account (go through
     and repeat what you just did above again).

     To buy e-gold to your account please use official exchange services
     http://www.me-gold.com/
     http://www.goldex.net/
     http://usece.com/

     or try to search own way with
     http://gold-pages.net/e-Gold__1MDC__Pecunix_Wizard_Links/Purchase_E-gold/index.html
     http://www.google.com/search?hl=en&q=buy+e-gold&btnG=Google+Search

     FINALLY when you bought e-gold you have to transfer $300 to our e-gold account.
     In next 24 hours you will recieve $1 back to your account. Transfer details
     of this $1 transfer will have a link to software that will automatically
     unzip all your files back to normal state.

     Next day login to your account https://www.e-gold.com/acct/login.html,
     press History and press submit, you will see LINK TO UNZIP-software.

     Remember you are just $300 away from your files

Détails de fichier Langage de programmation:
Le fichier a été écrit en MS Visual C++.

Voir la description brève ici.

Description inséré par Andrei Gherman sur Fri, 17 Mar 2006 15:18 (GMT+1)
Description mise à jour par Alexander Vukcevic sur Wed, 29 Mar 2006 15:36 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back