Virus Profile: Ransom-N

   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 11/3/2009
Date Added: 11/3/2009
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Trojan
DAT Required: 5792
Removal Instructions
   
 
 
   

Description

-- Update November 3, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/11/03/ransomware_ruse/

--

Ransom-N is a Trojan that, on execution, encrypts all the recently used files on the user's system. The user has to pay for the attackers' software to decrypt and recover their files.

Indication of Infection

Presence of files with the ".vicrypt" extension on the user's system.

Methods of Infection

Trojans are not viruses, and as such do not contain any method to replicate by themselves. However, they may be downloaded by other viruses and/or Trojans and installed on the user's system. Alternatively, they may be installed when the user visits a malicious web page (either by clicking on a link, or through a scripted exploit hosted on the website that installs the malware).

Aliases

Trojan.Ramvicrype (Symantec)
   

Virus Characteristics

Ransom-N is a Trojan that, on execution, encrypts all the recently used files on the user's system. The encrypted files are renamed with a ".vicrypt" extension.

Further, the user is shown error messages.

The Trojan runs in the background and keeps encrypting files as they are used.

   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations