By Jeremy Kirk
OCTOBER 25, 2005
IDG NEWS SERVICE
Two new versions of a virus first reported in May are staging renewed
attacks against computers in Russia, encrypting files and then
extorting money from victims to decode the files.
After an infection, the Russian-language instructions let victims know
how many of their files have been encrypted. Translated, the warning
says, "If you want to get these damn files in the decrypted format"
then write to the e-mail address given. The message goes on to say,
"P.S. And be thankful that they were not completely erased!"
The viruses, called JuNy.A and JuNy.B, search for more than 100 file
types by extension, according to a warning issued by Websense Inc. The
renewed attack was first reported on a weblog published by Kaspersky
So far, the viruses appear to be limited to Russia, and it's not known
how many computers have been affected. The viruses are similar to one
that struck in May called "gpcode," said David Emm, senior technology
consultant for Kaspersky in the U.K. The gpcode included an e-mail
address where presumably a fee for the decoder would be negotiated, he
"As I understand, this thing was progressive, and it would gradually
encrypt more and more stuff," Emm said.
Left alone, the virus would encrypt everything but a text file, Emm
said. It's suspected that the virus enters a computer after a user
visits a certain Web site and then exploits a vulnerability, Emm said.
Another theory is the virus is activated after a user runs some type
of executable code containing the virus, Emm said.
But it isn't easy tracing the origins of the viruses because "by the
time you get to hear of these things it's kind of erasing information
on the host machine," Emm said.
Virus writers who seek to extort money from victims are nothing new
and have been around since at least 1989, Emm said. In the last couple
of years, however, virus writers have moved away from writing
malicious code simply to display their skills and are increasingly
trying to make money, he said.
InfoSec News v2.0 - Coming Soon!