Slashdot Mirror


Virus Holds Computer Files 'Hostage' for $200

dwayner79 sent in a story about a new virus making the rounds; this one is unique because it locks your files and then demands a $200 ransom to get them back. It seems to me that this might leave some sort of traceable money trail. They don't have much information on any particular transmission mechanism; they just talk about web pages giving it up.

7 of 488 comments

  1. Must be a real moron by Kosi · · Score: 5, Informative

    because his "blackmail-letter" is a file called attention!!!.txt, containing this:

    Some files are coded.
    To buy decoder mail: n781567@yahoo.com
    with subject: PGPcoder 000000000032

  2. Re:It won't get a penny from me... by HadenT · · Score: 5, Informative

    Why not:
    generate random key, encrypt data with it (symmetric),
    encrypt that key with public one (stored in virus itself), destroy random key, give victim encrypted key.
    Victim sends encrypted key to author, he decrypts it using his private key and sends it back.

  3. Re:I call hoax by t123 · · Score: 5, Informative

    Try the Websense website with more detailed information.

    The original infection occurs when the user visits a malicious website that exploits a previous vulnerability in Microsoft Internet Explorer. This vulnerability allows applications to run without user intervention. The malicious website uses the Windows help subsystem and a CHM file to download and run a Trojan Horse (download-aag). The downloader then connects, via HTTP, to another malicious website. This website hosts the application that encodes files on the user's local hard disk and on any mapped drives on the machine. The malicious code also drops a message onto the system with instructions on how to buy the tool needed to decode the files. This message includes the email address of a third party to contact for instructions, and the user is directed to deposit money into an online E-Gold account.

  4. Re:Finally! by Dusabre · · Score: 4, Informative

    WATCH OUT!

    There is a thumbnail!

  5. Re:Wow by httptech · · Score: 5, Informative

    Yes, funny funny. In context, though, you have to know the question the reporter asked me, which was, "Do you think this software was a test, or do you think it was malicious?"

    -Joe

    --
    Joe Stewart, GCIH
    Senior Security Researcher
    LURHQ http://www.lurhq.com/

  6. Re:Crypto Question by swillden · · Score: 4, Informative

    If you have just two files it's still extremely hard... you need something like 2^23 files to do it in a reasonable amount of time (assuming RSA+IDEA).

    This post is incorrect. Probably a semi-subtle troll rather than an honest error.

    Neither RSA nor IDEA is vulnerable to a known-plaintext attack. In fact, any cipher that is vulnerable to such an attack is considered completely insecure, especially if only 2^23 "files" are needed.

    If you get to choose the contents of one of the files it's only about 2^17.

    Neither RSA nor IDEA is vulnerable to a chosen-plaintext attack. There were some chosen-plaintext attacks against RSA a few years back (mid 90s), but proper padding eliminates them. And far more than 2^17 trials were required for typical key sizes. Again, no cipher that was vulnerable to such an attack would be considered secure.

    Obviously, if the keys are larger, it will take exponentially longer.

    Larger than what? Are you assuming extremely small key sizes in order to achieve the numbers above? Actually, you don't get to pick the size of an IDEA key, because IDEA keys are 128 bits. Though you can arbitrarily fix key bits to produce a smaller effective key, there's no reason why the virus writer would want to do that.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
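
To make the known-plaintext point in the comment above concrete, here is an added example (not part of the thread, and not a description of what this trojan actually does): a constructed repeating-key XOR encoder, for which one file held in both original and encoded form gives up the key for every other file. RSA and IDEA, as the comment says, offer no such shortcut. All function names, the key and the sample file contents are assumptions made for illustration.

```python
from itertools import cycle

def xor_encode(data: bytes, key: bytes) -> bytes:
    """Toy encoder (constructed): XOR with a repeating key; decoding is the same call."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def shortest_period(stream: bytes) -> int:
    """Smallest p for which the stream is its first p bytes repeated."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)

def recover_key(plain: bytes, encoded: bytes) -> bytes:
    """Derive the key from one file available in both original and encoded form.

    XORing the pair exposes the keystream. If the pair is shorter than the key,
    only that prefix of the key is recovered.
    """
    keystream = bytes(p ^ c for p, c in zip(plain, encoded))
    return keystream[:shortest_period(keystream)]

# Constructed sample data: a secret key, one file the owner still has a clean
# backup of, and one file that exists only in encoded form.
SECRET_KEY = b"k3y-2005"
BACKUP_COPY = b"Quarterly report, draft 2. Figures are provisional."
ENCODED_BACKUP_TWIN = xor_encode(BACKUP_COPY, SECRET_KEY)
ENCODED_ONLY = xor_encode(b"Family photo index: 2003-2005", SECRET_KEY)

def restore_without_key() -> bytes:
    """Recover the second file using only the known pair, never SECRET_KEY."""
    key = recover_key(BACKUP_COPY, ENCODED_BACKUP_TWIN)
    return xor_encode(ENCODED_ONLY, key)

if __name__ == "__main__":
    print(recover_key(BACKUP_COPY, ENCODED_BACKUP_TWIN))
    print(restore_without_key())
```

This is why a clean backup of even one affected file is worth keeping during recovery: against a weak encoder it can be enough to restore the rest, while against a properly used cipher it reveals nothing about the key.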