Trojan.Ramvicrype
Trojan.Ramvicrype is a Trojan that encrypts files in certain locations on the infected computer. Trojan.Ramvicrype also modifies the registry so that it is launched automatically when Windows starts.
Alias: Ransom-N
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
This Trojan searches for files in the folders ‘My Documents’, ‘Desktop’, and ‘Identities’. The extension of each file it finds is then replaced with .VICRYPT. Trojan.Ramvicrype also encrypts the header section of the affected files to make them inaccessible.
Occasionally, or when the user attempts to open an affected file, the Trojan displays one of the following messages:
Vicrypt error! Please restart Windows
viCrypt: A problem occurred, Please Restart Windows
Distribution
Trojan.Ramvicrype can spread in a variety of ways. It often arrives as a file attached to spam email messages masquerading as a chain letter or greeting card. In other cases, another piece of malware downloads and executes this threat on the computer.
Registry Entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"Optim1" = "regdtopt.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"Optim2" = "%UserProfile%\My Documents\regdtopt.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"Optim3" = "%UserAppData%\Identities\regdtopt.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"Optim4" = "%UserProfile%\Desktop\regdtopt.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"Optim[NUMBER]" = "[FOLDER CONTAINING INFECTED FILES]\regdtopt.exe"
Associated Files and Folders:
%UserProfile%\My Documents\regdtopt.exe
%UserAppData%\Identities\regdtopt.exe
%UserProfile%\Desktop\regdtopt.exe
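The registry values and file paths above are the host indicators a responder would check for before and after cleanup. The following PowerShell script is an added example and is not part of the original writeup; it is read-only (it reports, it does not delete or modify anything) and it generalizes the Optim[NUMBER] pattern by matching any Run value named Optim* or pointing at regdtopt.exe. It assumes a PowerShell 5.1 or later session running as the affected user, that %UserAppData% corresponds to $env:APPDATA, and that the indicator names (regdtopt.exe, .VICRYPT) are exactly those listed on this page.

```powershell
# Added example (not from the original writeup): report Trojan.Ramvicrype
# indicators on the current user's profile. Read-only: nothing is deleted.
# Assumptions: PowerShell 5.1+, run as the affected user; the value names
# (Optim*), dropper name (regdtopt.exe) and extension (.VICRYPT) are the
# ones listed in the writeup; %UserAppData% is taken to be $env:APPDATA.

$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$dropperName  = 'regdtopt.exe'
$encryptedExt = '.VICRYPT'
$findings     = @()

# 1. Autostart persistence: Run values named Optim<n> or launching regdtopt.exe
if (Test-Path $runKey) {
    $item = Get-Item $runKey
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($name -like 'Optim*' -or $value -match [regex]::Escape($dropperName)) {
            $findings += [pscustomobject]@{
                Type = 'RegistryRun'; Location = "$runKey\$name"; Detail = $value
            }
        }
    }
}

# 2. Copies of the dropper in the three folders the writeup names
$folders = @(
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:APPDATA 'Identities')
)
foreach ($folder in $folders) {
    $candidate = Join-Path $folder $dropperName
    if (Test-Path -LiteralPath $candidate) {
        # Hash the file so the sample can be matched against AV detections later
        $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type = 'DropperFile'; Location = $candidate; Detail = "SHA256=$hash"
        }
    }
}

# 3. Files already renamed to .VICRYPT (their headers are encrypted; count them
#    so you know how much data has to come back from backup)
foreach ($folder in $folders) {
    if (Test-Path -LiteralPath $folder) {
        Get-ChildItem -LiteralPath $folder -Recurse -File -Filter "*$encryptedExt" -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    Type = 'EncryptedFile'; Location = $_.FullName; Detail = "Size=$($_.Length)"
                }
            }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Trojan.Ramvicrype indicators found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize
    # Keep a record for the scan/quarantine step and for the incident notes
    $findings | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'ramvicrype_findings.csv')
}
```

Run the script before the antivirus scan to record what is present, and again after cleanup to confirm the Run values and dropper copies are gone; any remaining .VICRYPT files are data to restore from backup, since removing the Trojan does not decrypt them.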
How to Remove Trojan.Ramvicrype
1. Temporarily disable System Restore (Windows Me/XP).
2. To be able to identify even the most recent variant of Trojan.Ramvicrype, open your antivirus application and update the virus definition file.
3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- The system will now boot Windows, loading only the necessary drivers and files.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If an item cannot be deleted, place it in quarantine instead. Once the scan is complete, proceed with the next step.
Scan with Norton Power Eraser:
Norton Power Eraser, a free tool from Symantec, provides deep scanning technology to detect and remove threats like Trojan.Ramvicrype. NPE targets and eliminates threats that a regular virus scan fails to identify. Download NPE here.
Important! Because of Norton Power Eraser’s aggressive method, it can flag even legitimate files as suspicious. Please use this tool very carefully.
Arafat Hossain Piyada
Dec 30, 2009 @ 06:36:08
Thanks for sharing. This is a very interesting security utility. You can get a removal tool for free at http://www.symantec.com/security_response/writeup.jsp?docid=2009-102708-2133-99