Threatening Zippo Trojan gets its password cracked
By Matt Whipp
Posted on 15 Mar 2006 at 14:19
Security experts at Sophos say they have cracked the password needed to recover documents encrypted and held to ransom by a virus.
Sophos says the Trojan known as Zippo encrypts the documents on systems it infects and then demands $300 - about £175 - for the password to release them. While companies that make regular backups will be able to continue business simply by restoring the data, anyone who hasn't taken such precautions will need to unlock their files.
Graham Cluley, senior technology consultant at the company, told us that reports of the attack are currently few and far between. The common vector for infection appears to be through websites hosting the Trojan, which would have to be downloaded and run manually to be effective. Cluley added that the Trojan could also be circulating through file-sharing networks, perhaps posing as an entirely different file.
The Trojan demands that victims pay the ransom money to an eGold account. Cluley said the virus is programmed to use numerous eGold accounts so that should one be shut down, others will be available.
The password is then revealed through a link as part of a $1 refund sent back. The Trojan warns 'Reporting to police about a case will not help you, they do not know password. Reporting somewhere about our e-gold account will not help you to restore files. This is your only way to get yours files back.'
However, Sophos says it has already cracked the password. It is 'C:\Program Files\Microsoft Visual Studio\VC98'.
Cluley told us that Sophos had seen similar low-level extortion attempts of this nature in Russian. Although it is relatively unusual to now see this in English, Cluley said he wouldn't be surprised to see more in the future as financially-motivated attacks become more common.
He said it was now the authorities' task to follow the money trail and find those behind the attack.
