New Worm Locks Documents with Password

By Lucian Constantin on September 6th, 2010 14:18 GMT

Malware researchers from Panda Security warn of a new worm, which locks all documents, presentations or emails found on infected computers with a password.

Dubbed Clippo.A, the worm copies itself as PICTURE.EXE and SOUND.EXE to all folders on the system, as well as to removable drives or network shares where it has write permissions.

Its payload involves dropping a file called FILE.EXE in the root of the C: drive and adding a "load=c:\film.exe" startup registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows.

Most importantly, the worm sets a 721709031350 password to any Word document, PowerPoint presentation or Outlook email it finds.

Malicious programs, that block access to important files or operating system features usually ask for money in order to restore normal functionality.

Such programs are collectively known as ransomware,but this doesn't appear to be the case with this threat.

"[…] The purpose of this worm is not to obtain financial gains but just to annoy users," the Panda Security researchers note.

Clippo stands to show that even though it is a rare occurrence these days, file damaging malware is not extinct.

Today's business-oriented cybercriminal landscape forces malware authors to focus on stealth and information stealing capabilities.

This worm does not follow that direction. It does not present its creators with any monetizing opportunities and does not attempt to fly under the radar; quite the opposite.

The most prominent family of malware which breaks files and is still actively developed is called Sality and is composed of file infecting viruses.

Clippo affects Windows 2003 and XP, as well as previous versions of the operating system that are no longer actively supported by Microsoft.

It can be rendered inactive by manually removing the registry entry and deleting the c:\file.exe file, but a full system scan with a capable and up-to-date antivirus program is highly recommended.

The network shares accessible from an infected computer and all removable storage devices plugged into it should also be scanned.
Clippo worm sets password to documents
   Clippo worm sets password to documents
MORE ON THIS TOPIC
LATEST NEWS
HOT RIGHT NOW

2 Comments