A new attack uses an unpatched Internet Explorer flaw to install a Trojan that essentially then holds computer files on infected systems hostage.
Users become infected by browsing a malicious Web site if they haven't applied Microsoft patch MS04-023. The site uses the Windows help subsystem and a .chm file to upload a Trojan that Websense Security Labs called Download-AAG. It then connects to another malicious site for further instructions, after which it encodes files on the user's local hard disk and mapped drives and drops a message on the system telling the infected user how to buy the decoder through an online E-Gold account.
San Diego-based Websense said it has received several reports of the attack from its customers.
The Associated Press reported that this type of attack has been dubbed "ransom-ware" and that the attacker demands $200 for the decoding software. The AP said Websense discovered the attack when an unidentified corporate customer fell victim to the infection, which encrypted files that included documents, photographs and spreadsheets. The article reports that the attack encoded at least 15 different types of data files.
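The infection chain above ends with two observable artifacts on the victim's disks: data files whose contents have been replaced with ciphertext, and a dropped ransom note. The following is an added example, not code from the article or from Websense or Symantec, of a defender-side scan that looks for both across a folder tree (a local drive or a mapped network drive). It uses Shannon entropy to spot files that now look encrypted, skips legitimately compressed formats whose magic bytes are still intact, and flags small text files carrying ransom-note phrases. The note marker phrases, file names, magic-byte table and the 7.5 bits/byte threshold are assumptions chosen for illustration; the real note's wording is not given in the article.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Entropy above this (bits per byte, maximum 8.0) is treated as "looks encrypted".
# Plain-text documents typically score 4-5 bits/byte; ciphertext scores close to 8.
ENTROPY_THRESHOLD = 7.5  # assumption: tune per environment

# Constructed marker phrases; the real note's wording is not in the article.
NOTE_MARKERS = ("decoder", "e-gold", "your files have been encoded")

# Formats that are high-entropy when legitimate. If the file still starts with
# its expected magic bytes it is treated as compressed, not encrypted.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG",
    ".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_like_ransom_note(path: Path) -> bool:
    """True for a small text file containing any of the constructed marker phrases."""
    try:
        if path.stat().st_size > 16 * 1024:
            return False
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)


def scan_tree(root: Path, sample_bytes: int = 4096) -> dict:
    """Walk root and return {'encrypted': [...], 'notes': [...]} (paths as strings)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if looks_like_ransom_note(p):
                notes.append(str(p))
                continue
            try:
                with p.open("rb") as fh:
                    head = fh.read(sample_bytes)  # a prefix is enough to estimate entropy
            except OSError:
                continue
            sig = MAGIC.get(p.suffix.lower())
            if sig is not None and head.startswith(sig):
                continue  # compressed format with its header intact: not flagged
            # Tiny files give noisy entropy estimates, so require a minimum sample.
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                encrypted.append(str(p))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def build_sample_tree() -> Path:
    """Constructed fixture: an ordinary document, an intact PNG, an 'encoded' file and a note."""
    root = Path(tempfile.mkdtemp(prefix="ransom_demo_"))
    (root / "budget.txt").write_text("quarterly budget figures\n" * 40)
    (root / "real.png").write_bytes(b"\x89PNG" + os.urandom(2048))  # header intact
    (root / "photo.jpg").write_bytes(os.urandom(4096))  # stands in for an encrypted photo
    (root / "ATTENTION.txt").write_text(
        "Your files have been encoded. Buy the decoder via an E-Gold account ...\n"
    )
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_tree(demo_root)
    print("possible encrypted files:", result["encrypted"])
    print("ransom notes:", result["notes"])
```

Entropy alone produces false positives on compressed data, which is why the magic-byte check matters: a JPEG that still begins with `FF D8 FF` is just a JPEG, while a `.jpg` that no longer does is worth a look. In a real deployment the scan would run from a read-only or snapshot view so the scanner itself never touches file timestamps that forensics may later rely on.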
The IE flaw was labeled "critical" by Microsoft when the patch was released last July. Experts recommend vulnerable IE users apply the patch immediately. Vulnerable Windows versions include:
- Windows 2000 SP2, SP3 and SP4
- Windows XP and Windows XP SP1
- Windows XP 64-Bit Edition SP1
- Windows XP 64-Bit Edition Version 2003
- Windows Server 2003
- Windows Server 2003 64-Bit Edition
Antivirus provider Symantec identifies the malware as Trojan.Pgpcoder and ranked it a low threat because it is not self-propagating. However, the AV vendor acknowledged the malware represents a growing trend among "for-profit" online criminals. "This Trojan horse is certainly an example of using cryptography for malicious purposes," said Oliver Friedrichs, senior manager of Symantec Security Response, in a statement. "It is the equivalent of someone coming into your home, locking your valuables in a safe and refusing to give you the combination."
This article originally appeared on SearchSecurity.com.