Extortion virus makes rounds in Russia

Two new versions of a virus first reported in May are staging renewed attacks against computers in Russia, encrypting files and then extorting money from victims to decode the files.

After an infection, the Russian-language instructions let victims know how many of their files have been encrypted. Translated, the warning says, "If you want to get these damn files in the decrypted format" then write to the e-mail address given. The message goes on to say, "P.S. And be thankful that they were not completely erased!"

The viruses, called "JuNy.A" and "JuNy.B," search for more than 100 file types by extension, according to a warning issued by Websense Inc. The renewed attack was first reported on a Web log published by Kaspersky Lab.

So far, the viruses appear to be limited to Russia, and it's not known how many computers have been affected. The viruses are similar to one that struck in May called "gpcode," said David Emm, senior technology consultant for Kaspersky in the U.K. The "gpcode" included an e-mail address where presumably a fee for the decoder would be negotiated, he said.

"As I understand, this thing was progressive, and it would gradually encrypt more and more stuff," Emm said.

Left alone, the virus would encrypt everything but a text file, Emm said. It's suspected the virus enters a computer after a user visits a certain Web site, and it exploits a vulnerability, Emm said. Another theory is the virus is activated after a user runs some type of executable code containing the virus, Emm said.

But it isn't easy tracing the origins of the viruses because "by the time you get to hear of these things it's kind of erasing information on the host machine," Emm said.

Virus writers who seek to extort money from victims are nothing new and have been around since at least 1989, Emm said. In the last couple years, however, virus writers have moved away from writing malicious code simply to display their skills and are increasingly trying to make money, he said.