An emerging piece of ransomware has evolved the capacity to infect files on victim’s computers, in what security vendor Trend Micro believes is a first for the virus type.
Researchers at the firm found that Virlock acts like a worm, infecting files on a machine so that it can replicate itself unless the system is thoroughly cleansed, whilst also locking a victim’s computer before demanding payment for its release.
Writing on its blog, Trend Micro said: "Once inside the computer, Virlock creates and modifies registry entries to avoid detection and ensure execution.
"It then locks the screen of the affected computer, disabling explorer.exe and preventing the use of taskmgr.exe. Meanwhile, it also checks the location of the affected system to display the appropriate image for the ransom message."
The hackers behind Virlock have also imbued it with evasive techniques that are increasingly a feature of modern malware, programming the malware so that its code is reconstituted each time it runs, making it harder to analyse.
The virus is also able to encrypt the host file with two layers, making it more difficult for security programs to find and remove it.
"If the infected system is not properly cleaned, even the presence of a single infected file will trigger the infection chain all over again," Trend Micro sad.
"Once Virlock gets into a system network, it will be all over the place; it can infect a whole network system without notice."
In an added feature, hackers have also used icons commonly found on removal drives to disguise the malware, making it more likely the virus will be transferred through flash drives.
