Vicrypt, Antivicrypt and Trojan.Ramvicrype Rumours.
03 Nov 2009
This concerns issues and rumours regarding viCrypt, Antivicrypt and trojan.Ramvicrype. Let’s officially make it clear how Exquisys Software Technology Ltd came out with the Antivicrypt solution.
Story of the Antivicrypt Solution:
One of our computers got infected by the Vicrypt malware at the end of August 2009, with downloads coming from rapidshare links. We noticed a slowdown of our computer and checked the process monitor to see what the cause was. We saw that regdtopt.exe was consuming some of the processor time, and soon after an error message appeared with "Vicrypt Error". We restarted the computer, the same happened, and there were entries for regdtopt.exe in the Windows registry. Lots of files were corrupted, especially in the My Documents folder. Changing back the extension brought no result. We had so many important files. At that time no real solution existed for that. While doing a search on Google, only results like download vicrypt, download vicrypt from rapidshare, download vicrypt from warez and things like these came up.

Since we knew that the cause of all this mess was regdtopt.exe, we decompiled the file to a low-level programming language to see what was in there. We noticed that regdtopt.exe uses the RC4 algorithm to encrypt file headers. Therefore we gathered all the character sequences from the decompiled regdtopt.exe to find out what the possible key used in the RC4 algorithm was, starting with a txt file and re-encrypting the entire file, which would decrypt the beginning of the file. The key used came out to be “regdtopt.exe”, which was the malware’s filename. Then we started checking in groups of 5 bytes to determine how many bytes Vicrypt corrupts. We could have got this information from the decompiled regdtopt.exe, but this would have taken us longer since it was in a low-level language. Therefore, after running more than 50 checks, we came to the conclusion that Vicrypt or regdtopt.exe corrupts or encrypts the first 35 bytes of files of type txt, doc and xls, while it is the first 10 bytes for the other file types. We then developed a tool to repair all our files, and it worked perfectly.
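The header repair described above, as an added example that is not Exquisys's Antivicrypt code: it assumes the parameters stated on this page (RC4 with the key "regdtopt.exe", a fresh keystream per file starting at offset 0, 35 bytes for txt/doc/xls and 10 bytes for everything else) and reproduces the 5-byte probing for text files, run over several constructed samples at once so a single lucky-looking file cannot give a wrong answer. All sample data is constructed.

```python
import os

KEY = b"regdtopt.exe"                        # RC4 key reported on this page
LONG_HEADER_EXTS = {".txt", ".doc", ".xls"}  # 35 bytes encrypted; all others 10

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XORed over data. RC4 is symmetric: the same operation that
    produced the damage undoes it, so re-encrypting with the right key repairs."""
    s = list(range(256))
    j = 0
    for i in range(256):                     # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                        # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def damaged_length(filename: str) -> int:
    """Number of leading bytes Vicrypt encrypts, by extension (per the page)."""
    return 35 if os.path.splitext(filename)[1].lower() in LONG_HEADER_EXTS else 10

def repair(filename: str, data: bytes) -> bytes:
    """Re-apply RC4 (fresh keystream, offset 0) to the damaged prefix only."""
    n = damaged_length(filename)
    return rc4(KEY, data[:n]) + data[n:]

def plausible_text(data: bytes, window: int = 40) -> bool:
    """Plausibility check for text files: leading bytes are printable ASCII."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data[:window])

def find_prefix_length(samples, step=5, limit=60):
    """The page's 5-byte probing over many damaged text files: the smallest n for
    which re-encrypting the first n bytes makes every sample plausible."""
    for n in range(step, limit + 1, step):
        if all(plausible_text(rc4(KEY, d[:n]) + d[n:]) for d in samples):
            return n
    return None

# Constructed samples (not real Vicrypt output). RC4 is symmetric, so repair()
# on clean data simulates the damage; repair() on the result restores it.
SAMPLES = [b"Quarterly report draft, prepared 28 August 2009. Figures pending audit.\n",
           b"Shopping list: milk, bread, eggs, coffee, paper towels and batteries.\n",
           b"Meeting notes: discuss the product page ranking and the press release.\n"]
DAMAGED = [repair("notes.txt", s) for s in SAMPLES]
```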
The solution was very easy to develop but a little time-consuming. We named the tool Antivicrypt (reversing the effect of Vicrypt) and put the solution on our website. It appeared on the third page of Google’s search results. We then did a software press release so that everyone could be aware of the solution. Later on we optimized our products page so that it could have a better page rank and the solution would be more visible to everyone experiencing the Vicrypt error.
Why was Antivicrypt a charged service?
Let's give an example here: why do Symantec, McAfee and others charge for their antivirus solutions?
Why are Antivirus companies not blamed for the release and propagation of viruses?
Since we were the first to discover a solution, we put it online so that it could be useful for others, and we did not have enough resources to release Antivicrypt as freeware. Due to the fact that we seemed to be the first to work out a solution for Vicrypt and there was no valid competitor on the horizon at that time, we thought of it as a profitable business. These were the reasons Antivicrypt was not free in the beginning. But Exquisys Software Technology Ltd didn’t put the price as high as others were charging. We saw another solution for the Vicrypt problem that was charging $75 and was not really adequate for the problem; instead it would mess up the files, but our solution was just $29 for a single license. It was fair enough. Not forgetting that most of the new technologies and software solutions developed do charge for their services. Even Symantec and most others charge for their antivirus tools. We also offered a free 7-file repair when Antivicrypt was not free, with which users could repair up to 7 files free of charge, thus recovering 7 of their most important files.
How did Antivicrypt become free?
Many people were saying that Antivicrypt works perfectly and smoothly in recovering files corrupted by Vicrypt or Trojan.Ramvicrype. Lots of them were students pleading with us for a free registration key so as to recover their projects and important work, and also businesses who suffered severe file loss. We did give some of them free registration keys, and some we gave coupon codes for discounts. Students did not have the means to purchase the charged service of Antivicrypt, thus they would have no means to recover their important work. Therefore we took the decision to release Antivicrypt as freeware so that students and businesses could be saved and benefit from us.
Some questions and doubts we all may have in mind:
Some people had noticed the presence of Vicrypt or Trojan.Ramvicrype in 2008, and our product Antivicrypt was released in September 2009.
So why is CNET directly blaming us and Symantec among others indirectly blaming us for the release of Vicrypt or Trojan.Ramvicrype? Is it because we have a solution for that? Or is it because a Mauritian company has been the first in the world to find an adequate solution, much before other bigger companies could?
Why are Antivirus companies not blamed for the creation and propagation of viruses?
Symantec released the FixRamvicrype tool for free, and they should have done so of course, since the Vicrypt malware or Trojan.Ramvicrype passed under the nose of Norton Internet Security undetected, ravaging people's files in the background. It is very obvious that they should release FixRamvicrype as a free tool to erase what Norton Internet Security failed to do, since they are already getting their money with NIS.
Why is the Vicrypt malware or Trojan.Ramvicrype called ransomware by Symantec?
Is it because our Antivicrypt web page showed up on the first page of Google’s search results and our press release showed up in many pages of Google’s search? Symantec is wrong on that! Think of this: if Vicrypt corrupts files in the system folder, the user will definitely not be able to access the internet to search for a tool or solution regarding the malware. In the worst case, the system may crash, which will lead to formatting the hard disk or re-installing Windows. If emails are themselves encrypted or corrupted, how can users buy a solution where licenses and registration keys are delivered via email? Therefore it can’t be ransomware. Symantec must take all these issues into consideration before declaring the Vicrypt malware ransomware. The truth is that Symantec does not know under which category to place this malware. Seeing that a paid solution existed to solve this issue and that they failed to recognize Vicrypt, they just called it ransomware.
Exquisys Software Technology has openly and officially made it clear that they have a solution for it. Exquisys Software Technology Ltd did not mask itself in this matter. From our point of view, Trojan.Ramvicrype or Vicrypt may be a joke, or someone trying to defeat Windows security systems, or even trying to defeat antiviruses for something bigger. Since we already have a solution for Vicrypt and this is becoming alarming, either the creators of the malware did not get the time to reveal their goal behind its creation or they are now scared to reveal it.
Norton Internet Security did not automatically notice the presence of Vicrypt or what the file regdtopt.exe was doing. It was only when the files were sent to them for analysis that they could bring forward a solution. By then, thousands of people were already infected. Is Symantec trying to cover up what their NIS 2010 could not detect, or did regdtopt.exe pass right by their NIS unrecognized?
Why did Symantec close their forum’s thread regarding Vicrypt as soon as they discovered Antivicrypt was free? Would that slow down their marketing using FixRamvicrype to attract more people to buy Norton Internet Security?
FixRamvicrype from Symantec does not offer as many options as Antivicrypt does. If you have specific files corrupted on removable media, you will have to wait for FixRamvicrype to finish checking all drives of the computer, which takes several minutes, while Antivicrypt is more flexible and allows you to select specific locations for repairing the corrupted or encrypted files.
We’ve also noticed that regdtopt.exe does not copy itself to various locations on the computer; it simply adds false entries to the registry, except for the first entry of regdtopt.exe under the string value “Optim1”. But it does search various locations to corrupt files.
We demand an official apology from CNET and others for trying to defame Exquisys Software Technology Ltd by writing articles on our company without even contacting us regarding this issue. From what we can see, Symantec did not mention Exquisys Software Technology in the news we released about Antivicrypt. But CNET did, citing "Symantec said". This seems pure conspiracy! There were also other proposed solutions for the Vicrypt problem which came up in Google search. Is it because we did not offer CNET a minimum of 30% affiliate commission when Antivicrypt was a charged service that Elinor Mills of CNET News converted the story in such a way as to defame us? Or is it a conspiracy of Symantec and CNET against Exquisys Software Technology Ltd, since they are ashamed that we had a perfectly working solution much before they did?
Are they trying to get famous while spreading rumours about other companies? Note that Exquisys Software Technology Ltd has been the first in the whole world to come up with a working solution for the Vicrypt problem, and others are now trying to make stories out of it to get famous.
We have also proved and made it clear how we reached the solution.