Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat Level: Moderate threat
Distribution: Not widespread
Common name: Cryzip.A
Technical name: Trj/Cryzip.A
Threat level: Low

It compresses user files into password-protected ZIP files, so that affected users will not be able to open them until they enter the correct password.

Affected platforms:

Windows 2003/XP/2000/NT/ME/98/95

First detected on: March 13, 2006
Detection updated on: March 15, 2006

Brief Description 


Cryzip.A is a Trojan that compresses into password-protected ZIP format all files with any of the following extensions: ARH, ARJ (files compressed with ARJ), ASM, BAS, C, CDR, CGI, CHM, CPP, DB, DB1, DB2, DBF, DBT, DBX, DOC (Word documents), DPR, DSW, FRM, FRT, FRX, GTD, GZ, GZIP, JPG, KEY, KWM, LST, MAN, MDB (Access databases), MMF, MO, OLD, P12, PAK, PAS, PDF, PEM, PGP, PL, PWL, PWM, RAR (files compressed with WinRAR), RTF, SAFE, TAR, TXT (text files), XLS (Excel spreadsheets), XML and ZIP (files compressed with WinZip).

Users will not be able to open those files until they enter the password. Cryzip.A creates a text file with instructions about how to pay for the password using e-gold.

If you have been affected by this Trojan, the password to decompress the files is the following:
C:\Program Files\Microsoft Visual Studio\VC98

Cryzip.A does not spread automatically by its own means. It needs an attacking user's intervention in order to reach the affected computer.

Visible Symptoms 


Cryzip.A is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.

However, if files with the extensions mentioned above are missing and, in their place, there are files whose names contain the text string _CRYPT_.ZIP, your computer is likely to have been affected by Cryzip.A.
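
A triage check for the symptom described above, as an added example that is not part of the original Panda Security entry: it walks a directory tree, reports files whose names contain _CRYPT_.ZIP, and reads the ZIP encryption flag to confirm which entries are password-protected. The function names and the case-insensitive name match are assumptions of this example.

```python
import os
import zipfile

MARKER = "_CRYPT_.ZIP"  # name fragment given in the entry above


def encrypted_members(path):
    """Return names of encrypted entries in a ZIP, or None if it is not a readable ZIP."""
    try:
        with zipfile.ZipFile(path) as zf:
            # Bit 0 of the general-purpose flag marks a password-protected entry.
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except (zipfile.BadZipFile, OSError):
        return None


def scan(root):
    """Walk root and report every file whose name contains the marker."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Assumption: match case-insensitively, since Windows file names are.
            if MARKER in name.upper():
                path = os.path.join(dirpath, name)
                members = encrypted_members(path)
                findings.append({
                    "path": path,
                    "is_zip": members is not None,
                    "encrypted": members or [],
                })
    return findings


if __name__ == "__main__":
    import sys
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        if f["encrypted"]:
            state = "encrypted ZIP"
        elif f["is_zip"]:
            state = "ZIP, no encrypted entries"
        else:
            state = "not a ZIP"
        print(f"{f['path']}: {state}")
        for member in f["encrypted"]:
            print(f"    {member}")
```

The member names listed for each hit show which original files are inside the archive, which helps scope what needs to be restored.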