Symantec, the largest maker of security software is reporting about a new type of trojan horse named Trojan.Ramvicrype. This trojan uses the RC4 algorithm to encrypt files on infected computers and renders them unusable. The Trojan.Ramvicrype, like most other trojans are usually transmitted from porn and warez sites. A sure sign that your computer is infected by this trojan is the presence of files that have .vicrypt extensions.

Once your computer is infected, Trojan.Ramvicrype will search for files under My Documents, Desktop and Application DataIdentities and renames them with a .vicrypt extension. It also looks for links in the Recent folder and renames all the files in the folders that are pointed to by those links and encrypts each file’s head section. If you try to run any of those files, you’ll get a Vicrypt Error message. A worst case scenario would be a file from the Windows system folder has been recently opened, leading to the Trojan.Ramvicrype encrypting all files in the Windows System folder and critically damaging those files.

Here’s a screenshot of a computer infected by the Trojan.Ramvicrype displaying a “Vicrypt error! Please Restart Windows” message.
Vicrypt Error

Previously, victims of this trojan who were looking for a fix were directed to a site that offered a paid software called AntiVicrypt. Because of this, Symantec and other security companies believe that the Trojan.Ramvicrype is some sort of ransomware and that the company offering AntiVicrypt was also responsible for spreading the trojan. Later, AntiVicrypt was offered as shareware and the trial version was limited to repairing 7 files. As of this time, AntiVicrypt is now offered FREE. I don’t know about you but based on the initial outcome/results, I won’t be trusting this company or any of its products.

To address this issue and help users, Symantec Security Response has developed a free tool to decrypt the encrypted files. The link below not only contains the link to download the free tool but it also includes step-by-step guide on how to use the Trojan.Ramvicrype Removal Tool.

Download Symantec’s Trojan.Ramvicrype Removal Tool.

[image source: Symantec]

JaypeeOnline is supported by its audience. When you click on the advertisements or purchase through links on our site, we may earn an affiliate commission. Learn more



Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Facebook or Twitter.


  • Wania, February 12, 2010 @ 11:39 AM Reply

    Thanks. it helped me.

  • Arafat Hossain Piyada, December 29, 2009 @ 10:40 PM Reply

    Thanks for sharing. This is very interesting security utility indeed. I just tested it today and my PC passed the test. :)

  • gerader, November 11, 2009 @ 7:29 AM Reply

    Symantecs tool does not seem to offer a decryption. According to Symantecs site “The Removal Tool does the following:

    Terminates the associated processes
    letes the associated files
    Deletes the registry values added by the threat”

  • Srinivas, November 11, 2009 @ 12:23 AM Reply

    we can buy anti vicrypt for $40 to decrypt. never rename the file extension as this will lead to permanent corrupt of file.

  • Industry News, November 7, 2009 @ 12:08 AM Reply

    These creatures are worse than spammers. Surely they can be held accountable or investigated to ascertain whether or not they created the ransomware, and then prosecuted and/or shut down? The freedom associated with the internet does have its dark side too, and the onus is on you as the user to do as much as possible to eliminate risky behaviour.

  • Jhay, November 5, 2009 @ 6:58 PM Reply

    This trojan is a nasty one. Though it’s a little consolation that it just encrypts files instead of overwriting or deleting them altogether.

  • Michael, November 5, 2009 @ 7:57 AM Reply

    I am not yet a victim of this virus but incase it’ll swarm under my system, I already have a protection. Thanks jaypee, nice information.

  • cah ndeso, November 4, 2009 @ 8:39 PM Reply

    that information is interesting enough to follow up. I might know, since when the virus is circulating? so I can quickly anticipate. For the moment I am still using Kaspersky.

  • DiTesco, November 4, 2009 @ 12:38 PM Reply

    Wow. Fortunately, I have not been infected by this Trojan (yet, considering that I visit way too much porn sites, haha – just kidding). This will go on my never ending “read-it-later” in case I need a quick fix.. thanks

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.