Clippo.A Worm Puts a Password on All Office Documents

Clippo.A, or Vbs/Clippo.A.worm, is a new type of worm that locks Office documents with a password. According to Panda Security, it is a new worm first detected on Aug. 30, 2010. It prevents users from opening Office files (Word, Excel, PowerPoint, Outlook) by setting a password that is required to access them. It spreads through the folders of the system and through mapped and removable drives, making copies of itself in them.


Clippo.A is a worm that is a nuisance to users: it puts a password on all the Office documents it finds on the computer, and even on removable drives, so that users cannot open them. Users then have to enter a password whenever they want to open Word or Excel documents, PowerPoint presentations or Outlook emails. Unlike other similar malware samples, the purpose of this worm is not financial gain but simply to annoy users, as it does not request any ransom in exchange for the password. Clippo.A spreads through the folders of the system and through mapped and removable drives, making copies of itself in them.


Visible Symptoms: Clippo.A is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer. The worm copies itself as PICTURE.EXE and SOUND.EXE to all folders on the system, as well as to removable drives or network shares where it has write permissions.
It also creates a script called 1.VBE in the root directory of the C: drive, which copies the Windows Registry entry that the worm modifies in order to run whenever the computer is started.


Clippo.A modifies the following entry in the Windows Registry:
* HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  load
It changes this entry to:
* HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  load = c:\film.exe
By modifying this entry, Clippo.A ensures that it is run whenever Windows is started.


Clippo.A is 86,016 bytes in size. The worm sets the password 721709031350 on any Word document, PowerPoint presentation or Outlook email it finds. Malicious programs that block access to important files or operating system features usually ask for money in order to restore normal functionality.
Clippo affects Windows 2003 and XP, as well as previous versions of the operating system that are no longer actively supported by Microsoft. The network shares accessible from an infected computer and all removable storage devices plugged into it should also be scanned.
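
A triage sketch built from the indicators listed above (an added example, not code from Panda Security or the original post): it sweeps a directory tree for the dropped copies and classifies the `load` value taken from `reg query` output. The function names and the sample tree are constructed for illustration, and treating any other non-empty `load` value as worth review is an assumption.

```python
import os
import re
import tempfile

# Indicators as stated in the write-up above.
DROPPED_NAMES = {"picture.exe", "sound.exe"}
WORM_SIZE = 86016                 # bytes
ROOT_SCRIPT = "1.vbe"             # dropped in the drive root only
KNOWN_LOAD = r"c:\film.exe"
LOAD_RE = re.compile(r"^[ \t]*load[ \t]+REG_\w+[ \t]*(.*)$", re.I | re.M)

def scan_tree(root):
    """Walk root; return (relative path, verdict) for each indicator match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low in DROPPED_NAMES:
                try:
                    size = os.path.getsize(path)
                except OSError:          # unreadable or vanished file
                    continue
                verdict = "name+size" if size == WORM_SIZE else "name-only"
                hits.append((os.path.relpath(path, root), verdict))
            elif low == ROOT_SCRIPT and dirpath == root:
                hits.append((name, "root-script"))
    return sorted(hits)

def check_load_value(reg_query_text):
    """Parse `reg query ... /v load` output and classify the load value."""
    m = LOAD_RE.search(reg_query_text)
    value = m.group(1).strip() if m else ""
    if not value:
        return ("clean", "")
    verdict = "known-bad" if value.lower() == KNOWN_LOAD else "review"
    return (verdict, value)

def build_sample_tree():
    """Constructed test data: dummy zero-filled files, no malware content."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    for rel, size in (("docs/PICTURE.EXE", WORM_SIZE), ("Sound.exe", 10),
                      ("1.VBE", 5), ("docs/1.vbe", 5), ("docs/a.doc", 3)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

A "name-only" hit means the file name matches but the size does not, so it needs a closer look before it is treated as a copy of the worm.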
