Win32/Ransom [Threat Name] go to Threat

Win32/Ransom.B [Threat Variant Name]

Category trojan
Size 86016 B
Detection created Apr 10, 2009
Detection database version 3999
Aliases Trojan-Ransom.Win32.Agent.d (Kaspersky)
  Trojan.Horse (Symantec)
  TROJ_LOCKER.A (TrendMicro)
Short description

Win32/Ransom.B is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan removes itself from the computer.

Installation

When executed the trojan displays the following dialog box:

The trojan does not create any copies of itself.


The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "UserInit" = "%system%\­userinit.exe,%filepath%"

This causes the trojan to be executed on every system start, even in Safe Mode.

Other information

If the current system date and time matches certain conditions, the trojan removes itself from the computer.


The trojan disables the following key combinations: ALT + F4 .


The trojan may perform operating system restart.


The trojan creates the following files:

  • a.bat
  • %filename%.bin

The trojan contains a list of (1) URLs.


It can send various information about the infected computer.


The HTTP protocol is used.

Please enable Javascript to ensure correct displaying of this content and refresh this page.