Win32/Ransom [Threat Name]

Win32/Ransom.I [Threat Variant Name]

Category: trojan
Size: 36864 B
Detection created: May 13, 2009
Detection database version: 4070
Aliases:
  Trojan-Ransom.Win32.Agent.t (Kaspersky)
  Trojan.Blackmailer.1139 (Dr.Web)
  Ransom!a (McAfee)

Short description

Win32/Ransom.I is a trojan that blocks access to the Windows operating system. To regain access to the operating system the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered the trojan removes itself from the computer.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\winsvc.exe (36864 B)

The trojan creates the following files:

  • %appdata%\msbios.dat

The following file is dropped into the %startup% folder:

  • Acro.lnk

This causes the trojan to be executed on every system start.
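
The installation artifacts listed above can be checked for on a host or a mounted profile. The following triage script is an added example, not part of the original description; the function names are hypothetical and the Startup folder path used in the command-line entry point is an assumed default. A file-name match alone is a lead for further analysis, not a verdict.

```python
import os
from pathlib import Path

# Artifact names and the sample size are taken from the description above.
EXPECTED_SIZE = 36864
APPDATA_NAMES = {"winsvc.exe", "msbios.dat"}
STARTUP_NAMES = {"acro.lnk"}


def _matches(directory, wanted):
    """Return files in `directory` whose lower-cased name is in `wanted`."""
    if not directory:
        return []
    try:
        return [p for p in Path(directory).iterdir()
                if p.is_file() and p.name.lower() in wanted]
    except OSError:  # directory missing or unreadable
        return []


def find_ransom_i_artifacts(appdata, startup):
    """Return sorted (path, note) tuples for the artifacts that are present."""
    findings = []
    for p in _matches(appdata, APPDATA_NAMES):
        if p.name.lower() == "winsvc.exe":
            size = p.stat().st_size
            note = ("size matches described sample" if size == EXPECTED_SIZE
                    else f"name match only, size {size} B")
        else:
            note = "file created by the trojan"
        findings.append((str(p), note))
    for p in _matches(startup, STARTUP_NAMES):
        findings.append((str(p), "startup shortcut (persistence)"))
    return sorted(findings)


if __name__ == "__main__":
    appdata = os.environ.get("APPDATA", "")
    # Assumption: default per-user Startup folder on Windows Vista and later;
    # pass a different path for older systems or mounted images.
    startup = os.path.join(appdata, "Microsoft", "Windows", "Start Menu",
                           "Programs", "Startup") if appdata else ""
    for path, note in find_ransom_i_artifacts(appdata, startup):
        print(f"{path}: {note}")
```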

Other information

The trojan displays the following dialog box:

When the correct password is entered the trojan removes itself from the computer.


The password to regain access to the operating system is one of the following:

  • 572244
