Win32/Ransom [Threat Name]

Win32/Ransom.H [Threat Variant Name]

Category trojan
Size 421383 B
Aliases Trojan-Ransom.Win32.BlueScreen.f (Kaspersky)
  Trojan.Ransom.BlueScr.F (McAfee)
Short description

Win32/Ransom.H is a trojan that blocks access to the Windows operating system. To regain access, the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered, the trojan removes itself from the computer.

Installation

When executed, the trojan copies itself into the following location:

  • %temp%\sysstem.exe (421383 B)

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "sysman" = "%temp%\sysstem.exe"
    • "wincfg" = "%filepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "sysman" = "%temp%\sysstem.exe"

The following Registry entries are set to keep the user from escaping the lock screen (AutoRestartShell = 0 stops Winlogon from relaunching the shell if it is terminated; the two policy values disable Task Manager and the Registry editor):

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "AutoRestartShell" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
    • "DisableRegistryTools" = 1
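
As an added example (not part of the original ESET entry), the following PowerShell script checks a host for the file and Registry artifacts listed above and, when run with the -Remediate switch (an assumption of this example), removes the Run values and the dropped file and restores the lockdown values. Value names, paths and the file size are taken from this page; restoring AutoRestartShell to 1 relies on that being the Windows default, and the "wincfg" value is reported whatever it points to, since the page gives its data only as the placeholder %filepath%.

```powershell
# Added example: audit/remediate the Win32/Ransom.H artifacts described on this page.
# Run from an elevated prompt (HKLM is touched). -Remediate is this example's own switch.
param([switch]$Remediate)

$findings = @()

# Run-key values the trojan creates for persistence (names from the page).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'sysman', 'wincfg') {
        $val = $props.PSObject.Properties[$name]
        if ($null -ne $val) {
            $findings += [pscustomobject]@{ Location = $key; Name = $name; Value = $val.Value }
            if ($Remediate) { Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue }
        }
    }
}

# Lockdown values. AutoRestartShell is restored to its default (1); the two
# policy values are simply removed, which re-enables Task Manager and regedit.
$lockdown = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';        Name = 'AutoRestartShell';     Bad = 0; Fix = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'DisableTaskMgr';       Bad = 1; Fix = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'DisableRegistryTools'; Bad = 1; Fix = $null }
)
foreach ($item in $lockdown) {
    if (-not (Test-Path $item.Key)) { continue }
    $cur = (Get-ItemProperty -Path $item.Key -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
    if ($null -ne $cur -and $cur -eq $item.Bad) {
        $findings += [pscustomobject]@{ Location = $item.Key; Name = $item.Name; Value = $cur }
        if ($Remediate) {
            if ($null -eq $item.Fix) { Remove-ItemProperty -Path $item.Key -Name $item.Name }
            else { Set-ItemProperty -Path $item.Key -Name $item.Name -Value $item.Fix }
        }
    }
}

# Dropped copy in %temp%; the page lists it as 421383 bytes, so a size mismatch
# is worth noting but is not treated as a clean result.
$drop = Join-Path $env:TEMP 'sysstem.exe'
if (Test-Path $drop) {
    $len = (Get-Item $drop).Length
    $note = if ($len -eq 421383) { 'size matches page' } else { 'size differs from page' }
    $findings += [pscustomobject]@{ Location = 'File'; Name = $drop; Value = "$len B ($note)" }
    if ($Remediate) { Remove-Item -Path $drop -Force }
}

if ($findings.Count -eq 0) { 'No Win32/Ransom.H indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Because the lock screen blocks the interactive desktop, run this from a remote PowerShell session, from Safe Mode, or against the offline hives rather than from the locked console. If the password listed on this page is used instead, the trojan claims to remove itself; re-run the audit afterwards to confirm the Run values and lockdown settings are actually gone.
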

Other information

The trojan displays the following dialog box:

When the correct password is entered the trojan removes itself from the computer.
The password to regain access to the operating system is one of the following:

  • himydarling

The trojan disables the following key combinations:

  • ALT + F4
