Saturday, 25 February 2012

Trojan:Win32/Ransom.DR

Encyclopedia entry
Updated: Aug 01, 2011  |  Published: Jun 10, 2011

Aliases
  • Trojan-Ransom.Win32.Fullscreen.jo (Kaspersky)
  • Trojan.Winlock.3333 (Dr.Web)
  • Win32/LockScreen.AGU trojan (ESET)
  • Trojan-Ransom.Win32.Fullscreen (Ikarus)
  • Ransom!ds (McAfee)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.359.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.105.1740.0
Released: Jun 10, 2011

Summary

Trojan:Win32/Ransom.DR is ransomware that prevents user access to the affected computer by covering the desktop with a certain image. The image covering the desktop contains instructions for the user to send an SMS to a premium number in order to regain control of the desktop.


Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • It prevents user access to the affected computer by displaying an image that covers the entire desktop. The image contains instructions to send an SMS to a premium number in order to regain access to the computer.
  • You cannot access the following processes:
    • EXPLORER.EXE
    • TASKMGR.EXE
  • You cannot control your mouse.
  • Your desktop may have been replaced with the following image:


Technical Information (Analysis)

Trojan:Win32/Ransom.DR is ransomware that prevents user access to the affected computer by covering the desktop with a certain image. The image covering the desktop contains instructions for the user to send an SMS to a premium number in order to regain control of the desktop.
Installation
Trojan:Win32/Ransom.DR may arrive on the computer with a random file name. Upon execution, Trojan:Win32/Ransom.DR sets the hidden attribute on its own file.
It creates a registry entry to allow it to automatically run every time Windows starts.
Payload
Disables drivers and services
Trojan:Win32/Ransom.DR disables devices, services and drivers when the computer starts in Safe Mode and Safe Mode with Networking. It does this by renaming the following registry keys, so that Windows no longer finds the lists of components it should load in either Safe Mode variant:
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal - renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\M
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network - renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\N
Blocks computer access
Trojan:Win32/Ransom.DR prevents user access to the affected computer by displaying an image that covers the entire desktop. The image contains instructions to send an SMS to a premium number in order to regain access to the computer. The image may look similar to the following:
It also terminates "EXPLORER.EXE" and "TASKMGR.EXE" and disables mouse cursor control.
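As an added defensive check, not part of the Microsoft entry, the following PowerShell script audits the two SafeBoot keys this malware renames and lists Run-key entries whose target executable carries the Hidden attribute (the two behaviours described above). The list of expected SafeBoot subkeys (Minimal, Network, Option) is an assumption about a standard Windows installation.

```powershell
# Added example: audits the SafeBoot keys Trojan:Win32/Ransom.DR renames and
# reports Run-key entries whose target file is Hidden. Run as Administrator.
$SafeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
# Assumption: on a standard install only these subkeys exist (Option is created
# by Windows itself when the machine is booted into Safe Mode).
$KnownSafeBootKeys = @('Minimal', 'Network', 'Option')

function Test-SafeBootKeys {
    $findings = @()
    $present = @(Get-ChildItem -Path $SafeBoot | ForEach-Object { $_.PSChildName })
    foreach ($name in 'Minimal', 'Network') {
        if ($present -notcontains $name) {
            $findings += "Missing $SafeBoot\$name - Safe Mode will not load its drivers/services"
        }
    }
    foreach ($k in $present) {
        if ($KnownSafeBootKeys -notcontains $k) {
            $findings += "Unexpected subkey $SafeBoot\$k - possibly a renamed Minimal/Network (the entry documents 'M' and 'N')"
        }
    }
    return $findings
}

function Get-HiddenRunEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $raw = [string]$p.Value
            # First quoted token, else first whitespace-delimited token, is the executable
            $path = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
            $path = [Environment]::ExpandEnvironmentVariables($path)
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $attrs = (Get-Item -LiteralPath $path -Force).Attributes   # -Force sees hidden files
            if (($attrs -band [IO.FileAttributes]::Hidden) -ne 0) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Path = $path }
            }
        }
    }
}

Test-SafeBootKeys
Get-HiddenRunEntries | Format-Table -AutoSize
# Remediation once a renamed key is confirmed: rename it back, e.g.
#   Rename-Item -Path "$SafeBoot\M" -NewName 'Minimal'
```

A hidden Run-key target is only a hint; legitimate software rarely hides its own executable, but confirm the file with your antimalware product before removing anything.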
Analysis by Zarestel Ferrer
