Saturday, 25 February 2012

Trojan:Win32/Ransom.FL


Encyclopedia entry
Updated: Dec 19, 2011  |  Published: Oct 28, 2011

Aliases
  • W32/Ransom.UK (Norman)
  • Trojan.Winlock.4367 (Dr.Web)
  • Win32/LockScreen.AJA trojan (ESET)
  • Trojan-Ransom.Win32.Blocker (Ikarus)
  • Trojan-Ransom.Win32.Blocker.bly (Kaspersky)
  • Generic FakeAlert.fz (McAfee)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.359.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.115.102.0
Released: Oct 19, 2011

Summary

Trojan:Win32/Ransom.FL is a ransomware that targets people in several countries, including Germany and France. It displays a window that covers the entire desktop of the infected computer and demands payment for the supposed possession of illicit material.

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    • %AppData%\ehxgckss4ws4jfi2.dat
    • <system folder>\twexx32.dll
  • You see one of the following images covering your entire desktop screen:

Technical Information (Analysis)

Installation
Trojan:Win32/Ransom.FL copies the legitimate file "<system folder>\explorer.exe" to "<system folder>\twexx32.dll".
It then replaces the following files with a copy of itself:
  • <system folder>\explorer.exe
  • <system folder>\dllcache\explorer.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default location of the System folder for Windows 2000 and NT is C:\Winnt\System32; for Windows XP, Vista, and 7 it is C:\Windows\System32.
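An offline triage check for the file indicators described above (the %AppData% .dat file, twexx32.dll, and the replaced explorer.exe), added here as an example; it is not Microsoft's tooling. It assumes the volume is mounted read-only at a path of your choosing and uses the Vista/7 profile layout under Users\ (adjust profiles_dir for NT/2000 layouts); the sample volume it builds is constructed, not a real image.

```python
import hashlib
import os
import tempfile

INDICATOR_DAT = "ehxgckss4ws4jfi2.dat"  # dropped under each user's %AppData%
INDICATOR_DLL = "twexx32.dll"           # malware's copy of the legitimate explorer.exe

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def scan_volume(root, system_dir="Windows/System32", profiles_dir="Users"):
    """Return human-readable findings for a mounted (not booted) Windows volume."""
    findings = []
    sysdir = os.path.join(root, system_dir)
    dll = os.path.join(sysdir, INDICATOR_DLL)
    explorer = os.path.join(sysdir, "explorer.exe")
    # Per-user %AppData% drop; assumes the Vista/7 profile layout under Users\
    profiles = os.path.join(root, profiles_dir)
    for user in os.listdir(profiles) if os.path.isdir(profiles) else []:
        if os.path.isfile(os.path.join(profiles, user, "AppData", "Roaming", INDICATOR_DAT)):
            findings.append(f"{INDICATOR_DAT} present in profile {user}")
    if os.path.isfile(dll):
        findings.append(f"{INDICATOR_DLL} present in system folder")
        # The entry says twexx32.dll is the saved legitimate explorer.exe and that
        # explorer.exe is then overwritten, so a hash mismatch means it was replaced.
        if os.path.isfile(explorer) and _sha256(explorer) != _sha256(dll):
            findings.append("explorer.exe differs from twexx32.dll (likely replaced)")
    return findings

def build_sample_volume(infected):
    """Constructed sample volume in a temp dir (not a real disk image)."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "Windows", "System32")
    appdata = os.path.join(root, "Users", "alice", "AppData", "Roaming")
    os.makedirs(os.path.join(sysdir, "dllcache"))
    os.makedirs(appdata)
    real, bad = b"constructed: legitimate explorer.exe", b"constructed: lockscreen binary"
    for name in ("explorer.exe", os.path.join("dllcache", "explorer.exe")):
        with open(os.path.join(sysdir, name), "wb") as fh:
            fh.write(bad if infected else real)  # both copies are replaced when infected
    if infected:
        with open(os.path.join(sysdir, INDICATOR_DLL), "wb") as fh:
            fh.write(real)
        with open(os.path.join(appdata, INDICATOR_DAT), "wb") as fh:
            fh.write(b"\x00")
    return root
```

Run scan_volume against the root of a mounted volume; a clean volume yields an empty list, and a hash match between explorer.exe and a known-good copy from installation media remains the authoritative check.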
Payload
Prevents the user from accessing the desktop
Trojan:Win32/Ransom.FL displays a full-screen image that covers all other windows, rendering the computer effectively unusable. The image is a fake warning pretending to be from a legitimate institution such as the German "Bundespolizei" or the French "Gendarmerie Nationale". It demands the payment of a supposed fine. However, even if the user pays, the computer is still left unusable.
The images may appear as the following:
The text roughly translates to:
An unlawful activity has been found! Warning!!! The operating system was locked for infringement against the laws of the Federal Republic of Germany! Your IP Address is <removed>. From this IP address, sites containing pornography, child pornography, bestiality and violence against children were browsed. Your computer also has video files with pornographic content, elements of violence and child pornography. Emails with terrorist background were also spammed. This serves to lock the computer to stop your illegal activities.
The text roughly translates to:
Warning! Your computer was blocked due to violations of the laws of France. The following crimes have been found:
  • The distribution, editing or recording of pornographic material that involves underage persons.
  • Spam
  • Software usage that violates copyright laws
  • Multimedia file sharing that violates copyright laws
Users should note that these images are part of the scare tactics the malware uses to pressure the user into paying. Paying does not unlock the computer or remove this threat, so if you are affected by this threat it is recommended that you do not pay.
Trojan:Win32/Ransom.FL queries a legitimate IP address geolocation service to determine the country and the ISP from which the infected computer is connecting to the Internet.
Connects to remote servers
Trojan:Win32/Ransom.FL has been observed to connect to the following IP addresses:
  • 91.228.<removed>.157
  • 95.57.<removed>.214
Terminates processes
Trojan:Win32/Ransom.FL attempts to terminate the following processes every 100 milliseconds:
  • taskmgr.exe
  • procexp.exe
Analysis by Horea Coroiu
