Home / malware Trojan:Win32/Tobfy.A
First posted on 22 September 2012.
Source: MicrosoftAliases :
Trojan:Win32/Tobfy.A is also known as Trojan.Win32.Buzus.lzqq (Kaspersky), W32/Cridex.R (Norman), TR/Buzus.lzqq (Avira), Gen:Variant.Graftor.41228 (BitDefender), Trojan.Winlock.6673 (Dr.Web), Win32/LockScreen.AKU trojan (ESET), TROJ_SPNR.0BI312 (Trend Micro).
Explanation :
Trojan:Win32/Tobfy.A is a ransomware that prevents you from accessing your desktop by covering the desktop with a certain image.
The image contains fake instructions and misleading information about a ransom that you need to pay to regain control of your computer. The image misleadingly invokes legal authorities in an attempt to convince you to pay the ransom.
Installation
Trojan:Win32/Tobfy.A may have a random file name. It may be a hidden file.
It creates the following registry entry to allow it to automatically run every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: "<malware file name>"
Payload
Terminates processes
Trojan:Win32/Tobfy.A terminates the following process names if they are currently running in your computer:
- cmd.exe - Command prompt
- msconfig.exe - System configuration utility
- regedit.exe - Registry editor
- taskmgr.exe - Task manager
It also closes windows that have the title "Program Manager".
Disables drivers and services
Trojan:Win32/Tobfy.A disables devices, services, and drivers when the computer starts in Safe Mode and Safe Mode with Networking. It does this by renaming the following registry keys:
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal is renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network is renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net
Blocks computer access
Trojan:Win32/Tobfy.A prevents you from accessing your computer by displaying an image similar to the following:
The image contains instructions and information about a ransom payment to allow you to regain access to your computer. However, the image may invoke a legal authority in an attempt to add false credibility to its request. The legal authority is in no way actually connected to the image.
The image is downloaded from certain websites.
Analysis by Zarestel Ferrer
Last update 22 September 2012