
Trojan:Win32/Tobfy.I


First posted on 20 November 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Tobfy.I is also known as Trojan/Win32.PornoAsset (AhnLab), Trojan-Ransom.Win32.PornoAsset.auhp (Kaspersky), Trojan horse ScreenLocker.AA (AVG), Win32/LockScreen.ANX trojan (ESET), Trojan-Ransom.Win32.PornoAsset (Ikarus), Troj/Ransom-KI (Sophos), Trojan.Ransomlock.K (Symantec), TROJ_RANSOM.DBO (Trend Micro).

Explanation:



Trojan:Win32/Tobfy.I is a ransomware trojan that targets users in certain countries. It locks your computer and displays a localized webpage that covers your desktop, demanding the payment of a fine for the supposed possession of illicit material.



Installation

Trojan:Win32/Tobfy.I may arrive on your computer via drive-by downloads. You may also inadvertently download it yourself, as it has been known to pose as the installer for certain popular applications, such as "uTorrent.exe", "Skype.exe", "ICQ.exe", and "Opera.exe".

Depending on the variant and OS version, it may create the following registry entry to allow it to automatically run every time Windows starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "svñhîst"
With data: "<malware file name>"
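One defender-side check that follows from this persistence entry, added here as an example and not part of the Microsoft write-up: scan Run-key value names for the Tobfy indicator and for non-ASCII lookalikes of common Windows component names (the value name above reads like "svchost" with two accented letters swapped in). The list of imitated names and the sample Run key are constructed assumptions for the example; on a live system the entries would be read with winreg instead.

```python
import unicodedata

# Run-key value name Trojan:Win32/Tobfy.I sets (from the write-up above);
# it reads like "svchost" with two accented letters swapped in.
TOBFY_VALUE_NAME = "sv\u00f1h\u00eest"  # "svñhîst"

# Well-known Windows component names a lookalike value name might imitate
# (assumed list, not from the write-up).
KNOWN_NAMES = {"svchost", "explorer", "winlogon", "csrss", "lsass"}

def strip_accents(text):
    """Fold accented letters to their ASCII base: 'svñhîst' -> 'svnhist'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def levenshtein(a, b):
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_run_value(name):
    """Return the reasons a Run-key value name is suspicious ([] if none)."""
    reasons = []
    if name == TOBFY_VALUE_NAME:
        reasons.append("exact match for Trojan:Win32/Tobfy.I value name")
    if any(ord(c) > 127 for c in name):
        folded = strip_accents(name).lower()
        near = sorted(k for k in KNOWN_NAMES if levenshtein(folded, k) <= 2)
        reasons.append("non-ASCII name resembles '%s'" % near[0] if near
                       else "non-ASCII characters in value name")
    return reasons

def scan_run_key(entries):
    """Map each suspicious value name in a Run key to its reasons."""
    return {n: r for n, _ in entries if (r := assess_run_value(n))}

# Constructed sample Run key (not a real export); the second entry mimics
# the persistence described above, with a made-up path.
RUN_KEY_SAMPLE = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (TOBFY_VALUE_NAME, r"C:\Users\Public\uTorrent.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]
```

Running `scan_run_key(RUN_KEY_SAMPLE)` flags only the Tobfy entry, with both the exact-match and the lookalike reasons.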



Payload

Closes programs

Trojan:Win32/Tobfy.I closes any program whose window has the title "Program manager". This is the window title used by the file "progman.exe".

Blocks computer access

Trojan:Win32/Tobfy.I displays a full-screen page downloaded from a certain website. The page covers all other windows, rendering your programs inaccessible. It is a fake warning pretending to be from a legitimate institution, demanding the payment of a fine, supposedly because illegal content has been found on your computer.

These displayed webpages may be detected as variants of Trojan:HTML/Ransom, such as Trojan:HTML/Ransom.D.

These webpages may appear similar to the following:





We have observed Trojan:Win32/Tobfy.I downloading the webpages from the following servers:


Takes webcam snapshots

Trojan:Win32/Tobfy.I uses your computer's webcam, if you have one installed, to show you your own video. This is likely an attempt to appear as if the threat of prosecution is legitimate, which may cause you to resort to paying the fine.

Additional information

Trojan:Win32/Tobfy.I will not continue to run if a window with any of the following window class name / window name pairs is found on your computer:

  • gdkWindowToplevel, 0 - possibly a tool used to find hidden dialog boxes
  • PROCMON_WINDOW_CLASS, 0 - legitimate Process Monitor tool


This threat will also exit if it detects that it is running under a debugger.



Analysis by Rodel Finones

Last update 20 November 2012
