Trojan:Win32/Ransom.Q
First posted on 16 November 2012.
Source: Microsoft
Aliases :
Trojan:Win32/Ransom.Q is also known as TR/Crypt.ZPACK.Gen (other), Trojan-Ransom.Win32.Chameleon.p (Kaspersky), Worm.Win32.Rimecud.a (Sunbelt Software), Trojan.Ransomlock.C (Symantec).
Explanation :
Trojan:Win32/Ransom.Q is a trojan that terminates specific applications on an affected user's computer. The trojan then demands that the affected user send a text message to a premium-charge number in order to receive a response code that renders the affected computer usable again.

Installation

Trojan:Win32/Ransom.Q may be installed by other malware and may be present as the file "mfo.exe" in the Windows folder, with an icon resembling a Microsoft PowerPoint data file.

When run, it modifies the registry so that the trojan runs at each Windows start:

Adds value: "mfo.exe"
With data: "%windir%\mfo.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Payload

Terminates processes

When run, it attempts to end the following processes, some of which may be present on the affected computer:

anvir.exe - security-related program
chrome.exe - Web browser application
explorer.exe - Windows shell
iexplorer.exe - presumably intended to target Internet Explorer (note that the actual Internet Explorer executable is named "iexplore.exe")
icq.exe - Internet chat client
msnmsgr.exe - Internet chat client
mirc.exe - Internet chat client
msconfig.exe - Windows utility
opera.exe - Web browser application
regedit.exe - Windows utility
regedt32.exe - Windows utility
texpl.exe - RusTex Cyrillic text processing component

When the Windows shell (explorer.exe) is terminated, many common user operations are disabled.

Locks Machine/Demands Ransom

When the affected machine is restarted, it displays a message demanding that the user send a text to a premium-charge number.

The message claims to be from Microsoft Corporation; however, the number provided uses an incorrect country code (+4 instead of +7, the code for Russia) and is not a Microsoft support number. The message also states that the installed version of Windows is not valid and that, to unlock the system, the user must send a (paid SMS) message to the listed phone number to receive an unlocking code. Note that the unlocking code is always 13616 and is hard-coded within the trojan.

Additional Information

More information about the Russian version of Windows and support is available at the following link: http://www.microsoft.com/ru/ru/default.aspx
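The write-up above gives exactly the indicators a responder needs: the dropped file %windir%\mfo.exe, the HKLM Run value named "mfo.exe", the list of processes the trojan kills, and the fixed unlock code 13616. The script below is an added triage and clean-up example written for this page; it is not part of Microsoft's analysis and not code from the trojan. It assumes the trojan is present only as that file and that Run value (a dropper may have left other artifacts, which it does not look for), that it is run as Administrator after the lock screen has been dismissed with the hard-coded code or from Safe Mode, and it uses an assumed quarantine directory under %ProgramData%\IR.

```powershell
# Added example: triage and clean-up for the Trojan:Win32/Ransom.Q indicators
# listed in the write-up. Not Microsoft's code. Run as Administrator, from
# Safe Mode or after entering the hard-coded unlock code (13616) so that the
# shell is usable. Assumes the only artifacts are %windir%\mfo.exe and the
# HKLM Run value "mfo.exe"; anything the dropper left behind is out of scope.

$RunKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName  = 'mfo.exe'
$FilePath   = Join-Path $env:windir 'mfo.exe'
$Quarantine = Join-Path $env:ProgramData 'IR\quarantine'   # assumed location, not from the write-up

Write-Host '== Trojan:Win32/Ransom.Q triage =='

# 1. Persistence: the trojan adds a Run value named "mfo.exe" with data "%windir%\mfo.exe".
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$ValueName]) {
    $data = $run.$ValueName
    Write-Host "[!] Run value '$ValueName' present, data: $data"
    if ($data -like '*mfo.exe') {
        Remove-ItemProperty -Path $RunKey -Name $ValueName
        Write-Host "[+] Removed Run value '$ValueName'"
    } else {
        Write-Host "[?] Data does not point at mfo.exe; left in place for manual review"
    }
} else {
    Write-Host "[ ] No Run value named '$ValueName'"
}

# 2. Running instance: stop it before touching the file on disk.
Get-Process -Name 'mfo' -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "[!] mfo.exe running as PID $($_.Id); stopping it"
    Stop-Process -Id $_.Id -Force
}

# 3. Dropped binary: record a hash for the incident log, then move it out of %windir%
#    instead of deleting it, so the sample survives for analysis.
if (Test-Path -LiteralPath $FilePath) {
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    Write-Host "[!] Found $FilePath (SHA256 $hash)"
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    Move-Item -LiteralPath $FilePath -Destination (Join-Path $Quarantine "mfo.exe.$hash") -Force
    Write-Host "[+] Quarantined to $Quarantine"
} else {
    Write-Host "[ ] $FilePath not present"
}

# 4. The trojan kills explorer.exe; restore the shell if it is gone in this session.
if (-not (Get-Process -Name 'explorer' -ErrorAction SilentlyContinue)) {
    Write-Host '[+] Restarting explorer.exe'
    Start-Process 'explorer.exe'
}

Write-Host 'Done. Check other autostart locations for the malware that installed mfo.exe.'
```

The Run value data is stored unexpanded ("%windir%\mfo.exe"), so the script matches on the trailing file name rather than comparing the expanded path. Quarantining instead of deleting keeps the sample for hashing and submission; the final note matters because the write-up says Ransom.Q is typically installed by other malware, and removing only mfo.exe leaves that installer in place.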
Analysis by Dan Nicolescu
Last update 16 November 2012