Ransom:Win32/Genasom.BG
First posted on 24 May 2014.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Genasom.BG.
Explanation:
Threat behavior
Trojan:Win32/Ransom.BG is a trojan that prevents the user from accessing the desktop. It then demands that the user send an SMS to a premium-rate number to regain access.
Installation
When executed, Trojan:Win32/Ransom.BG hides the taskbar window and the Task Manager window. It copies itself as the following file:
\xxx_video.exe
Note: \xxx_video.exe refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
It also creates the following registry entry so that it runs automatically every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "\xxx_video.exe"
With data: "Bigin"
Payload
Locks the computer
When executed, Trojan:Win32/Ransom.BG displays a full-screen application that tells the user to send an SMS to the number "89653041330" to receive a key to unlock the computer desktop. Without the key, the user cannot access the desktop.
Additional information
If you are infected by Trojan:Win32/Ransom.BG, you can enter the following unlock key to regain access to your desktop:
- 177885
Analysis by Marian Radu
Symptoms
System changes
The following system changes may indicate the presence of this malware:
- The presence of the following file:
  \xxx_video.exe
- The presence of the following registry modification:
  In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Sets value: "\xxx_video.exe"
  With data: "Bigin"
- You have been prevented from accessing your desktop by a message asking you to send an SMS to the number "89653041330".
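The two host indicators listed above (the dropped file and the Run-key value) can be checked from an elevated PowerShell session. The script below is an added example and is not part of the Microsoft entry; it assumes the dropped file is placed in the System folder, as the installation note describes, and it only reports what it finds without modifying anything.

```powershell
# Added example (not from the encyclopedia entry): read-only check for the
# Trojan:Win32/Ransom.BG indicators listed under "System changes".
# Assumption: the copied executable sits in the System folder (the note above
# says the location is resolved by querying the OS, with System32 as the default).

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$systemDir = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$findings  = @()

# Indicator 1: the copied executable in the System folder
$dropped = Join-Path $systemDir 'xxx_video.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# Indicator 2: a Run value named after the dropped file, or carrying the data "Bigin"
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }    # skip PowerShell's provider metadata properties
        if ($prop.Name -like '*xxx_video.exe' -or [string]$prop.Value -eq 'Bigin') {
            $findings += "Run value '$($prop.Name)' = '$($prop.Value)'"
        }
    }
}

if ($findings.Count -eq 0) {
    'No Trojan:Win32/Ransom.BG indicators found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { "  $_" }
}
```

Run it in an elevated session so the HKLM key and the System folder are readable. The check deliberately matches the Run value by name suffix rather than by its exact name, because the leading path component of the value is resolved at infection time; if either indicator is reported, removing the Run value and the file is a separate, manual step.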
Last update 24 May 2014