
Ransom:Win32/Genasom.Q


First posted on 24 May 2014.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/Genasom.Q.

Explanation :

Threat behavior

Trojan:Win32/Ransom.Q is a trojan that terminates specific applications on an affected computer and then locks the machine. It demands that the affected user send a text message to a premium-rate number in order to receive a response code that is supposed to make the computer usable again.

Installation

Trojan:Win32/Ransom.Q may be installed by other malware and may be present as the file "mfo.exe" in the Windows folder, with an icon resembling a Microsoft PowerPoint data file.

When run, it modifies the registry so that the trojan runs at each Windows start:

Adds value: "mfo.exe"
With data: "%windir%\mfo.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Payload

Terminates processes
When run, it attempts to end the following processes, some of which may be present on the affected computer:

  • anvir.exe - security-related program
  • chrome.exe - Web browser application
  • explorer.exe - Windows shell
  • iexplorer.exe (note that the Internet Explorer executable is named "iexplore.exe", so this entry does not match it)
  • icq.exe - Internet chat client
  • msnmsgr.exe - Internet chat client
  • mirc.exe - Internet chat client
  • msconfig.exe - Windows utility
  • opera.exe - Web browser application
  • regedit.exe - Windows utility
  • regedt32.exe - Windows utility
  • texpl.exe - RusTex Cyrillic text processing component

When the Windows shell (explorer.exe) is terminated, the desktop, taskbar and Start menu disappear and many common user operations become unavailable; together with the termination of msconfig.exe, regedit.exe and regedt32.exe, this is what makes the machine appear locked and hinders manual cleanup.

Locks Machine/Demands Ransom
When the affected machine is restarted, it displays a message demanding that the user send a text to a premium-rate number. The message claims to be from Microsoft Corporation; however, the number provided uses an incorrect country code (+4 instead of +7, the country code for Russia) and is not a Microsoft support number. The message also states that the installed version of Windows is not valid and that, to unlock the system, the user must send a (paid SMS) message to the listed phone number to receive an unlocking code. Note that the unlocking code is always 13616 and is hard-coded within the trojan, so the lock screen can be dismissed without paying. The file and the Run entry described above should still be removed.

Additional Information

More information about the Russian version of Windows and support is available at the following link: http://www.microsoft.com/ru/ru/default.aspx

Analysis by Dan Nicolescu

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the file "%windir%\mfo.exe"
  • The display of a graphic referring to Microsoft Corp with an invalid phone number of "+4 495-338-85-85" (the example image is not reproduced here)
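The two indicators above can be checked, and if present removed, with the following PowerShell triage function. It is an added example, not code from Microsoft's write-up; the function name, the -Remediate switch and the extra Wow6432Node Run key (checked because a 32-bit binary on 64-bit Windows may register there) are this example's own assumptions.

```powershell
# Added triage example for Ransom:Win32/Genasom.Q (not code from the original
# write-up). Checks the published indicators (the "mfo.exe" Run value and the
# %windir%\mfo.exe file) and removes them when -Remediate is given.
# Assumptions: the function name, the -Remediate switch and the extra
# Wow6432Node Run key are this example's own. Run from an elevated prompt,
# in Safe Mode if the lock screen is active (the trojan kills explorer.exe).
function Test-GenasomQ {
    [CmdletBinding()]
    param([switch]$Remediate)

    $valueName = 'mfo.exe'
    $dropped   = Join-Path $env:windir 'mfo.exe'
    # The write-up names only the native key; the Wow6432Node key is an
    # assumption added for 64-bit hosts, so both are inspected.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $findings = @()

    foreach ($key in $runKeys) {
        $entry = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $entry) { continue }
        # Expand %windir% so the stored value can be compared with the expected path.
        $data = [Environment]::ExpandEnvironmentVariables($entry.$valueName).Trim('"')
        $findings += "Run value '$valueName' under $key -> $data"
        if ($Remediate) { Remove-ItemProperty -Path $key -Name $valueName -Force }
    }

    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        # Record the hash so the sample can be matched against AV/threat-intel later.
        $sha256 = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
        $findings += "File present: $dropped (SHA256 $sha256)"
        if ($Remediate) {
            # A running image cannot be deleted, so stop it first.
            Get-Process -Name 'mfo' -ErrorAction SilentlyContinue | Stop-Process -Force
            Remove-Item -LiteralPath $dropped -Force
        }
    }

    if ($findings.Count -eq 0) { 'No Genasom.Q indicators found.' } else { $findings }
}

Test-GenasomQ               # report only
# Test-GenasomQ -Remediate  # remove the Run value(s) and the dropped file
```

Because the trojan terminates explorer.exe, regedit.exe and msconfig.exe, the practical way to run this on a locked machine is from Safe Mode with Command Prompt or from another administrative account; the reported SHA256 should be submitted to the antivirus vendor rather than relied on as a detection on its own, since the write-up publishes no hash.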

Last update 24 May 2014
