Home / malware Trojan:HTML/Ransom.A
First posted on 04 May 2012.
Source: MicrosoftAliases :
There are no other names known for Trojan:HTML/Ransom.A.
Explanation :
Trojan:HTML/Ransom.A is an HTML component used by Trojan:Win32/Reveton.A. Trojan:Win32/Reveton.A locks your computer and displays a webpage that covers the entire desktop. The webpage falsely claims that you possess illicit material and then demands payment.
Reveton.A connects to a remote host in order to download the HTML webpage that it displays on your desktop. THis page is detected as Trojan:HTML/Ransom.A. In the wild, we've observed Reveton connecting to the following hosts to download this content:
- criminal.dutrasherard.biz
- police11.provenprotection.net
- credit.shadowpirate.com
The displayed webpage contains a warning with frightening allegations that the computer has accessed "pornographic content, elements of violence and child pornography." The message also states that your computer has been "locked" and that you are "obliged to pay a fine to unlock". You can see an example of this webpage below:
The aim of this attack is to steal user accounts for the electronic payment services Ukash and Paysafecard. Any acccount information entered is captured and sent to a remote server at IP €œ91.195.254.86€Â. Our research indicates that this server may be located in Russia.
Analysis by Patrick Estavillo
Last update 04 May 2012