
Trojan:Win32/Tobfy


First posted on 30 November 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Tobfy is also known as Trojan/Win32.Jorik (AhnLab), Trojan/Win32/PornoAsset (AhnLab), Trojan:Win32/Yakes (AhnLab), Trojan.Win32.Jorik.Zbot (Kaspersky), Trojan.Win32.Yakes (Kaspersky), Trojan-Ransom.Win32.PornoAsset (Kaspersky), W32/Kryptik (Norman), W32/Ransom (Norman), TR/Tobfy.H.15 (Avira), TR/Yakes.blvl (Avira), Trojan.Winlock (Dr.Web), Win32/LockScreen.ANX (ESET), Win32.LockScreen.AKU (ESET), Trojan.Win32.Tobfy (Ikarus), Trojan.Win32.Yakes (Ikarus), among others.

Explanation:



Trojan:Win32/Tobfy is a family of ransomware trojans that targets users from certain countries. It locks your computer and displays a localized webpage that covers your desktop. This webpage demands the payment of a fine for the supposed possession of illicit material.

Some variants of Trojan:Win32/Tobfy may make lasting changes to your computer that make it difficult for you to download, install, run, or update your virus protection. For specific recovery information, please see the relevant variant's entry in the encyclopedia and the Additional recovery instructions in this entry.



Installation

Trojan:Win32/Tobfy may arrive on your computer via a drive-by download. The folders it downloads to may vary between installations of the ransomware.

You may also inadvertently download it - thinking you were downloading something else - as it has been known to pose as the installer for certain popular applications, such as uTorrent ("uTorrent.exe"), Skype ("Skype.exe"), ICQ ("ICQ.exe"), and Opera Browser ("Opera.exe").

Depending on the variant and the version of your operating system, it may modify any of the following registry entries to ensure its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "svñhîst"
With data: "<malware file name>", for example "uTorrent.exe" or "Skype.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "svñhîst"
With data: "<malware file name>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "GoogleChrome"
With data: "<malware file name>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Updater"
With data: "<malware file name>"

Some variants do not use a specific name for the "value", for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: "<malware file name>"



Payload

Prevents you from accessing your desktop

Variants of the Trojan:Win32/Tobfy family display a full-screen webpage that they download from a remote host (this page is also known as a "lock screen"). The page covers all other windows, rendering the computer unusable. It is a fake warning pretending to be from a legitimate institution which demands the payment of a fine.

Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.

These displayed webpages may be detected as a variant of the Trojan:HTML/Ransom family, such as Trojan:HTML/Ransom.D.

Some examples of localized webpages that variants of Trojan:Win32/Tobfy may display are described here (the screenshots themselves are not reproduced):

Images pretending to be from the Federal Bureau of Investigation (FBI).

An image pretending to be from the International Police Organization (Interpol).

Some variants will also display message boxes.

Connects to remote servers

In the wild, we have observed Trojan:Win32/Tobfy downloading the webpages from the following URLs via HTTP port 80:

We have also observed the pages being downloaded from the following URLs:

  • <MachineID>.<removed>.su/get.php?id=14
  • <MachineID>.<removed>.ru/get.php?id=22


where <MachineID> is a unique number based on your hard drive's serial number.

Some of these URLs will only return webpages if your computer is located in a certain geographical location; others will return webpages regardless of your location.

Takes webcam snapshots

Trojan:Win32/Tobfy uses your computer's webcam, if you have one installed, to show you your own video. This is likely an attempt to make the threat of prosecution seem legitimate, which may encourage you into paying the "fine".

Some variants, such as Trojan:Win32/Tobfy.F, do not prevent access to your computer by presenting a lock screen. Instead, the variant checks whether you have a webcam, attempts to capture still images from the camera, and saves them to the file "%TEMP%\snapz.dib".

The variant sends this file to a website (for example, "diamondnet.info") via HTTP POST. (HTTP POST is a type of basic Internet communication between your computer and a website.)

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location of this folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".

Terminates processes

Trojan:Win32/Tobfy terminates the following Windows system-related processes if they are currently running on your computer:

  • cmd.exe - command prompt
  • msconfig.exe - system configuration utility
  • regedit.exe - registry editor
  • taskmgr.exe - task manager


Trojan:Win32/Tobfy also closes windows that have the title "Program manager" (for example, "progman.exe").

Disables drivers and services

Trojan:Win32/Tobfy disables devices, services, and drivers when the computer starts in safe mode and safe mode with networking. It does this in two ways:

  1. It renames the following registry keys:
    • "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" is renamed to "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini"
    • "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network" is renamed to "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net"
  2. It deletes the registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot="


It may do this to prevent you from booting into safe mode and attempting to disable the ransomware.
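As an added triage example (not part of the Microsoft entry), the following PowerShell script checks a host, read-only, for the artifacts described in the Installation, Takes webcam snapshots and Disables drivers and services sections: the Run-key value names and installer lookalike file names, the renamed SafeBoot keys, and "%TEMP%\snapz.dib". The value names, key paths and file names come from the entry; the "outside Program Files" heuristic and the report format are this example's own assumptions.

```powershell
# Added triage script (not from the Microsoft entry): read-only checks for the
# Trojan:Win32/Tobfy artifacts described above. Run from an elevated prompt so
# HKLM and SafeBoot keys are readable. Value names, paths and lure file names
# are taken from the entry; the detection heuristics are this example's own.
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Run-key persistence: the value names the entry lists, plus data that
#    launches one of the installer lookalikes from outside Program Files.
$runKeys      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$badNames     = 'svñhîst', 'GoogleChrome', 'Microsoft Updater'
$lureBinaries = 'uTorrent.exe', 'Skype.exe', 'ICQ.exe', 'Opera.exe'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath etc.
        $data = [string]$p.Value
        if ($badNames -contains $p.Name) {
            $findings.Add("Run value '$($p.Name)' in $key -> $data")
        }
        foreach ($lure in $lureBinaries) {
            if ($data -like "*\$lure*" -and $data -notlike '*\Program Files*') {
                $findings.Add("Run value '$($p.Name)' launches lookalike $lure -> $data")
            }
        }
    }
}

# 2. Safe-mode sabotage: Minimal/Network renamed to mini/net, or SafeBoot gone.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
if (-not (Test-Path $safeBoot)) {
    $findings.Add('SafeBoot key is missing; safe mode will not work')
} else {
    foreach ($pair in @(@('Minimal', 'mini'), @('Network', 'net'))) {
        $orig, $renamed = $pair
        if (-not (Test-Path "$safeBoot\$orig") -and (Test-Path "$safeBoot\$renamed")) {
            $findings.Add("SafeBoot\$orig is absent but SafeBoot\$renamed exists")
        }
    }
}

# 3. Webcam capture artifact written by Trojan:Win32/Tobfy.F.
$snap = Join-Path $env:TEMP 'snapz.dib'
if (Test-Path $snap) { $findings.Add("Webcam capture file present: $snap") }

if ($findings.Count -eq 0) { 'No Trojan:Win32/Tobfy indicators found.' } else { $findings }
```

A hit on the SafeBoot check is the strongest signal, since legitimate software has no reason to rename those keys; Run-key hits should be confirmed against the file's actual location and signature before acting on them.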

Additional information

Payment methods

We have observed Trojan:Win32/Tobfy using a variety of legitimate payment and financial transfer services, including the following:

  • Green Dot MoneyPak
  • Paysafecard
  • Ukash
  • Ultimate Game Card


Note: These providers are not affiliated with Trojan:Win32/Tobfy.

If you believe you are a victim of fraud involving one of these services, you should contact them along with your local authorities.

Please also see the following Microsoft advisory for additional advice:

  • What to do if you are a victim of fraud


Technical information

Variants of Trojan:Win32/Tobfy will not continue to run when a window matching any of the following Windows class name, window name pairs is present:

  • gdkWindowToplevel, 0 (possibly geany.exe, which is a tool used to find invisible dialog boxes)
  • PROCMON_WINDOW_CLASS, 0 (Procmon.exe, which is a process monitor from Sysinternals)


Variants of the family will also exit if the malware's process is running under a debugger.

Related encyclopedia entries

Trojan:HTML/Ransom.D

Trojan:Win32/Tobfy.F



Analysis by Rodel Finones

Last update 30 November 2012
