Trojan:Win32/Tobfy.S
First posted on 12 April 2013.
Source: Microsoft
Aliases:
Trojan:Win32/Tobfy.S is also known as Trojan-Ransom.Win32.Blocker.axwg (Kaspersky), TR/Ransom.Blocker.axwg (Avira), Trojan-Ransom.Win32.Blocker (Ikarus), Ransom-FASE!2ABB7296B05E (McAfee), TROJ_RANSOM.EJN (Trend Micro).
Explanation:
Installation
It may have the following file names:
- displayswitch.exe
- migautoplay.exe
It injects itself into a legitimate "<system folder>\svchost.exe" process, so its code runs under the name of a trusted Windows service host.
It automatically runs every time Windows starts.
Payload
Prevents your computer from starting in Safe Boot correctly
If you're running Windows XP, this trojan stops Safe Mode from loading its devices, services, and drivers. Windows reads the list of what to load in Safe Mode from the SafeBoot\Minimal key and, for Safe Mode with Networking, from the SafeBoot\Network key; the trojan renames both keys, so Windows no longer finds the list and Safe Mode does not start correctly:
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal is renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network is renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net
Prevents certain programs from running
This trojan prevents certain programs from running. It terminates processes with the following image names; several of them are the tools you would reach for to investigate or remove it (the command prompt, Task Manager, Registry Editor, System Configuration, System Restore, and the OllyDbg debugger), and the rest are the major web browsers:
- a2cmd.exe
- chrome.exe
- cmd.exe
- firefox.exe
- iexplore.exe
- msconfig.exe
- ollydbg.exe
- opera.exe
- regedit.exe
- rstrui.exe
- safari.exe
- start.exe
- systemexplorer.exe
- taskmgr.exe
It also closes windows that have the title "Program Manager". The Windows Explorer desktop window carries this title, so closing it hides the desktop and its icons.
Blocks computer access
It prevents you from accessing your computer by displaying a full-screen lock image (the screenshot from the original write-up is not reproduced here).
It downloads the image from one of the following servers (addresses as observed at the time of analysis):
- 194.28.173.218
- 188.190.126.117
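The indicators above (the two SafeBoot key names, the two file names, and the two image servers) can be checked and, for the registry damage, repaired from an elevated PowerShell session. The script below is an added example written for this page; it is not Microsoft's code or part of the original analysis. The function names (Test-TobfySafeBootKeys, Repair-TobfySafeBootKeys, Get-TobfyProcesses, Get-TobfyConnections) are this example's own. It assumes you can run PowerShell on the live, affected system as an administrator (powershell.exe is not among the image names the trojan terminates, but that is no guarantee on a particular sample) and that the registry under HKLM:\SYSTEM\CurrentControlSet is the running system's, not an offline hive. Use netstat rather than Get-NetTCPConnection so it also works on Windows XP with PowerShell 2.0.

```powershell
# Added triage/repair example for Trojan:Win32/Tobfy.S (not code from the original write-up).
# Assumes an elevated PowerShell session on the live system. Key names, file names and
# addresses are taken from the analysis above; the function names are this example's own.

$SafeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

# Name the trojan gives each key -> name Windows expects
$RenamedKeys = @{
    'mini' = 'Minimal'   # Safe Mode
    'net'  = 'Network'   # Safe Mode with Networking
}

# Image names the trojan may use
$DropperNames = @('displayswitch.exe', 'migautoplay.exe')

# Servers the lock image is downloaded from (as observed at analysis time)
$ImageServers = @('194.28.173.218', '188.190.126.117')

function Test-TobfySafeBootKeys {
    # Returns one object per key that exists under the trojan's name while the
    # expected name is missing. A healthy system returns nothing.
    $findings = @()
    foreach ($bad in $RenamedKeys.Keys) {
        $badPath  = Join-Path $SafeBoot $bad
        $goodPath = Join-Path $SafeBoot $RenamedKeys[$bad]
        if ((Test-Path $badPath) -and -not (Test-Path $goodPath)) {
            $findings += [pscustomobject]@{ Found = $badPath; Expected = $goodPath }
        }
    }
    return $findings
}

function Repair-TobfySafeBootKeys {
    # Renames each damaged key back; run with -WhatIf first to preview.
    param([switch]$WhatIf)
    foreach ($f in Test-TobfySafeBootKeys) {
        # Rename-Item supports registry keys through the Registry provider.
        Rename-Item -Path $f.Found -NewName (Split-Path $f.Expected -Leaf) -WhatIf:$WhatIf
        Write-Host "Restored $($f.Found) -> $($f.Expected)"
    }
}

function Get-TobfyProcesses {
    # Running processes whose image name matches one of the trojan's file names.
    Get-Process | Where-Object { $DropperNames -contains ($_.ProcessName + '.exe') }
}

function Get-TobfyConnections {
    # TCP connections to the image servers, parsed from netstat -ano
    # (columns: Proto, Local Address, Foreign Address, State, PID).
    netstat -ano | ForEach-Object {
        $fields = @($_ -split '\s+' | Where-Object { $_ })
        if ($fields.Count -ge 4 -and $fields[0] -eq 'TCP') {
            $remoteIp = ($fields[2] -split ':')[0]
            if ($ImageServers -contains $remoteIp) { $_ }
        }
    }
}

# Usage (elevated):
Test-TobfySafeBootKeys | Format-Table -AutoSize
Repair-TobfySafeBootKeys -WhatIf        # preview, then rerun without -WhatIf
Get-TobfyProcesses | Stop-Process -Force -WhatIf
Get-TobfyConnections
```

The SafeBoot check is the strongest of the four signals: there is no legitimate reason for SafeBoot\Minimal to be absent while SafeBoot\mini is present. Stopping the dropper process is not a full clean-up, because the trojan also runs inside an injected svchost.exe and re-launches at startup; after repairing the keys, boot into Safe Mode and run a full scan with up-to-date antivirus. If the desktop is locked and you are remediating from a recovery environment instead, load the offline SYSTEM hive with reg.exe load and adjust $SafeBoot to point at the mounted hive, since the paths above refer to the running system.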
Analysis by Stefan Sellmer
Last update 12 April 2013