Trojan:Win32/Ransom.DF
First posted on 15 November 2011.
Source: SecurityHome
Aliases:
Trojan:Win32/Ransom.DF is also known as TR/Ransom.Ag.qd.1 (Avira), Trojan.Winlock.3314 (Dr.Web), TROJ_ZKRYPT.SMIH (Trend Micro).
Explanation:
Trojan:Win32/Ransom.DF is a trojan that prevents use of the affected computer, displays an alert message intended to alarm the user, and may also display adult content. The trojan overwrites important Windows system files (including explorer.exe, taskmgr.exe and userinit.exe, and their dllcache copies) with copies of itself. Because the originals are destroyed rather than merely disabled, recovery requires restoring the overwritten files from a Windows installation disc or from a known-good backup.
Installation
When run, the malware drops copies of the trojan as the following files, overwriting critical Windows system files:
- %windir%\explorer.exe
- %windir%\System32\taskmgr.exe
- %windir%\System32\userinit.exe
- %windir%\System32\dllcache\taskmgr.exe
- %windir%\System32\dllcache\userinit.exe
The trojan is also written as the following files:
- %windir%\System32\03014d3f.exe
- %APPDATA%\22cc6c32.exe
The registry is modified to run the trojan copy at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
To data: "%APPDATA%\22cc6c32.exe"
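The indicators above (the Winlogon "Shell" value, the two dropped files, and the system files overwritten with identical copies of the trojan) can be triaged from an elevated PowerShell prompt. The script below is an added example written for this page, not code from the original write-up or from the analysis team; it assumes PowerShell 4 or later (for Get-FileHash) and a live, bootable system. File names and paths are taken from the list above.

```powershell
# Added example, not code from the original write-up: triage the indicators
# listed on this page from an elevated PowerShell prompt on a live system.
# Assumes PowerShell 4 or later (Get-FileHash). On old Windows releases,
# catalog-signed system files may report a status other than 'Valid';
# treat a signature warning as a lead to verify, not as proof.

$expectedShell = 'explorer.exe'
$winlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. Winlogon\Shell must be the stock explorer.exe; this trojan points it
#    at %APPDATA%\22cc6c32.exe so that it loads instead of the desktop.
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -eq $shell) { $shell = $expectedShell }   # absent value means the default
if ($shell -ne $expectedShell) {
    Write-Warning "Winlogon\Shell is '$shell' (expected '$expectedShell')"
}

# 2. Files the trojan drops under fixed names.
$droppedFiles = @(
    "$env:windir\System32\03014d3f.exe",
    "$env:APPDATA\22cc6c32.exe"
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { Write-Warning "Dropped file present: $f" }
}

# 3. System files the trojan overwrites with copies of itself. Two checks:
#    a) Authenticode status, b) a "twin" check: the trojan writes the SAME
#    binary over explorer.exe, taskmgr.exe and userinit.exe, so one hash
#    shared by files with different names is an indicator. A dllcache copy
#    legitimately matches its System32 twin, so grouping is by file name.
$systemFiles = @(
    "$env:windir\explorer.exe",
    "$env:windir\System32\taskmgr.exe",
    "$env:windir\System32\userinit.exe",
    "$env:windir\System32\dllcache\taskmgr.exe",
    "$env:windir\System32\dllcache\userinit.exe"
)
$seen = @{}   # SHA-256 hash -> hashtable of distinct lower-case file names
foreach ($f in $systemFiles) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $f
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "Unexpected signature on ${f}: $($sig.Status)"
    }
    $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    $name = (Split-Path -Leaf $f).ToLower()
    if (-not $seen.ContainsKey($hash)) { $seen[$hash] = @{} }
    $seen[$hash][$name] = $true
}
foreach ($entry in $seen.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        Write-Warning ("Identical binary under different names ({0}): {1}" -f `
            ($entry.Value.Keys -join ', '), $entry.Key)
    }
}
```

Because the trojan also overwrites the dllcache copies, System File Checker on a Windows XP era system would "repair" taskmgr.exe and userinit.exe from the trojan's own copy, which is why the write-up points to an installation disc or backup for recovery. On a machine already locked by the trojan these checks have to be run from a recovery environment against the offline volume; there, $env:windir no longer points at the infected installation and the offline SOFTWARE hive must be loaded separately, which the script above does not do.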
Payload
Disables Windows
The trojan blocks use of the computer. Because it has replaced explorer.exe, taskmgr.exe and userinit.exe with copies of itself and registered itself as the Winlogon shell, the trojan loads instead of the Windows desktop at every logon, the user cannot open Task Manager to end it, and the computer is effectively inoperable.
Displays an alert
The trojan displays an alert message designed to alarm the user.
Analysis by Tim Liu
Last update 15 November 2011