
Ransom:Win32/Genasom.CF


First posted on 24 May 2014.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/Genasom.CF.

Explanation :

Threat behavior

Trojan:Win32/Ransom.CF is a trojan that prevents the user from accessing the desktop. It then forces the user to send an SMS to a premium-rate number to regain access.

Installation

Trojan:Win32/Ransom.CF creates the following registry entries so that it automatically runs every time Windows starts:

  • In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "Shell"
    With data: ""
  • In subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
    Sets value: "AlternateShell"
    With data: ""

Payload

Disables Task Manager

Trojan:Win32/Ransom.CF disables Task Manager by modifying the registry entry below:

  • In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Sets value: "DisableTaskMgr"
    With data: "1"

Prevents the user from accessing the desktop

Trojan:Win32/Ransom.CF displays a full-screen message stating that the user must send an SMS to a premium-rate number to regain access to the computer. Until the user does so, the user cannot access the computer's programs.
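The Installation and Payload sections above list three registry indicators: the Winlogon "Shell" value, the SafeBoot "AlternateShell" value, and the "DisableTaskMgr" policy. The following PowerShell script is an added example, not code from the original page or from Microsoft, that reads those three values on a host and flags deviations from the normal state. The expected clean values ("explorer.exe" for Shell, "cmd.exe" for AlternateShell, and DisableTaskMgr absent or 0) are assumptions based on a standard Windows installation, since the page leaves the malware's own data blank.

```powershell
# Added example: check the registry indicators listed for Trojan:Win32/Ransom.CF.
# Expected defaults are assumptions from a stock Windows install, not from the page.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell';          Expected = 'explorer.exe' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
       Name = 'AlternateShell'; Expected = 'cmd.exe' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'; Expected = 0 }
)

function Test-RansomCfIndicators {
    $findings = foreach ($c in $checks) {
        # Read the value; SilentlyContinue so a missing key/value yields $null.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }

        # A missing DisableTaskMgr value is the normal state, so only a non-zero
        # value is suspicious. A missing or altered Shell/AlternateShell is.
        $suspicious = switch ($c.Name) {
            'DisableTaskMgr' { ($null -ne $actual) -and ([int]$actual -ne 0) }
            default          { ($null -eq $actual) -or ($actual -ne $c.Expected) }
        }

        [pscustomobject]@{
            Key        = "$($c.Path)\$($c.Name)"
            Actual     = $actual
            Expected   = $c.Expected
            Suspicious = $suspicious
        }
    }
    return $findings
}

$results = Test-RansomCfIndicators
$results | Format-Table -AutoSize
if ($results.Suspicious -contains $true) {
    Write-Warning 'One or more Ransom.CF-style registry indicators are present; review before remediating.'
}
```

Run it from an elevated PowerShell session, since the keys live under HKLM. A non-default Shell is not proof of infection on its own: kiosk and custom-shell deployments legitimately change it, so treat a hit as a lead to be confirmed against the file the Shell value points to rather than as a verdict.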

Analysis by Elda Dimakiling

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • A full-screen image appears on your desktop that prevents you from accessing your computer's programs
  • You cannot access Task Manager

Last update 24 May 2014
