Trojan:Win32/Tobfy.N
First posted on 13 February 2013.
Source: Microsoft
Aliases:
Trojan:Win32/Tobfy.N is also known as Win32/Kryptik.ASFW (ESET), Mal/EncPk-AFX (Sophos), PWS-Zbot.gen.aua (McAfee), TROJ_SIGEKAF.SM (Trend Micro), Trojan.MulDrop4.21912 (Dr.Web), Trojan.Ransomlock!g36 (Symantec), Trojan.Win32.Tobfy (Ikarus), Trojan/Win32.Blocker (AhnLab), Trojan-Ransom.Win32.Blocker.aiml (Kaspersky).
Explanation:
Trojan:Win32/Tobfy.N may be installed on your computer by other malware, or it may arrive on your computer via a drive-by download from a compromised website.
Installation
When run, Trojan:Win32/Tobfy.N drops a copy of itself as "ifgxpers.exe" in the %APPDATA% folder.
Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".
Trojan:Win32/Tobfy.N modifies the following registry entry to ensure its copy runs at each Windows start:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Adobe ARM"
With data: "%APPDATA%\ifgxpers.exe"
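A defender's check for the persistence described above, added here as an example and not part of Microsoft's write-up. It assumes the value name, data and dropped file name are exactly as listed on this page and that PowerShell 4.0 or later is available (for Get-FileHash); run it from an elevated prompt.

```powershell
# Added example: look for Trojan:Win32/Tobfy.N persistence on a Windows host.
# Assumptions (not from the write-up): user profile roots are taken from the
# ProfileList registry key; both the 2000/XP/2003 and Vista+ AppData layouts are checked.

$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valName  = 'Adobe ARM'        # value name reported on this page
$dropName = 'ifgxpers.exe'     # dropped file name reported on this page
$findings = @()

# 1. Inspect the Run value. The legitimate Adobe Reader updater also registers a
#    Run value named "Adobe ARM" (pointing under Program Files), so decide on the
#    data path, not on the value name alone.
$runValue = (Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue).$valName
if ($runValue) {
    $expanded = [Environment]::ExpandEnvironmentVariables($runValue)
    if ($expanded -match '\\AppData\\Roaming\\ifgxpers\.exe"?\s*$' -or
        $expanded -match '\\Application Data\\ifgxpers\.exe"?\s*$') {
        $findings += "Run value '$valName' points to '$expanded'"
    } else {
        Write-Verbose "Run value '$valName' present but data does not match: $expanded"
    }
}

# 2. Look for the dropped file in every local user profile. HKLM\...\Run is
#    machine-wide, so the infected profile need not be the one running this script.
$profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |
            Where-Object { $_.ProfileImagePath -like '*\Users\*' -or
                           $_.ProfileImagePath -like '*\Documents and Settings\*' } |
            ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.ProfileImagePath) }
foreach ($p in $profiles) {
    foreach ($rel in @('AppData\Roaming', 'Application Data')) {
        $candidate = Join-Path (Join-Path $p $rel) $dropName
        if (Test-Path -LiteralPath $candidate) {
            $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            $findings += "File present: $candidate (SHA256 $hash)"
        }
    }
}

if ($findings) {
    Write-Output 'Possible Trojan:Win32/Tobfy.N persistence found:'
    $findings | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No Tobfy.N persistence indicators found.'
}
```

Record the hash of any file found before removing it so the sample can be submitted to your AV vendor and matched against the aliases listed above.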
Payload
Prevents you from accessing your desktop
When run, Trojan:Win32/Tobfy.N displays a full-screen message that covers all other windows, rendering your computer unusable (this full-screen message is also known as a "lock screen"). The message is a fake warning pretending to be from a legitimate institution.
The message demands the payment of a fine for the supposed possession of illicit material.
Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.
The screen may appear similar to the following, which pretends to be a message from the Federal Bureau of Investigation (FBI):
Connects to remote servers
In the wild, we have observed Trojan:Win32/Tobfy.N downloading the lock screen messages from the following URLs:
- 95.163.107.212
- 62.76.44.199
Terminates processes
Trojan:Win32/Tobfy.N may terminate the following Windows system-related processes if they are currently running on your computer:
- cmd.exe - command prompt
- msconfig.exe - system configuration utility
- regedit.exe - registry editor
- taskmgr.exe - task manager
Additional information
We have observed Trojan:Win32/Tobfy.N using the legitimate payment and financial transfer service "Green Dot MoneyPak".
Note: This provider is not affiliated with Trojan:Win32/Tobfy.N.
If you believe you are a victim of fraud involving this service, you should contact them along with your local authorities.
Please also see the following Microsoft advisory for additional advice:
- What to do if you are a victim of fraud
Analysis by Wei Li
Last update 13 February 2013