
Trojan:HTML/Ransom.D


First posted on 07 December 2012.
Source: Microsoft

Aliases :

There are no other names known for Trojan:HTML/Ransom.D.

Explanation :

Trojan:HTML/Ransom.D is an HTML page used by the Trojan:Win32/Tobfy family of ransomware trojans.

For more information on ransomware, please see our FAQs on ransomware at http://www.microsoft.com/security/portal/Shared/Ransomware.aspx.

Trojan:HTML/Ransom.D covers your desktop and prevents you from accessing your computer. The page (also known as a "lock screen") demands the payment of a fine for the supposed possession of illicit material.

Some variants of Trojan:Win32/Tobfy may make lasting changes to your computer that make it difficult for you to download, install, run, or update your virus protection. For specific recovery information, please see the family's entry in the encyclopedia (Trojan:Win32/Tobfy) and the Additional recovery instructions in this entry.



Installation

Trojan:HTML/Ransom.D is installed by variants of the Trojan:Win32/Tobfy family. The variant connects to a remote host in order to download the HTML page that it displays on your desktop. This page is detected as Trojan:HTML/Ransom.D.

In the wild, we've observed variants of Trojan:Win32/Tobfy connecting to the following hosts to download this page:

  • <MachineID>.<removed>.su/get.php?id=14, where <MachineID> is a unique number based on your hard drive's serial number
  • hxxp://<removed>.la2host.ru/Silence/read.php?nm=32432
  • hxxp://<removed>.60.151.10/picture.php
  • hxxp://<removed>.hopto.org/adm/lic.php
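As an added defender-side example (not part of the Microsoft entry), the following Python scans proxy log lines for the request patterns listed above. Because the hosts are redacted in the entry, it matches on path and query only and treats a numeric leading label on a .su host as the `<MachineID>` signal; the log line format and all hostnames are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Request paths Tobfy variants were observed using to fetch the lock-screen page
# (hosts are redacted in the entry). Value: query parameters that must also match.
LOCKSCREEN_REQUESTS = {
    "/get.php": {"id": "14"},
    "/Silence/read.php": {"nm": "32432"},
    "/picture.php": {},
    "/adm/lic.php": {},
}

# First observed host has the form <MachineID>.<domain>.su with a numeric MachineID.
NUMERIC_SU_HOST = re.compile(r"^\d+\.[a-z0-9-]+\.su$")

def classify_url(url: str) -> Optional[str]:
    """Return a short reason when url matches an observed Tobfy download pattern."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    required = LOCKSCREEN_REQUESTS.get(parts.path)
    if required is None:
        return None
    if any(query.get(k) != v for k, v in required.items()):
        return None
    if parts.path == "/get.php" and NUMERIC_SU_HOST.match(host):
        return "machine-id host + get.php?id=14"
    return f"known Tobfy path {parts.path}"

def scan_proxy_log(lines):
    """Return (client_ip, url, reason) for each matching line.
    Assumed (constructed) line format: '<timestamp> <client_ip> <method> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        reason = classify_url(fields[3])
        if reason:
            hits.append((fields[1], fields[3], reason))
    return hits

# Constructed sample log lines; hosts are placeholders, not real indicators.
SAMPLE_LOG = [
    "2012-12-07T09:12:01Z 10.0.0.21 GET http://1234567890.example-redacted.su/get.php?id=14",
    "2012-12-07T09:12:05Z 10.0.0.21 GET http://cdn.example.net/get.php?id=7",
    "2012-12-07T09:13:44Z 10.0.0.34 GET http://host.example-redacted.ru/Silence/read.php?nm=32432",
    "2012-12-07T09:14:10Z 10.0.0.40 GET http://intranet.example.org/adm/lic.php",
    "2012-12-07T09:15:00Z 10.0.0.40 GET http://intranet.example.org/index.html",
]

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {reason}: {url}")
```

The bare `/picture.php` and `/adm/lic.php` paths are weak on their own, so a hit on those should be corroborated with the full-screen lock-screen behaviour described under Payload before acting on it.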


Payload

Prevents you from accessing your desktop

Variants of the Trojan:Win32/Tobfy family display this page so that it covers all other windows, rendering your computer unusable. The page contains a fake warning, pretending to be from a legitimate institution, that demands the payment of a fine.

Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.

Some examples of Trojan:HTML/Ransom.D are reproduced here.

An image pretending to be from the Federal Bureau of Investigation (FBI):

An image pretending to be from the International Police Organization (Interpol):



Additional information

Payment methods

We have observed Trojan:Win32/Tobfy using a variety of legitimate payment and financial transfer services, including the following:

  • Green Dot MoneyPak
  • Paysafecard
  • Ukash
  • Ultimate Game Card


Note: These providers are not affiliated with Trojan:Win32/Tobfy.

If you believe you are a victim of fraud involving one of these services, you should contact them along with your local authorities.

Please also see the following Microsoft advisory for additional advice:

  • What to do if you are a victim of fraud

Related encyclopedia entries

Trojan:Win32/Tobfy



Analysis by Rodel Finones

Last update 07 December 2012
