
Ransom:Win32/Genasom.FS


First posted on 24 May 2014.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/Genasom.FS.

Explanation :

Threat behavior

Trojan:Win32/Ransom.FS is a ransomware that targets people in Switzerland. It displays a window that covers the entire desktop of the infected computer and demands payment for the supposed possession of illicit material.

Installation

Trojan:Win32/Ransom.FS modifies the system registry so that it starts automatically every time Windows starts, even when Windows is restarted in Safe Mode:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Modifies value: "Shell"
From data: "explorer.exe"
To data: ""

Payload

Prevents the user from accessing the desktop

Trojan:Win32/Ransom.FS displays a full-screen image that covers all other windows, rendering the computer effectively unusable. The image is a fake warning pretending to be from a legitimate institution such as the Swiss Federal Department of Justice and Police. It demands the payment of a supposed fine. However, even if the user pays, the computer is still left unusable.

The image may appear as the following:



The text roughly translates to:

Attention! Illegal activity was detected. The operating system was locked for infringement against the laws of Switzerland. Your IP address is . From this IP address, sites containing pornography, child pornography, bestiality and violence against children were browsed. Your computer also has video files with pornographic content, elements of violence and child pornography. Emails with terrorist background were also spammed. This serves to lock the computer to stop your illegal activities.

Trojan:Win32/Ransom.FS queries a legitimate IP address geolocation service to determine the country and the ISP from which the infected computer is connecting to the Internet.

Connects to remote servers

Trojan:Win32/Ransom.FS has been observed to connect to the following IP address; as of this writing, the server is unavailable:

  • 89.248..131


Terminates/suspends processes

Trojan:Win32/Ransom.FS attempts to perform the following actions every 100 milliseconds:

  • terminate taskmgr.exe
  • suspend explorer.exe




Analysis by Horea Coroiu

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modification:
    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    Modified value: "Shell"
    From data: "explorer.exe"
    To another value (which is the malware path and file name)
  • You see the following image covering your entire desktop screen:



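The Winlogon "Shell" change described under Installation and again under Symptoms is the easiest artifact to check for. The following PowerShell is an added example, not part of the original advisory: it reads the value from the key named above, compares it with the default "explorer.exe", and, if it differs, isolates the executable the value points to and hashes it for triage. The function name Test-WinlogonShell and the output fields are my own choices.

```powershell
# Added example (not from the original advisory). Run from an elevated prompt.
# The Winlogon key is not WOW64-redirected, so one path covers 32- and 64-bit systems.
$WinlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedShell = 'explorer.exe'   # Windows default; the advisory says the malware replaces it

function Test-WinlogonShell {
    param([string]$Path = $WinlogonKey)

    $shell = (Get-ItemProperty -Path $Path -Name Shell -ErrorAction SilentlyContinue).Shell
    $result = [ordered]@{ Status = ''; Shell = $shell; Target = $null; TargetExists = $null; SHA256 = $null }

    if ($null -eq $shell) {
        # Value absent: Windows falls back to explorer.exe, but note it for the record.
        $result.Status = 'Missing'
        return [pscustomobject]$result
    }
    if ($shell.Trim() -ieq $ExpectedShell) {
        $result.Status = 'OK'
        return [pscustomobject]$result
    }

    # Anything else is suspicious. The value may be a quoted path with arguments,
    # or an unquoted path; pull out just the executable for inspection.
    if ($shell -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else                                { $exe = ($shell.Trim() -split '\s+')[0] }

    $result.Status       = 'SUSPICIOUS'
    $result.Target       = $exe
    $result.TargetExists = Test-Path -LiteralPath $exe -PathType Leaf
    if ($result.TargetExists) {
        # Hash the referenced file so it can be compared against AV detections or submitted for analysis.
        $result.SHA256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    }
    return [pscustomobject]$result
}

Test-WinlogonShell | Format-List
```

Restoring the value to "explorer.exe" (after the referenced file has been removed) undoes the persistence; since the malware also re-suspends explorer.exe every 100 ms while running, do the check from Safe Mode with Command Prompt or from an offline boot environment.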
Last update 24 May 2014
