Home / malware Trojan:Win32/Ransom.EZ
First posted on 26 July 2012.
Source: MicrosoftAliases :
Trojan:Win32/Ransom.EZ is also known as Trojan-Ransom.Win32.Gimemo.wrn (Kaspersky), W32/Ransom.BIB (Norman), TR/Ransom.EZ.361 (Avira), Trojan-Ransom.Win32.Gimemo (Ikarus), Troj/Ransom-HA (Sophos).
Explanation :
Trojan:Win32/Ransom.EZ is a trojan that prevents you from accessing your desktop. It displays a message screen stating that you need to send payment to a certain prepaid mobile account to unlock the desktop.
Installation
Trojan:Win32/Ransom.EZ may have a randomly-generated file name. It creates the following registry entries so that it automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "<malware file name>"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "explorer"
With data: "<malware file name>"
Payload
Prevents you from accessing the desktop
Trojan:Win32/Ransom.EZ locks your desktop, preventing you from accessing it. It displays a message screen stating that illegal activity has been detected in your computer and that you have to send payment to a given mobile phone account to regain access. The screen may appear similar to the following:
This trojan claims that upon sending payment, you will be sent an unlock code to regain access. It also falsely claims association with Windows and Microsoft Security Essentials, when in fact this trojan has nothing to do whatsoever with Windows or Microsoft.
Analysis by Stefan Sellmer
Last update 26 July 2012