
Ransom:Win32/Genasom.FL


First posted on 24 May 2014.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Genasom.FL.

Explanation:

Threat behavior

Trojan:Win32/Ransom.FL is screen-locking ransomware that targets users in several countries, including Germany and France. It displays a window that covers the entire desktop of the infected computer and demands payment of a supposed fine for the alleged possession of illicit material.

Installation

Trojan:Win32/Ransom.FL copies the legitimate file "\explorer.exe" to "\twexx32.dll".

It then replaces the following files with a copy of itself:

  • \explorer.exe
  • \dllcache\explorer.exe


Note: the leading folder in the paths above is a variable location that the malware determines at run time by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista and 7.

Payload

Prevents the user from accessing the desktop

Trojan:Win32/Ransom.FL displays a full-screen image that covers all other windows, rendering the computer effectively unusable. The image is a fake warning pretending to be from a legitimate institution such as the German "Bundespolizei" or the French "Gendarmerie Nationale". It demands the payment of a supposed fine. However, even if the user pays, the computer is still left unusable.

The images may appear as the following:



The text roughly translates to:

An unlawful activity has been found! Warning!!! The operating system was locked for infringement against the laws of the Federal Republic of Germany! Your IP Address is . From this IP address, sites containing pornography, child pornography, bestiality and violence against children were browsed. Your computer also has video files with pornographic content, elements of violence and child pornography. Emails with terrorist background were also spammed. This serves to lock the computer to stop your illegal activities.



The text roughly translates to:

Warning! Your computer was blocked due to violations of the laws of France. The following crimes have been found:

  • The distribution, editing or recording of pornographic material that involves underage persons.
  • Spam
  • Software usage that violates copyright laws
  • Multimedia file sharing that violates copyright laws


Users should note that these images are scare tactics used by the malware to pressure the user into paying. Paying does not unlock the computer or remove the threat, so if you are affected by this threat do not pay.

Trojan:Win32/Ransom.FL queries a legitimate IP address geolocation service to determine the country and the ISP from which the infected computer is connecting to the Internet.

Connects to remote servers

Trojan:Win32/Ransom.FL has been observed to connect to the following IP addresses:

  • 91.228..157
  • 95.57..214


Terminates processes

Trojan:Win32/Ransom.FL attempts to terminate the following processes every 100 milliseconds:

  • taskmgr.exe
  • procexp.exe




Analysis by Horea Coroiu

Symptoms

System changes

The following system changes may indicate the presence of this malware:

    • The presence of the following files:
      • %AppData%\ehxgckss4ws4jfi2.dat
      • \twexx32.dll
    • You see one of the following images covering your entire desktop screen:
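The following PowerShell triage script is an added example for this page and is not part of the Microsoft write-up. It checks a host for the file indicators listed under Installation and Symptoms and probes for the process-killing payload described above. Two assumptions are labelled in the code: that the placeholder stripped from the install paths is the Windows System folder (%SystemRoot%\System32), so both %SystemRoot% and System32 are checked, and that a genuine explorer.exe carries a Microsoft version resource with OriginalFilename EXPLORER.EXE, which the trojan copy is not expected to have. The function and parameter names are the author's own.

```powershell
# Added triage example, not code from the Microsoft write-up.
# Assumptions (see lead-in): the stripped placeholder in the install paths is
# the Windows System folder; a genuine explorer.exe has a Microsoft version
# resource with OriginalFilename 'EXPLORER.EXE'.

function Get-GenasomFLFindings {
    [CmdletBinding()]
    param(
        [string]$SystemRoot = $env:SystemRoot,
        [string]$AppData    = $env:APPDATA
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $system32 = Join-Path $SystemRoot 'System32'

    # Indicator 1: the .dat file listed under %AppData% in the Symptoms section.
    $dat = Join-Path $AppData 'ehxgckss4ws4jfi2.dat'
    if (Test-Path -LiteralPath $dat -PathType Leaf) {
        $findings.Add("indicator file present: $dat")
    }

    # Indicator 2: twexx32.dll, the malware's backup copy of the real explorer.exe.
    # A ".dll" whose version resource says it was built as EXPLORER.EXE is a far
    # stronger signal than the file name alone.
    foreach ($dir in @($system32, $SystemRoot)) {
        $dll = Join-Path $dir 'twexx32.dll'
        if (Test-Path -LiteralPath $dll -PathType Leaf) {
            $orig = (Get-Item -LiteralPath $dll).VersionInfo.OriginalFilename
            $findings.Add("indicator file present: $dll (OriginalFilename='$orig')")
        }
    }

    # Indicator 3: explorer.exe (and the dllcache copy) replaced by the trojan.
    # Heuristic only: a genuine explorer.exe has a Microsoft version resource and,
    # on Windows 8+ with PowerShell 5, a catalog-backed Authenticode status of
    # 'Valid'. Older PowerShell does not check catalogs and reports 'NotSigned'
    # for the real file, so anything unusual is flagged for review, not declared
    # malicious outright.
    $targets = @(
        (Join-Path $SystemRoot 'explorer.exe'),
        (Join-Path $system32   'explorer.exe'),
        (Join-Path $system32   'dllcache\explorer.exe')
    )
    foreach ($exe in $targets) {
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        $vi  = (Get-Item -LiteralPath $exe).VersionInfo
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $looksGenuine = ($vi.CompanyName -like 'Microsoft*') -and
                        ($vi.OriginalFilename -eq 'EXPLORER.EXE')
        if (-not $looksGenuine -or $sig.Status -ne 'Valid') {
            $findings.Add(("review {0}: CompanyName='{1}' OriginalFilename='{2}' Signature={3}" -f
                           $exe, $vi.CompanyName, $vi.OriginalFilename, $sig.Status))
        }
    }

    return $findings
}

# Behavioural probe for the "terminates taskmgr.exe every 100 milliseconds"
# payload: start Task Manager and check whether it is still alive shortly after.
# On a clean host it survives; with the locker running it is killed almost at once.
function Test-TaskManagerSurvives {
    param([int]$WaitMilliseconds = 1500)
    $p = Start-Process -FilePath 'taskmgr.exe' -PassThru
    Start-Sleep -Milliseconds $WaitMilliseconds
    $alive = -not $p.HasExited
    if ($alive) { Stop-Process -Id $p.Id -ErrorAction SilentlyContinue }
    return $alive
}

$results = Get-GenasomFLFindings
if ($results.Count -eq 0) {
    Write-Output 'No Genasom.FL file indicators found.'
} else {
    $results | ForEach-Object { Write-Output $_ }
}
$wait = 1500
Write-Output ("Task Manager survives for {0} ms: {1}" -f $wait, (Test-TaskManagerSurvives -WaitMilliseconds $wait))
```

Because the locker covers the desktop and kills Task Manager, run the script from Safe Mode with Command Prompt or from an offline boot environment, passing the mounted volume's Windows folder as -SystemRoot and the affected profile's roaming AppData as -AppData; the process probe is only meaningful on the live system.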






Last update 24 May 2014
