Recent posts:
- 03 Sep – The Winlock numbers, the Winlock laws (Sergey Golovanov)
- 01 Sep – The Winlock case - I'm taking bets! (Eugene)
- 21 Jul – Not Kaspersky (Oleg)
- 06 Nov – Every little helps? (Oleg)
- 15 Aug – New Gpcode - mostly hot air (VitalyK)
- 12 Aug – Gpcode - here we go again (VitalyK)
While Eugene’s busy taking bets (wonder how much he’s going to make?), I’ve been having a think about the Winlock case.
Russian law enforcement is estimating that the bad guys could have raked in as much as $1 billion. While it’s difficult to be certain about the exact amounts involved (obviously they spread their money across a lot of different accounts to avoid attracting attention), a little bit of simple math makes me think this figure isn’t as crazy as it might sound.
Our statistical analysis tells us there could be around a million people who've been infected. Ten cybercriminals, each taking a cut of a ransom of between $10 and $30 per victim; even after paying out $3 per infection to the people willing to spread this malware, the numbers add up pretty quickly.
Interesting news on Trojan SMS blockers (Winlock etc.). These programs lock Windows and demand a ransom in the form of a text message sent to a premium-rate short number. It's a very popular type of racket at the moment, both in Russia and in a few other countries.
The whole affair has now reached the General Prosecutor’s office of Russia – the criminals have been identified and detained (or so it seems) and will be prosecuted in Moscow soon.
Altogether the criminals have earned an estimated 790,000 roubles, or $25K. Moreover, they have caused other damage by blocking or crashing an as yet undetermined number of personal and company PCs. Very often people have needed to reinstall the OS and all their software and then restore data from backups - even after paying the ransom.
But I wanted to focus on the outcome – or the possible outcome of this incident, not on the investigation, arrests and so forth.
We've had a number of people contacting us with queries about 'Kaspersky Lab Antivirus Online' after their computer showed them this message:
The short answer is: it's certainly nothing to do with us! It's actually the payload of a primitive piece of ransomware, Trojan-Ransom.Win32.SMSer. The Trojan installs itself to the Windows directory, and shows this message when the computer is rebooted.
Mobile Trojans, which send SMS messages to premium pay numbers; fake antivirus software, which finds ‘infections’ on your computer that you’ll have to pay to have cured; Trojan ransomware, which prevents infected systems from functioning normally and demands money in return for restoring functionality.
All these types of malware get regular coverage, and we're seeing them (and writing about them) ever more frequently.
And now we’ve got a sort of three-in-one, a nasty little program called Trojan.Win32.KillProc.am. So far, we’ve seen three variants of this, and two of them get detected under a different name - Trojan-Ransom.Win32.BHO.a and .b.
This Trojan is a Browser Helper Object which attacks Internet Explorer. If your machine is infected, you’re going to get a less than pleasant surprise. Instead of showing you your favourite sites, your browser will start to load part of Microsoft’s Russian site – the part devoted to antipiracy and legitimate software.
The latest Gpcode variant, which we wrote about here, is much less of a threat than its predecessors. The author's claims about the use of AES-256 and an enormous number of unique keys were a bluff. The author didn't even use public-key encryption, so all the information needed to decrypt files is right there in the body of the malicious program.
Our analysis shows that the Trojan uses the 3DES algorithm but the author dug up an off-the-peg Delphi component rather than going to the trouble of creating his own encryption routine. The Trojan's code is pretty messy throughout – and very different in style to previous versions of Gpcode – which indicates that the author isn't much of a programmer.
We've called this new variant Trojan-Ransom.Win32.Gpcode.am. Our antivirus updates include procedures for restoring encrypted files – so if you've fallen victim to Gpcode.am, just update your antivirus databases and run a full scan of your machine. And because Gpcode was spread by another malicious program, P2P-Worm.Win32.Socks.fe, don't be surprised if your antivirus brings some other nasties to light.