Internet threat level: 1
Home→Descriptions→Trojan-Ransom.Win32.PornoBlocker.bdi
Trojan-Ransom.Win32.PornoBlocker.bdi
| Detected | Nov 15 2010 11:06 GMT |
| Released | Nov 15 2010 17:59 GMT |
| Published | Mar 23 2011 12:30 GMT |
Payload
Removal instructions
Technical Details
This Trojan stops the computer from functioning in order to obtain a ransom for restoring it. It is a Windows application (PE EXE file). It is 46 080 bytes in size. It is written in Delphi.
Installation
In order to ensure that it is launched automatically each time the system is restarted, the Trojan adds a link to its executable file in the system registry autorun key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "<path to original Trojan file<"
Payload
This Trojan assigns "hidden" and "system" attributes to its file. It then performs the following actions:
- It adds the following entries to the system registry keys:
[HKLM\Software\Microsoft\Outlook Express] "palo" = "<rnd1>" "num" = "<rnd2>"
where <rnd1> is the current date and time in an encrypted form, which comprises 10 digits, for example: "1092554318"<rnd2> is the number to refill the account, displayed to the user. It is randomly selected from the list:
896***29451 898***36548 898***36585 898***32746 898***36591 898***36528
- It disables the Windows Task Manager by creating the following system registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system] "DisableTaskMgr" = "1"
- The Trojan displays its window and in an endless cycle places the input focus in this window:
In an endless cycle it also gets the current time and matches it against the system registry key value:
[HKLM\Software\Microsoft\Outlook Express] "palo" = "<rnd1>"This way the Trojan ceases running 48 hours since its first launch.
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Input the following unblocking code:
BENOLIMA1
- Empty the Temporary Internet Files directory:
%Temporary Internet Files%
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
md5: 6A06F4E5486F7C57B938F4FB6B542960 sha1: FBAFAD67B9E04513BD83EA5410B43EA0BB20CD34
This type of Trojan modifies data on the victim computer so that the victim can no longer use the data, or it prevents the computer from running correctly. Once the data has been “taken hostage" (blocked or encrypted), the user will receive a ransom demand.
The ransom demand tells the victim to send the malicious user money; on receipt of this, the cyber criminal will send a program to the victim to restore the data or restore the computer’s performance.
Trojan-Ransom.
- Trojan:
Generic. dx!uwu (McAfee) - Mal/Generic-L (Sophos)
- Generic Trojan (Panda)
- Trojan:
Win32/Ransom. BO (MS(OneCare)) - Trojan.
Winlock. 2543 (DrWeb) - a variant of Win32/LockScreen.
WT trojan (Nod32) - Gen:
Trojan. Heur. DP. cGW@aSobQgbc (BitDef7) - Trojan.
PornoBlocker!5vhbkbII7Tg (VirusBuster) - Win32:
Regrun-BO [Trj] (AVAST) - Trojan-Ransom.
Win32. PornoBlocker (Ikarus) - LockScreen.
W (AVG) - Trojan.
Gen (NAV) - NseCheckFile2() returned 0x00010018 (Norman)
- Trojan.
PornoBlocker!5vhbkbII7Tg (VirusBusterBeta)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.