|Detected||Nov 15 2010 11:06 GMT|
|Released||Nov 15 2010 17:59 GMT|
|Published||Mar 23 2011 12:30 GMT|
This Trojan stops the computer from functioning in order to obtain a ransom for restoring it. It is a Windows application (PE EXE file). It is 46 080 bytes in size. It is written in Delphi.
In order to ensure that it is launched automatically each time the system is restarted, the Trojan adds a link to its executable file in the system registry autorun key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "<path to original Trojan file>"
This Trojan assigns the "hidden" and "system" attributes to its file. It then creates the following registry values:
[HKLM\Software\Microsoft\Outlook Express] "palo" = "<rnd1>" "num" = "<rnd2>"
where <rnd1> is the current date and time in an encrypted form comprising 10 digits, for example: "1092554318"
<rnd2> is the number of the account the victim is told to refill, which is displayed to the user. It is randomly selected from the list:
896***29451 898***36548 898***36585 898***32746 898***36591 898***36528
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system] "DisableTaskMgr" = "1"
In an endless loop it also reads the current time and compares it against the system registry value:
[HKLM\Software\Microsoft\Outlook Express] "palo" = "<rnd1>"
In this way the Trojan stops running 48 hours after its first launch.
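As an added example (not part of the original report), the following script checks an exported copy of the registry keys listed above (reg.exe export format) for the Trojan's footprint: a hijacked Winlogon Shell value, the "palo" timer and "num" account values, and DisableTaskMgr. The clean Shell value "explorer.exe" and the sample export are assumptions.

```python
import re

# Assumed clean value; the Trojan replaces it with the path to its own file.
EXPECTED_SHELL = "explorer.exe"
# Key paths from the report, in the long form reg.exe writes (matched case-insensitively).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
OUTLOOK = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Outlook Express"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

def parse_reg_export(text):
    """Parse a .reg export into {key_path_lower: {value_name: value}} (REG_SZ and DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = re.fullmatch(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))', line)
        if m and current is not None:
            name, s, d = m.groups()
            # .reg files escape backslashes in string values; undo that.
            keys[current][name] = s.replace("\\\\", "\\") if s is not None else int(d, 16)
    return keys

def find_indicators(keys):
    """Return a list of findings that match the Trojan's registry changes."""
    findings = []
    shell = keys.get(WINLOGON.lower(), {}).get("Shell", "")
    if shell and shell.lower() != EXPECTED_SHELL:
        findings.append(f"Winlogon Shell replaced: {shell}")
    oe = keys.get(OUTLOOK.lower(), {})
    if re.fullmatch(r"\d{10}", str(oe.get("palo", ""))):
        findings.append(f"Outlook Express 'palo' 10-digit timer value present: {oe['palo']}")
    if "num" in oe:
        findings.append(f"Outlook Express 'num' ransom account value present: {oe['num']}")
    if keys.get(POLICIES.lower(), {}).get("DisableTaskMgr") == 1:
        findings.append("Task Manager disabled via DisableTaskMgr = 1")
    return findings

# Constructed sample export of an infected system; the Shell path is a placeholder.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Windows\\system32\\placeholder_trojan.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Outlook Express]
"palo"="1092554318"
"num"="898***36548"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE)):
        print("[!]", finding)
```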
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
%Temporary Internet Files%
md5: 6A06F4E5486F7C57B938F4FB6B542960 sha1: FBAFAD67B9E04513BD83EA5410B43EA0BB20CD34
This type of Trojan modifies data on the victim computer so that the victim can no longer use the data, or it prevents the computer from running correctly. Once the data has been "taken hostage" (blocked or encrypted), the user receives a ransom demand.
The ransom demand tells the victim to send the malicious user money; on receipt of this, the cyber criminal will send a program to the victim to restore the data or restore the computer’s performance.