|Detected||Aug 19 2010 10:01 GMT|
|Released||Aug 20 2010 03:59 GMT|
|Published||Mar 18 2011 10:14 GMT|
This Trojan stops the computer from functioning normally in order to obtain a ransom for restoring the system to its initial condition. It is a Windows application (PE EXE file). It is 73 216 bytes in size. It is written in C++.
Once launched, the Trojan copies its body to the file:
%ALLUSERSPROFILE%\TempDir\mspro32.scrScripts are also created for the command interpreter:
%ALLUSERSPROFILE%\TempDir\rdb.bat (96 bytes) %ALLUSERSPROFILE%\TempDir\start.bat (71 bytes)The scripts contain the following strings, in corresponding order:
@echo off cd %ALLUSERSPROFILE%\TempDir\ echo>"mspro32.scr:Zone.Identifier" @echo off cd %ALLUSERSPROFILE%\TempDir\ mspro32.scrTo ensure that the copy created is launched automatically each time the system is rebooted, the following system registry key is created:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "AAPatch" = "%allusersprofile%\TempDir\start.bat"The Trojan also disables the User Account Control (UAC) by changing the system registry key value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system] "EnableLUA" = "0"The Trojan then launches the previously created copy for execution and ceases running.
Once launched, the Trojan carries out the following actions:
[HKLM\Software\LtuSoftware] "Prefix" = "8638"
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
taskkill /f /im mspro32.scr
%ALLUSERSPROFILE%\TempDir\mspro32.scr %ALLUSERSPROFILE%\TempDir\rdb.bat %ALLUSERSPROFILE%\TempDir\start.bat
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "AAPatch" = "%allusersprofile%\TempDir\start.bat" [HKLM\Software\LtuSoftware] "Prefix" = "8638"
This type of Trojan modifies data on the victim computer so that the victim can no longer use the data, or it prevents the computer from running correctly. Once the data has been “taken hostage" (blocked or encrypted), the user will receive a ransom demand.
The ransom demand tells the victim to send the malicious user money; on receipt of this, the cyber criminal will send a program to the victim to restore the data or restore the computer’s performance.