English

Log in

Search

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Follow us on

Home→Descriptions→Trojan-Ransom.Win32.XBlocker.bct

Trojan-Ransom.Win32.XBlocker.bct

Detected	Aug 19 2010 10:01 GMT
Released	Aug 20 2010 03:59 GMT
Published	Mar 18 2011 10:14 GMT

Manual description Auto description

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details
Payload
Removal instructions

Technical Details

This Trojan stops the computer from functioning normally in order to obtain a ransom for restoring the system to its initial condition. It is a Windows application (PE EXE file). It is 73 216 bytes in size. It is written in C++.

Installation

Once launched, the Trojan copies its body to the file:

%ALLUSERSPROFILE%\TempDir\mspro32.scr

Scripts are also created for the command interpreter:

%ALLUSERSPROFILE%\TempDir\rdb.bat (96 bytes)
%ALLUSERSPROFILE%\TempDir\start.bat (71 bytes)

The scripts contain the following strings, in corresponding order:

@echo off
cd %ALLUSERSPROFILE%\TempDir\
echo>"mspro32.scr:Zone.Identifier"

@echo off
cd %ALLUSERSPROFILE%\TempDir\
mspro32.scr

To ensure that the copy created is launched automatically each time the system is rebooted, the following system registry key is created:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"AAPatch" = "%allusersprofile%\TempDir\start.bat"

The Trojan also disables the User Account Control (UAC) by changing the system registry key value:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

The Trojan then launches the previously created copy for execution and ceases running.

Payload

Once launched, the Trojan carries out the following actions:

It creates the following registry key:

[HKLM\Software\LtuSoftware]
"Prefix" = "8638"

It references the system registry key in a continuous cycle, thus preventing it from being changed:
```
[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"
```
In a continuous cycle, it checks in the system for the presence of the Task Manager process "taskmgr.exe". If the process is launched, the Trojan terminates it
In the lower-right corner of the screen, it displays a window with the following content:

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

Terminate the Trojan process. To do so, launch the system command interpreter "cmd.exe" and execute the following command in it:
```
taskkill /f /im mspro32.scr
```

Delete the following files:

%ALLUSERSPROFILE%\TempDir\mspro32.scr
%ALLUSERSPROFILE%\TempDir\rdb.bat 
%ALLUSERSPROFILE%\TempDir\start.bat

Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).

Delete the following system registry keys (see What is a system registry and how do I use it?):

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"AAPatch" = "%allusersprofile%\TempDir\start.bat"

[HKLM\Software\LtuSoftware]
"Prefix" = "8638"

Restore the initial system registry key value (see What is a system registry and how do I use it?):
```
[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"
```
Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

Print

Share

Malicious programs

Trojans

Trojan-Ransom

This type of Trojan modifies data on the victim computer so that the victim can no longer use the data, or it prevents the computer from running correctly. Once the data has been “taken hostage" (blocked or encrypted), the user will receive a ransom demand.

The ransom demand tells the victim to send the malicious user money; on receipt of this, the cyber criminal will send a program to the victim to restore the data or restore the computer’s performance.

Other versions

Trojan-Ransom.Win32.XBlocker.bcp

Aliases

Trojan-Ransom.Win32.XBlocker.bct (Kaspersky Lab) is also known as:

Trojan: Generic.dx!tle (McAfee)
Mal/EncPk-RP (Sophos)
Trj/Zlob.KH (Panda)
Trojan:Win32/Ransom.AW (MS(OneCare))
Trojan.Winlock.2328 (DrWeb)
Win32/Kryptik.GJY trojan (Nod32)
Trojan.Generic.4637616 (BitDef7)
Trojan.Kryptik.ALGL (VirusBuster)
Win32:Malware-gen (AVAST)
Trojan-Ransom.Win32.XBlocker (Ikarus)
Crypt.ZDK (AVG)
TR/Kryptik.DW (AVIRA)
Packed.Mystic!gen4 (NAV)
W32/Suspicious_Gen2.BWZHZ (Norman)
Trojan.Win32.Generic.52291261 (Rising)
Trojan-Ransom.Win32.XBlocker.bct [AVP] (FSecure)
Trojan.Win32.Generic!BT (Sunbelt)
Trojan.Kryptik!lizdZR/0fi4 (VirusBusterBeta)

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.