
Trojan-Ransom.Win32.FakeInstaller.amdi

Detected Feb 22 2011 15:44 GMT
Released Feb 22 2011 22:03 GMT
Published Apr 26 2011 11:27 GMT


Technical Details

This malicious program demands a ransom in exchange for the content of an encrypted archive, which users believe contains a file that they need. It is a Windows application (PE EXE file). It is 1 114 654 bytes in size. It is written in Delphi.


Payload

As a rule, the malware is downloaded by the user from the Internet in the guise of a self-extracting archive containing the file that the user needs. Once launched, the malware displays a window with the following content:

After the "Unpack" button is pressed, the malware imitates the process of extracting the file. At a certain stage, this process stops and the user is prompted to enter a code to continue extracting. To obtain the code, it is necessary to select a country and send an SMS to the short number specified:

The links

  • Rules
  • For complaints
  • Rates

point to the following resources, respectively:

http://zip***z.ru/rules/
http://he***pfilez.ru/
http://www.a1ag***tor.ru/main/abonent

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

MD5: 0A190F61447793EF64A0F04A03627F47

SHA1: 26B272D056E4915B07101444632CC1920C332B7B


Trojan-Ransom

This type of Trojan modifies data on the victim computer so that the victim can no longer use the data, or it prevents the computer from running correctly. Once the data has been "taken hostage" (blocked or encrypted), the user will receive a ransom demand.

The ransom demand tells the victim to send the malicious user money; on receipt of this, the cyber criminal will send a program to the victim to restore the data or restore the computer’s performance.


Aliases

Trojan-Ransom.Win32.FakeInstaller.amdi (Kaspersky Lab) is also known as:

  • Program:Win32/Pameseg.B (MS(OneCare))
  • Gen:Variant.Adware.SMSHoax.5 (BitDef7)
  • Trojan.FakeInstaller!N5dYnrcyzlU (VirusBuster)
  • Trojan-Ransom.Win32.FakeInstaller (Ikarus)
  • Generic27.BLHV (AVG)
  • W32/ArchSMS.AQK (Norman)
  • Trojan.Win32.Generic!BT (Sunbelt)
  • Trojan.FakeInstaller!N5dYnrcyzlU (VirusBusterBeta)
  • W32/FakeInstaller.AMDI!tr (Fortinet)