Trojan Locks Computers, Demands Ransom for Bogus ‘Offense’

A new “ransomware” campaign uses a novel approach to extort money from Internet users. It locks your computer and displays a localized webpage that covers your desktop and demands payment of a fine for the possession of banned material.

The following system changes may indicate the presence of this malware:

<startup folder>\<random file name>.dll.lnk

<startup folder>\<random file name>.dll

Lock.dll

The Trojan creates the following registry changes:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: “DisableTaskMgr”
With data: “1”

HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: “NoProtectedModeBanner”
With data: “1”

HKCU\Software\Microsoft\Internet Explorer\Toolbar
Sets value: “Locked”
With data: “1”

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Sets value: “1609”
With data: “0”

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: “1609”
With data: “0”

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: “1609”
With data: “0”

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: “1609”
With data: “0”

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: “1609”
With data: “0”

We’ve seen lock-screen images such as these: [screenshots not reproduced in this text version]

When the ransomware runs, some variants of this malware family copy themselves to the following location on your computer:

%ALLUSERSPROFILE%\Application Data\<random filename>.dll

Some variants create the following shortcut file in the Windows start-up folder to ensure the Trojan loads every time you log on:

<startup folder>\runctf.lnk

Some variants may also drop a copy of rundll32.exe in the “%USERPROFILE%\application data” directory. This file launches the Trojan.

In some older variants, the Trojan creates a shortcut file of this type:

<random file name>.dll.lnk
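The registry values and file artifacts listed above are usable as host-based indicators. The script below is an added example, not McAfee’s detection logic or any tooling from this post: it takes HKCU registry values and file paths collected by whatever means you already have (a `reg export`, a startup-folder listing, an EDR query) as plain Python data and reports which of the listed indicators are present, so it runs offline on any platform. The sample registry values and paths are constructed for illustration. One caveat the write-up implies but does not state: a legitimate `rundll32.exe` lives in the Windows system directory, so the check treats a copy anywhere else as suspicious.

```python
"""Match host artifacts against the indicators in this write-up.

Added example, not McAfee's own tooling. Registry data is compared as
strings, so DWORD values should be passed as their decimal text ("1", "0").
"""
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# (subkey under HKCU, value name, data) exactly as listed in the write-up.
RANSOM_REG_INDICATORS: List[Tuple[str, str, str]] = [
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "1"),
    (r"Software\Microsoft\Internet Explorer\Main", "NoProtectedModeBanner", "1"),
    (r"Software\Microsoft\Internet Explorer\Toolbar", "Locked", "1"),
] + [
    (r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" + zone, "1609", "0")
    for zone in ("", r"\1", r"\2", r"\3", r"\4")
]

# Shortcut names the write-up associates with the startup folder:
# <random file name>.dll.lnk and runctf.lnk.
STARTUP_LNK_RE = re.compile(r"^(?:.+\.dll\.lnk|runctf\.lnk)$", re.IGNORECASE)


def match_registry(values: Dict[Tuple[str, str], str]) -> List[str]:
    """Return the HKCU indicators present in `values`, a mapping of
    (subkey, value name) -> data. Names are compared case-insensitively,
    as the registry itself does."""
    norm = {(k.lower(), v.lower()): str(d) for (k, v), d in values.items()}
    hits = []
    for subkey, name, data in RANSOM_REG_INDICATORS:
        if norm.get((subkey.lower(), name.lower())) == data:
            hits.append(f"HKCU\\{subkey}\\{name} = {data}")
    return hits


def match_files(paths: Iterable[str]) -> List[str]:
    """Flag startup-folder shortcuts, Lock.dll, and a rundll32.exe outside
    the system directories (the write-up describes one dropped under
    %USERPROFILE%\\Application Data as the Trojan's launcher)."""
    hits = []
    for p in paths:
        directory, name = ntpath.split(p)
        low_dir, low_name = directory.lower(), name.lower()
        if low_dir.endswith("\\startup") and STARTUP_LNK_RE.match(name):
            hits.append(p)
        elif low_name == "rundll32.exe" and not (
            low_dir.endswith("\\system32") or low_dir.endswith("\\syswow64")
        ):
            hits.append(p)
        elif low_name == "lock.dll":
            hits.append(p)
    return hits


# Constructed sample, shaped like the output of a collection script;
# not a capture from a real infection.
SAMPLE_REGISTRY: Dict[Tuple[str, str], str] = {
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): "1",
    (r"Software\Microsoft\Internet Explorer\Toolbar", "Locked"): "1",
    (r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1609"): "0",
    # Unrelated zone setting, must not be reported.
    (r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1601"): "0",
}
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xk2h9.dll.lnk",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk",
    r"C:\Users\alice\Application Data\rundll32.exe",
    r"C:\Windows\System32\rundll32.exe",
]


def main() -> None:
    for hit in match_registry(SAMPLE_REGISTRY) + match_files(SAMPLE_PATHS):
        print("indicator:", hit)


if __name__ == "__main__":
    main()
```

On the sample data the script reports three registry hits (DisableTaskMgr, Locked, and the Zones\3 value 1609) and two file hits (the random `.dll.lnk` in the startup folder and the `rundll32.exe` under Application Data); the legitimate System32 copy and the unrelated shortcut are left alone.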

As part of its payload, this Trojan displays a full-screen webpage that covers all other windows, rendering the computer unusable. The image is a fake warning pretending to be from a legitimate institution that demands the payment of a fine. Paying the “fine” will not necessarily return your computer to a usable state, so we don’t advise you do so.

This Trojan can download and run customized DLL payloads:

  • Lock.dll, which the Trojan injects into the browser processes of Internet Explorer, Chrome, and Opera to display the fraudulent message.

This Trojan uses a variety of legitimate payment and financial transfer services, including:

McAfee products detect these malware binaries as Ransom-AAY.gen.b.