
The Trojan named Ransomlock, or, as named by Cheetah-Fast, Trj.RNSMLCK.M, is now back with another variant.

Ransomlock is described as a Trojan responsible for locking down the Windows NT Desktop, making it inaccessible unless the user has a password to unlock it. The password is usually available if the user either pays money or sends a text to a certain number.

Example of text message instructions in Russian-translated English:

To unlock you need to send an SMS with the text 4113558385 to the number 3649

Enter the resulting code:

Any attempt to reinstall the system may lead to loss of important information and computer damage


The randomly generated code is used with a back-end server, which allows the code to be polymorphic, making it difficult for antivirus vendors to help remove the threat through "rescue-disc" or other recovery solutions.

However, it is best to NOT send the text to that number. It is best to actually remove the threat using an external operating system or slaving the infected hard drive.


This threat is commonly distributed through email. The subject line of the bogus email message is written in Portuguese and reads: ‘Novo video nao divulgado por ter imagens fortes…


It is commonly named the following:

Trojan.Ransomlock [PCTools]
Trojan.Ransomlock!gen4 [Symantec]
Trojan.Win32.Jorik.MokesLoader.ag [Kaspersky Lab]
Generic Downloader.ix [McAfee]
Troj/Bredo-LG [Sophos]
TrojanDownloader:Win32/Dofoil.L [Microsoft]
Trojan.Win32.Jorik [Ikarus]


When tested recently, it displayed the following characteristics:

Created file: %AppData%\csrss.exe with MD5: A72EDBA4555EFF11E388488B1C92C8C5

Created Registry value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
Intel = "%AppData%\csrss.exe"

It established a connection on port 80 to the following IP address: 74.125.47.99, which shares protocols with Google.com. The IP address is owned by Google, Inc.


You may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats.


..........................................................
DragonMaster Jay
Owner/Administrator/Operator Cheetah-Fast Services
Advanced Malware Analysts Group Owner
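Added example (not part of the original post): a small Python checker that parses a .reg export of the Policies\Explorer\Run key the post names, flags autorun entries launched from user-writable locations or masquerading as Windows system processes (such as csrss.exe outside System32), and compares a file's MD5 against the hash reported above. The .reg text and the benign "OneDrive" entry are constructed sample data.

```python
import hashlib
import re

# Constructed sample .reg export of the key named in the post.
# "Intel" mirrors the reported indicator; "OneDrive" is a constructed benign entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Intel"="%AppData%\\csrss.exe"
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
'''

# MD5 of %AppData%\csrss.exe as reported in the post (lowercased for comparison).
KNOWN_BAD_MD5 = "a72edba4555eff11e388488b1c92c8c5"
# Legitimate Windows process names that should only ever run from System32.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "winlogon.exe", "lsass.exe", "svchost.exe", "smss.exe"}
USER_WRITABLE_PREFIXES = ("%appdata%", "%temp%", "%localappdata%", "%userprofile%")

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)  # executable path up to the first .exe

def parse_run_values(reg_text):
    """Return {name: command} for string values under ...\\Policies\\Explorer\\Run."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.rstrip("]").lower().endswith(r"\policies\explorer\run")
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            # .reg exports escape backslashes inside string data; undo that.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def suspicious_run_entries(values):
    """Return (name, command, reasons) for autorun entries that look like persistence."""
    findings = []
    for name, command in values.items():
        m = EXE_RE.match(command)
        path = (m.group(1) if m else command).lower()
        exe = path.rsplit("\\", 1)[-1]
        reasons = []
        if path.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("runs from user-writable location")
        if exe in SYSTEM_PROCESS_NAMES and "\\system32\\" not in path:
            reasons.append(f"{exe} outside System32")
        if reasons:
            findings.append((name, command, reasons))
    return findings

def matches_known_hash(file_bytes):
    """True if the file content hashes to the MD5 reported in the post."""
    return hashlib.md5(file_bytes).hexdigest() == KNOWN_BAD_MD5
```

Export the live key with `reg export` on a suspect machine (or read the hive from a slaved drive) and feed the text to `parse_run_values`; anything returned by `suspicious_run_entries` deserves a closer look before the system is trusted again.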

