The Latest in IT Security

Trojan.Winlock.5490 extorts money from French users

27
Jan
2012

The Russian anti-virus vendor Doctor Web warns Internet users of the new malignant program that blocks access to Windows. This Trojan horse has been dubbed Trojan.Winlock.5490. The malicious application poses a danger to systems running Microsoft Windows with French locale set as default system language.

Otherwise Trojan.Winlock.5490, written in C, won’t run in a system with a different default language. The Trojan horse incorporates anti-debugging features: when loaded, it checks if its process is launched in VirtualBox, QEmu or VMWare environment. If it is, the Trojan horse process is ended. A significant portion of Windows blockers work in the offline mode. They contain an unlock code in their own resources (plain text or encrypted ), or calculate it based on the number of parameters or do not have such a code at all. Trojan.Winlock.5490 belongs to the last group of extortion programs . It deletes itself automatically in a week after installation. However, after having blocked access to Windows it reports to a remote server and sends information about the infected machine, payment card numbers entered by the victim and receives “OK” as a response.

screen

Once Trojan.Winlock.5490 is in the system, it starts an svchost.exe process with its injected code and orders Windows to hide the Task bar and stops all explorer.exe and taskmgr.exe process threads. Then the Trojan.horse adds its registry entry to be launched automatically and displays a window containing a demand to pay 100 euro with Paysafecard or Ukash card. The message language is French. The the card number entered by the victim is sent to the remote command server and the user is informed that the payment will be processed in 24 hours.

Because this Trojan horse does not use unlock codes, users are advised to scan their computers with Dr.Web LiveCD. You can also try to change the date in BIOS (set a date several months later than the current one) and scan hard drives with Dr.Web CureIt!. You may also delete the Trojan horse autorun entry from the Windows Registry found in Software\Microsoft\Windows\CurrentVersion\Run\.

Leave a reply


Categories

MONDAY, FEBRUARY 06, 2023
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments