Ransom-A

Type: Trojan
SubType: Win32
Discovery Date: 06/28/2006
Length: Varies
Minimum DAT: 4795 (06/28/2006)
Updated DAT: 4795 (06/28/2006)
Minimum Engine: 5.1.00
Description Added: 06/28/2006
Description Modified: 01/12/2007 12:49 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Ransom-A is a trojan that searches for and hides files of specific types (*.doc, *.xls, *.ppt, *.wps, *.mdb, *.zip, *.rar). To restore these files, the victim is asked to pay a ransom into a designated bank account in exchange for a "restoration key".

Upon execution, Ransom-A launches the Notepad application displaying a Chinese message informing the user that data was corrupted due to "magnetic interference" and that the system was unable to continue:

The trojan searches for files with the following filename extensions and moves them to a hidden folder (with a Chinese folder name) in C:\ in an attempt to convince the victim that the data was lost due to "magnetic interference":

  • *.doc
  • *.xls
  • *.ppt
  • *.wps
  • *.mdb
  • *.zip
  • *.rar

A shortcut is created in Start->Program Files->Accessories, pointing to an application claiming to be a "Data Recovery" tool.

Executing this "Data Recovery" tool presents the user with instructions to transfer approximately US$12 into a designated bank account in exchange for a "registration serial number" that will be sent to the victim via a mobile text message.

Symptoms

  • Disappearance of files matching the mentioned file types.
  • Display of the mentioned "data recovery" messages.
  • Presence of a Chinese "data recovery" shortcut in Start->Program Files->Accessories.
  • Presence of the following file(s):
    • %Windir%\System32\Redplus.exe

(Where %Windir%\ is the Windows folder, e.g. C:\Windows)
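The symptoms above can be checked on a suspect host with the following PowerShell triage script, an added example that is not part of the AVERT description. It assumes it is run from an elevated PowerShell on the affected machine, that the hidden folder sits directly under C:\, and that the shortcut lives in the Accessories folder of the all-users or per-user Start Menu; the non-ASCII-name heuristic is this example's own assumption, not something the page states.

```powershell
# Added triage script for the Ransom-A indicators listed under Symptoms; it is not
# part of the AVERT description. Assumptions (not stated on the page): it is run
# from an elevated PowerShell on the suspect host, the hidden folder sits directly
# under C:\, and the shortcut lives in the Accessories folder of the all-users or
# per-user Start Menu.
$extensions = '*.doc', '*.xls', '*.ppt', '*.wps', '*.mdb', '*.zip', '*.rar'
$findings   = @()

# 1. Dropped binary named in the Symptoms section.
$redplus = Join-Path $env:windir 'System32\Redplus.exe'
if (Test-Path -LiteralPath $redplus) {
    $findings += "Dropped file present: $redplus"
}

# 2. Hidden folders directly under C:\ holding the targeted file types. A non-ASCII
#    folder name is treated as an extra signal because the page reports a Chinese
#    name; this is a heuristic, so the count of matching files is reported with it.
Get-ChildItem -LiteralPath 'C:\' -Directory -Force |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
    ForEach-Object {
        $hits = @(Get-ChildItem -Path (Join-Path $_.FullName '*') -Include $extensions `
                     -Recurse -Force -File -ErrorAction SilentlyContinue)
        $nonAscii = $_.Name -match '[^\x00-\x7F]'
        if ($hits.Count -gt 0 -or $nonAscii) {
            $findings += "Hidden folder $($_.FullName): $($hits.Count) file(s) of targeted types"
        }
    }

# 3. Shortcuts in Accessories whose target is the dropped file or whose name is
#    non-ASCII (on a localized Windows the latter is normal, so review by hand).
$shell = New-Object -ComObject WScript.Shell
foreach ($special in 'CommonPrograms', 'Programs') {
    $acc = Join-Path ([Environment]::GetFolderPath($special)) 'Accessories'
    if (-not (Test-Path -LiteralPath $acc)) { continue }
    Get-ChildItem -LiteralPath $acc -Filter '*.lnk' -Force | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -ieq $redplus -or $_.Name -match '[^\x00-\x7F]') {
            $findings += "Suspicious shortcut $($_.FullName) -> $target"
        }
    }
}

if ($findings.Count -eq 0) { 'No Ransom-A indicators found.' } else { $findings }
```

Each finding is a line of text; a hidden folder with a large count of the targeted file types is the strongest of the three signals, since the dropped file name and shortcut location may differ between samples.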


Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A
