Ransom-D

Type: Trojan
SubType: Trojan
Discovery Date: 01/03/2008
Length: 221,184 bytes
Minimum DAT: 5200 (01/04/2008)
Updated DAT: 5200 (01/04/2008)
Minimum Engine: 5.1.00
Description Added: 01/03/2008
Description Modified: 01/03/2008 3:04 PM (PT)

Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update January 03, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2008/01/03/ransomware_trojan/

--

With current DATs, proactive identification may occur as New Malware.j when heuristic scanning is enabled.

When executed, this trojan displays an error message claiming that security software on the machine has expired and must be updated.

If the trojan cannot reach the internet, the following text is displayed over the full screen (reproduced verbatim):

Sorry, your license has expired You need to increase your license to continue work Click the button below to fix this problem

If it can connect to the internet, the following text and an image are shown instead (reproduced verbatim, including the malware's own spelling errors):

ERROR : Browser Security and Antiadware Software component license exprited!


Surfing PORN, ADULT and some other kind of sites you like without this software is dangerows and threatens with infection of your computer by harmful viruses, adware, spyware, etc...You strongly need to update your software to avoid infection and losting information from your computer. Please complete procedure of software update;

If the "activate new license" button is clicked, the user is sent to another website listing premium-rate phone numbers for their region.

These windows disappear once the trojan process is ended.

This trojan does not copy itself elsewhere on disk and creates no registry entries to restart itself; it has no persistence mechanism. After a reboot it runs again only if it is launched manually.

It creates the following registry entry as a marker:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\backdoor check
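The marker key is the one durable artifact this trojan leaves behind, so it is the thing to sweep for after the process has been ended. The Python below is an added example written for this page (it is not McAfee's tooling and not part of the original description): it parses a regedit export, such as the output of `reg export HKLM\SOFTWARE\Microsoft dump.reg`, and reports whether the marker key is present. The embedded export is constructed, and the second path checked, under WOW6432Node, is an assumption made here for a 32-bit binary redirected by the registry redirector on 64-bit Windows; the page itself lists only the HKLM\SOFTWARE\Microsoft path.

```python
"""Sweep a regedit export for the Ransom-D marker key.

Added example for this page. The first marker path comes from the
description above; the WOW6432Node path is an assumption for 64-bit hosts.
"""
import re
import sys
from typing import List

MARKER_KEYS = (
    # Documented marker (from the description above).
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\backdoor check",
    # Assumption: where a 32-bit process is redirected to on 64-bit Windows.
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\backdoor check",
)

# A key header in a .reg file looks like "[HKEY_...\path]".
# A leading "-" inside the brackets means "delete this key", not presence, so it is excluded.
_KEY_HEADER = re.compile(r"^\[(?P<key>[^\-\]][^\]]*)\]$")


def decode_reg_bytes(data: bytes) -> str:
    """regedit 5.00 exports are UTF-16LE with a BOM; older REGEDIT4 exports are ANSI."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")  # the utf-16 codec consumes the BOM
    return data.decode("cp1252")


def parse_reg_keys(reg_text: str) -> List[str]:
    """Every key header in the export, in file order (value lines are ignored)."""
    keys = []
    for raw in reg_text.splitlines():
        m = _KEY_HEADER.match(raw.strip())
        if m:
            keys.append(m.group("key"))
    return keys


def find_marker_keys(reg_text: str) -> List[str]:
    """Marker keys present in the export.

    Registry key names are case-insensitive, so the comparison is case-folded;
    the key is reported exactly as it appears in the export.
    """
    wanted = {k.casefold() for k in MARKER_KEYS}
    return [k for k in parse_reg_keys(reg_text) if k.casefold() in wanted]


def has_ransom_d_marker(reg_text: str) -> bool:
    return bool(find_marker_keys(reg_text))


# Constructed sample export (not a real capture): one benign key, then the marker.
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\backdoor check]",
    "",
])

if __name__ == "__main__":
    # Usage: python ransom_d_sweep.py dump.reg   (with no argument, the sample export is used)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            text = decode_reg_bytes(fh.read())
    else:
        text = SAMPLE_REG
    hits = find_marker_keys(text)
    print("Ransom-D marker present:" if hits else "Ransom-D marker not found.")
    for key in hits:
        print("  " + key)
```

On a live host the same check is one line of PowerShell, `Test-Path 'HKLM:\SOFTWARE\Microsoft\backdoor check'`, and once the process has been ended, `reg delete "HKLM\SOFTWARE\Microsoft\backdoor check" /f` removes the marker. The marker is not a startup hook, so it is worth confirming it is gone after cleaning rather than assuming the clean took it.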

Symptoms

The error messages described above and the registry marker key listed under Characteristics.

Method of Infection

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This trojan is ransomware. It attempts to scare the infected user into calling a premium-rate phone number to activate a license for fictitious security software.

Aliases

  • Backdoor.Win32.Delf.ctk (VBA32)
  • BDS/Delf.ctk (Avira)
  • Trojan.Win32.Ransom.a (Kaspersky)
  • W32/Delf.CTK!tr.bdr (Fortinet)
