Saturday, 10 March 2012

Trojan-Ransom.Win32.PornoBlocker.amq


Technical Details

This Trojan disables a machine in order to extort a ransom for re-enabling it. It is a Windows application (PE EXE file), 179,200 bytes in size, packed with UPX; the unpacked file is approximately 416 KB. It is written in Delphi.

Installation

To ensure that its original file is launched automatically each time the system is rebooted, the Trojan replaces the user shell by setting the following registry value:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "<complete path to original Trojan file>"
The legitimate value here is "Explorer.exe". Because the Shell value is read by the logon process (WINLOGON.EXE) during every interactive logon, the Trojan is started in place of the desktop even when the computer is booted in safe mode.
The original Trojan file is given the hidden and system attributes.

Payload

Once launched, the Trojan performs the following actions:
  • As a marker of its presence in the system, it creates the following registry values:
    [HKLM\Software\Microsoft\Outlook Express]
    "pri" = "200"
    "galo" = "1079837778"
    "num" = "+790***34286"
    
  • It prevents Task Manager from launching by creating the following registry value:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
    "DisableTaskMgr" = "1"
    
  • It deletes the following system registry branches:
    [HKLM\System\CurrentControlSet\Control\SafeBoot]
    "Network"
    "Minimal"
    
    The following branches are created in their place:
    [HKLM\System\CurrentControlSet\Control\SafeBoot]
    "Network_"
    "Minimal_"
    
    The renamed branches contain subkeys with the same names as the originals, but with empty default values. Since the "Minimal" and "Network" branches that Windows consults when booting in safe mode no longer exist, the system can no longer start in safe mode: a BSoD appears when the user attempts to do so.
  • It opens the following site in the default browser:
    http://po***ogay.ru
  • It takes a screenshot of the user's desktop, including all windows open in the system, and saves it to the file:
    %WorkDir%\Screen.jpg
  • It opens a window on top of all other windows, covering the entire desktop and displaying the previously captured screenshot. On top of that window it creates a further window containing the ransom message.
    The input focus is moved back into this window every second. Consequently, all user activity on the infected computer is blocked except for entering the unblocking code.
