Trojan:Win32/Ransom.FL
First posted on 29 February 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Ransom.FL is also known as W32/Ransom.UK (Norman), Trojan.Winlock.4367 (Dr.Web), Win32/LockScreen.AJA trojan (ESET), Trojan-Ransom.Win32.Blocker (Ikarus), Trojan-Ransom.Win32.Blocker.bly (Kaspersky), Generic FakeAlert.fz (McAfee).
Explanation:
Trojan:Win32/Ransom.FL is a ransomware that targets people in several countries, including Germany and France. It displays a window that covers the entire desktop of the infected computer and demands payment for the supposed possession of illicit material.
Installation
Trojan:Win32/Ransom.FL copies the legitimate file "<system folder>\explorer.exe" to "<system folder>\twexx32.dll".
It then replaces the following files with a copy of itself:
- <system folder>\explorer.exe
- <system folder>\dllcache\explorer.exe
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP, Vista, and 7.
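A triage check for the installation artifacts described above, added here as an example (it is not code from the Microsoft write-up). It assumes only the file names given in this entry and takes the system folder as a parameter so it can be pointed at a mounted disk image or a test directory:

```python
r"""Added triage check for the Ransom.FL installation pattern: the genuine
explorer.exe saved as <system folder>\twexx32.dll, and explorer.exe plus
dllcache\explorer.exe overwritten with the malware body. Example code."""
import hashlib
import os
from pathlib import Path
from typing import List, Optional

# File names are taken from the description; the folder itself is a parameter.
BACKUP_NAME = "twexx32.dll"
EXPLORER = "explorer.exe"
CACHED_EXPLORER = os.path.join("dllcache", "explorer.exe")


def sha256_of(path: Path) -> Optional[str]:
    """SHA-256 hex digest of a file, or None when the file does not exist."""
    if not path.is_file():
        return None
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def evaluate_hashes(backup: Optional[str], explorer: Optional[str],
                    cached: Optional[str]) -> List[str]:
    """Turn the three digests into findings; pure so it is easy to test."""
    findings = []
    if backup is not None:
        # twexx32.dll is not the name of any legitimate Windows component.
        findings.append(f"{BACKUP_NAME} present in the system folder")
    if backup and explorer and cached and explorer == cached and explorer != backup:
        # Both explorer copies share one hash that differs from the saved
        # original: consistent with both having been replaced by the same file.
        findings.append("explorer.exe and dllcache copy are identical but differ "
                        f"from {BACKUP_NAME}")
    return findings


def check_ransom_fl_artifacts(system_folder: str) -> dict:
    """Hash the three paths under system_folder and report what was found."""
    base = Path(system_folder)
    backup = sha256_of(base / BACKUP_NAME)
    explorer = sha256_of(base / EXPLORER)
    cached = sha256_of(base / CACHED_EXPLORER)
    findings = evaluate_hashes(backup, explorer, cached)
    return {"backup_hash": backup, "explorer_hash": explorer, "cached_hash": cached,
            "findings": findings, "suspicious": bool(findings)}
```

On a live Windows host, call `check_ransom_fl_artifacts(os.path.join(os.environ["SystemRoot"], "System32"))`; the returned hashes can then be compared against a known-good explorer.exe from installation media.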
Payload
Prevents the user from accessing the desktop
Trojan:Win32/Ransom.FL displays a full-screen image that covers all other windows, rendering the computer effectively unusable. The image is a fake warning pretending to be from a legitimate institution such as the German "Bundespolizei" or the French "Gendarmerie Nationale". It demands the payment of a supposed fine. However, even if the user pays, the computer is still left unusable.
The images may appear as the following (the lock-screen images are not reproduced here).
The German text roughly translates to:
An unlawful activity has been found! Warning!!! The operating system was locked for infringement against the laws of the Federal Republic of Germany! Your IP Address is <removed>. From this IP address, sites containing pornography, child pornography, bestiality and violence against children were browsed. Your computer also has video files with pornographic content, elements of violence and child pornography. Emails with terrorist background were also spammed. This serves to lock the computer to stop your illegal activities.
The French text roughly translates to:
Warning! Your computer was blocked due to violations of the laws of France. The following crimes have been found:
- The distribution, editing or recording of pornographic material that involves underage persons.
- Spam
- Software usage that violates copyright laws
- Multimedia file sharing that violates copyright laws
Users should note that these images are part of the scare tactics the malware uses to pressure the user into paying. Paying does not unlock the computer or remove this threat, so if you are affected by this threat, it is recommended that you do not pay.
Trojan:Win32/Ransom.FL queries a legitimate IP address geolocation service to determine the country and the ISP from which the infected computer is connecting to the Internet.
Connects to remote servers
Trojan:Win32/Ransom.FL has been observed to connect to the following IP addresses:
- 91.228.<removed>.157
- 95.57.<removed>.214
Terminates processes
Trojan:Win32/Ransom.FL attempts to terminate the following processes every 100 milliseconds:
- taskmgr.exe
- procexp.exe
Analysis by Horea Coroiu
Last update 29 February 2012