
Trojan:Win32/Tobfy!mp3


First posted on 03 January 2013.
Source: Microsoft

Aliases:

Trojan:Win32/Tobfy!mp3 is also known as Trojan.Win32.Tobfy (Ikarus).

Explanation:



Installation

Trojan:Win32/Tobfy!mp3 is a component file that is contained in certain variants of the Trojan:Win32/Tobfy family of ransomware trojans, such as Trojan:Win32/Tobfy.L and Trojan:Win32/Tobfy.G.

When those trojans are run or installed on your computer, they will also drop an audio (MP3) file, detected as Trojan:Win32/Tobfy!mp3. The trojans then set the audio file to be played on a continuous loop.



Payload

Repeatedly issues an audio warning

Trojan:Win32/Tobfy!mp3 plays an audio message over your computer's speakers. The message plays repeatedly and cannot be stopped. The message states:

"FBI warning. Your computer is blocked for violation of federal law."

The message is used in conjunction with a page that covers all other windows, rendering your computer unusable. The page contains a fake warning pretending to be from a legitimate institution which demands the payment of a fine, and may be detected as Trojan:HTML/Ransom.D.

Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.

In the wild, we have observed variants of the Trojan:Win32/Tobfy family connecting to the following hosts to confirm your payment information:

  • hxxp://109.72.156.30/<removed>/lic.php
  • hxxp://193.150.0.188/<removed>/lic.php
  • hxxp://213.179.207.160/<removed>/lic.php
  • hxxp://37.230.116.119/<removed>/lic.php
  • hxxp://5.187.1.191/<removed>/lic.php
  • hxxp://64.31.17.209/<removed>/lic.php
  • hxxp://83.69.236.132/<removed>/lic.php
  • hxxp://93.190.44.239/<removed>/lic.php
  • hxxp://market-place2011.com/<removed>/lic.php
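The hosts above are the network indicator a defender can act on. The following is an added example, not part of the Microsoft entry, showing how to turn the defanged indicator list into a match over web-proxy logs. It assumes a Squid-style access.log layout (the seventh whitespace-separated field is the URL) and uses constructed sample log lines; because the directory component of each URL is redacted as `<removed>` in the advisory, the check matches on the host plus the trailing `lic.php` filename, and separately flags any other traffic to a listed host.

```python
"""Match Trojan:Win32/Tobfy payment-check traffic in proxy logs.

Added example; the indicator list is copied from the advisory, the log
format and sample lines are assumptions constructed for this demonstration.
"""
from urllib.parse import urlparse

# Defanged indicators exactly as published (hxxp:// scheme, redacted directory).
TOBFY_INDICATORS = [
    "hxxp://109.72.156.30/<removed>/lic.php",
    "hxxp://193.150.0.188/<removed>/lic.php",
    "hxxp://213.179.207.160/<removed>/lic.php",
    "hxxp://37.230.116.119/<removed>/lic.php",
    "hxxp://5.187.1.191/<removed>/lic.php",
    "hxxp://64.31.17.209/<removed>/lic.php",
    "hxxp://83.69.236.132/<removed>/lic.php",
    "hxxp://93.190.44.239/<removed>/lic.php",
    "hxxp://market-place2011.com/<removed>/lic.php",
]


def refang(indicator):
    """Restore a defanged URL to a parseable one and return (host, filename)."""
    url = indicator.replace("hxxp://", "http://")
    parsed = urlparse(url)
    # The directory is redacted in the advisory, so only the filename is usable.
    filename = parsed.path.rsplit("/", 1)[-1]
    return parsed.hostname, filename


TOBFY_HOSTS = {refang(i)[0] for i in TOBFY_INDICATORS}
TOBFY_FILENAME = "lic.php"

# Constructed sample lines in Squid access.log layout (assumption, not real traffic):
# timestamp elapsed client-ip result/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1357200000.123    245 10.0.0.15 TCP_MISS/200 512 POST http://109.72.156.30/abc/lic.php - DIRECT/109.72.156.30 text/html
1357200001.456     90 10.0.0.15 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1357200002.789    130 10.0.0.22 TCP_MISS/200 512 POST http://market-place2011.com/xyz/lic.php - DIRECT/5.6.7.8 text/html
1357200003.000    100 10.0.0.31 TCP_MISS/200 800 GET http://193.150.0.188/images/logo.png - DIRECT/193.150.0.188 image/png
"""


def classify(url):
    """Return 'high' for host + lic.php, 'medium' for any other hit on a listed host, else None."""
    parsed = urlparse(url)
    if parsed.hostname not in TOBFY_HOSTS:
        return None
    if parsed.path.rsplit("/", 1)[-1] == TOBFY_FILENAME:
        return "high"
    return "medium"


def scan_proxy_log(lines):
    """Yield (client_ip, host, severity) for every line that touches a listed host."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than guess
        client_ip, url = fields[2], fields[6]
        severity = classify(url)
        if severity:
            hits.append((client_ip, urlparse(url).hostname, severity))
    return hits


if __name__ == "__main__":
    for client, host, severity in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{severity:6} {client} -> {host}")
```

The medium-severity bucket exists because a host that serves the payment check is worth examining even when the request path does not end in `lic.php`; in a real deployment the indicator list would be loaded from a feed rather than embedded, and the client IP is the pivot back to the infected machine that needs cleaning.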

Additional information

We have observed Trojan:Win32/Tobfy!mp3 using a variety of legitimate payment and financial transfer services, including the following:

  • Green Dot MoneyPak
  • Paysafecard
  • Ukash
  • Ultimate Game Card


Note: These providers are not affiliated with Trojan:Win32/Tobfy!mp3.

If you believe you are a victim of fraud involving one of these services, you should contact them along with your local authorities.

Please also see the following Microsoft advisory for additional advice:

  • What to do if you are a victim of fraud

Related encyclopedia entries

Trojan:HTML/Ransom.D

Trojan:Win32/Tobfy

Trojan:Win32/Tobfy.L

Trojan:Win32/Tobfy.G



Analysis by Rodel Finones

Last update 03 January 2013
