Trojan:Win32/Tobfy!mp3
First posted on 03 January 2013.
Source: Microsoft
Aliases:
Trojan:Win32/Tobfy!mp3 is also known as Trojan.Win32.Tobfy (Ikarus).
Explanation:
Installation
Trojan:Win32/Tobfy!mp3 is a component file that is contained in certain variants of the Trojan:Win32/Tobfy family of ransomware trojans, such as Trojan:Win32/Tobfy.L and Trojan:Win32/Tobfy.G.
When those trojans are run or installed on your computer, they will also drop an audio (MP3) file, detected as Trojan:Win32/Tobfy!mp3. The trojans then set the audio file to be played on a continuous loop.
Payload
Repeatedly issues an audio warning
Trojan:Win32/Tobfy!mp3 plays an audio message over your computer's speakers. The message plays repeatedly and cannot be stopped. The message states:
"FBI warning. Your computer is blocked for violation of federal law."
The message is used in conjunction with a page that covers all other windows, rendering your computer unusable. The page contains a fake warning pretending to be from a legitimate institution which demands the payment of a fine, and may be detected as Trojan:HTML/Ransom.D.
Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.
Additional information
In the wild, we have observed variants of the Trojan:Win32/Tobfy family connecting to the following hosts to confirm your payment information:
We have observed Trojan:Win32/Tobfy!mp3 using a variety of legitimate payment and financial transfer services, including the following:
- Green Dot MoneyPak
- Paysafecard
- Ukash
- Ultimate Game Card
Note: These providers are not affiliated with Trojan:Win32/Tobfy!mp3.
If you believe you are a victim of fraud involving one of these services, you should contact them along with your local authorities.
Please also see the following Microsoft advisory for additional advice:
- What to do if you are a victim of fraud
Related encyclopedia entries
- Trojan:HTML/Ransom.D
- Trojan:Win32/Tobfy
- Trojan:Win32/Tobfy.L
- Trojan:Win32/Tobfy.G
Analysis by Rodel Finones
Last update 03 January 2013