by Tom Kelchner
with manual repair by The Computer Doctor
Trojan-Ransom.Win32.Winac.A
Our analyst Adam Thomas found this: a piece of ransomware that locks up Windows until you enter your credit card data.
First it claims you are running a pirated version of Windows and that your billing details are needed to activate it: “…but your credit card will NOT be charged.”
And of course that’s true.
Once you enter your credit card details, it will “activate” your “pirated” OS and make it legitimate.
In short, the Trojan locks your system and the only thing you can do is complete the "activation". You are offered two choices, "activate windows" or "do it later"; if you choose to do it later, your machine reboots.
If you go through the process of entering your data (including your credit card number), your system will work again.
Your credit card information is shipped off to a network of fast-flux bots standing by ready to receive it.
VIPRE detects it as Trojan-Ransom.Win32.Winac.A
The Manual Removal Instructions:
Kill processes: corpstats.exe, data2.exe, data3.exe, data4.exe, svchost.exe, winstart.exe, 002.exe, 004.exe, 006.exe, 007.exe, 008.exe, 009.exe
(Check the image path before killing svchost.exe: the Trojan's copy runs from C:\Windows or C:\Winnt, whereas the legitimate Windows svchost.exe runs from the System32 directory and must be left running.)
Delete registry values: HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\RunOnceEx\cleanup
(The path is reproduced as given. The RunOnceEx key that Windows actually processes at logon is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx, so if no cleanup value exists at the path above, look for it there.)
Delete files: corpstats.exe, data2.exe, data3.exe, data4.exe, svchost.exe, winstart.exe, 002.exe, 004.exe, 006.exe, 007.exe, 008.exe, 009.exe, dat1.bat
Exact file locations:
corpstats.exe - C:\Windows\System\oobe\Setup, C:\Windows\System32\oobe\Setup or C:\Winnt\System32\oobe\Setup
data2.exe, data3.exe, data4.exe, svchost.exe, winstart.exe, 002.exe, 004.exe, 006.exe, 007.exe, 008.exe, 009.exe, dat1.bat - C:\Windows or C:\Winnt
May 19, 2010
1 comment:
I was asked by one of my readers "how can I do the manual removal if my computer is already being ransomed?"
1. You could use your credit card to get past the ransom, report your card as stolen or compromised, and then use the manual removal instructions.
2. Or better yet, you could boot your computer with a Linux live CD, mount your hard drive and delete the files in the manual removal instructions, then boot into your PC normally and go through the removal instructions one more time.
Hope this helps.
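The live-CD route from the comment above, carried out against the file list in the manual removal instructions, as an added example that is not part of the original post or of the comment: a POSIX shell script that takes the mount point of the Windows volume (assumed to be already mounted read-write from the live CD, for instance with ntfs-3g) and deletes the files the instructions name. Names are matched case-insensitively because Linux lookups on an NTFS volume are case-sensitive while Windows paths are not. Only the svchost.exe directly inside the Windows directory is deleted, which is the copy the instructions point at; the legitimate one in System32 is never touched. The script and its function names are this editor's own.

```shell
#!/bin/sh
# Offline Winac.A cleanup from a Linux live CD. Added example; it is not part of
# the original post or the comment. Assumes the infected Windows volume is
# already mounted read-write (e.g. with ntfs-3g) at the directory passed as $1.

# File names exactly as given in the removal instructions.
# These sit directly in the Windows directory (C:\Windows or C:\Winnt).
WINAC_WINDIR_FILES="data2.exe data3.exe data4.exe svchost.exe winstart.exe \
002.exe 004.exe 006.exe 007.exe 008.exe 009.exe dat1.bat"
# corpstats.exe sits in <windir>\System\oobe\Setup or <windir>\System32\oobe\Setup.
WINAC_OOBE_FILE="corpstats.exe"

# locate_windir VOLUME: print the Windows directory under VOLUME (Windows or
# Winnt, matched case-insensitively because ntfs-3g lookups are case-sensitive).
locate_windir() {
    for name in Windows Winnt; do
        find "$1" -mindepth 1 -maxdepth 1 -type d -iname "$name"
    done | head -n 1
}

# remove_matches FIND_ARGS...: delete every regular file matched by find and
# report it. Paths are read line by line so a mount point with spaces is safe.
remove_matches() {
    find "$@" -print | while IFS= read -r path; do
        rm -f -- "$path" && echo "removed $path"
    done
}

# winac_cleanup VOLUME: delete the listed files. Returns 1 if VOLUME does not
# look like a Windows system volume, 0 otherwise.
winac_cleanup() {
    vol="$1"
    windir=$(locate_windir "$vol")
    if [ -z "$windir" ]; then
        echo "no Windows or Winnt directory under $vol" >&2
        return 1
    fi

    # Depth 1 only: the Trojan's svchost.exe sits in <windir> itself. The
    # legitimate <windir>\System32\svchost.exe is deeper and is never matched.
    for f in $WINAC_WINDIR_FILES; do
        remove_matches "$windir" -mindepth 1 -maxdepth 1 -type f -iname "$f"
    done

    # <windir>/<System|System32>/oobe/Setup/corpstats.exe is exactly four levels down.
    remove_matches "$windir" -mindepth 4 -maxdepth 4 -type f \
        -iname "$WINAC_OOBE_FILE" -ipath '*/oobe/setup/*'
    return 0
}

# Run when invoked with a mount point; sourcing the file only defines the functions.
if [ "$#" -ge 1 ]; then
    winac_cleanup "$1"
fi
```

Run it from the live CD as `sh winac_offline_cleanup.sh /mnt/windows` (the script name is this editor's choice). The RunOnceEx value cannot be removed this way; delete it with regedit after booting back into Windows, which is the second pass through the instructions the comment describes.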