May 19, 2010

Windows “activation” ransomware

by Tom Kelchner
with manual repair by The Computer Doctor

Trojan-Ransom.Win32.Winac.A

Our analyst Adam Thomas found this: a piece of ransomware that locks up Windows until you enter your credit card data.

First it claims you are running a pirated version of Windows and they need your billing details. “…but your credit card will NOT be charged.”

And of course that’s true.


Once you enter your credit card details, it will “activate” your “pirated” OS and make it legitimate:



Basically, the Trojan locks your system. The only thing you can do is complete the “activation”. You can choose to “activate Windows” or “do it later”. If you choose to do it later, your machine reboots.

If you go through the process of entering your data (including your credit card number), then your system will work again.



Your credit card information is shipped off to a network of fast-flux bots standing by ready to receive it.



VIPRE detects it as Trojan-Ransom.Win32.Winac.A


The manual removal instructions:

Kill processes: corpstats.exe, data2.exe, data3.exe, data4.exe, svchost.exe, winstart.exe, 002.exe, 004.exe, 006.exe, 007.exe, 008.exe, 009.exe

Note that svchost.exe is also the name of a legitimate Windows process, and the real one runs from System32. The copy to kill is the one running from C:\Windows or C:\Winnt, so check each process's path before ending it.

Delete registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\RunOnceEx\cleanup

Delete files: corpstats.exe, data2.exe, data3.exe, data4.exe, svchost.exe, winstart.exe, 002.exe, 004.exe, 006.exe, 007.exe, 008.exe, 009.exe, dat1.bat

Exact file locations:
corpstats.exe: C:\Windows\System\oobe\Setup, C:\Windows\System32\oobe\Setup or C:\Winnt\System32\oobe\Setup
data2.exe, data3.exe, data4.exe, svchost.exe, winstart.exe, 002.exe, 004.exe, 006.exe, 007.exe, 008.exe, 009.exe, dat1.bat: C:\Windows or C:\Winnt



1 comment:

Unknown said...

I was asked by one of my readers "how can I do the manual removal if my computer is already being ransomed?"

1. You could use your credit card to get past the ransom, report your card as stolen or compromised, and then use the manual removal instructions.

2. Or, better yet, you could boot your computer with a Linux live CD, mount your hard drive and delete the files in the manual removal instructions, then boot into your PC normally and go through the removal instructions one more time.

Hope this helps.
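The live-CD route from the comment above, worked through as an added example (this is not code from the original post or its commenter): a POSIX shell script that, given the mount point of the infected Windows volume, deletes the files in the post's manual removal list and nothing else. It assumes the volume has already been mounted read-write with ntfs-3g (the device and mount point in the comments are placeholders), that the dropped svchost.exe is the copy in the Windows root as the post states (the legitimate one in System32 is left alone), and that none of the paths contain whitespace. The RunOnceEx registry value cannot be cleared this way; remove it after the machine boots normally, as the comment says.

```shell
#!/bin/sh
# Offline removal of the Winac.A file drop from a Linux live CD.
# Added example, not from the original post. Assumes the infected NTFS
# volume is already mounted read-write, for instance:
#     ntfs-3g /dev/sda1 /mnt/win        # device and mount point are placeholders
# and that clean_winac is given that mount point. File names and locations
# are the ones in the post's manual removal list; nothing else is touched.
# Paths are assumed to contain no whitespace.

# Files dropped directly in C:\Windows (or C:\Winnt).
WINAC_ROOT_FILES="data2.exe data3.exe data4.exe svchost.exe winstart.exe 002.exe 004.exe 006.exe 007.exe 008.exe 009.exe dat1.bat"

# Locate the Windows directory under the mount point regardless of case
# (NTFS is case-insensitive, but ntfs-3g shows the stored spelling).
find_windir() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \( -iname windows -o -iname winnt \) | head -n 1
}

# Remove every listed file found directly in the Windows directory and print
# how many were removed. The dropped svchost.exe sits here; the legitimate
# svchost.exe in System32 is never touched because the search does not descend.
remove_root_files() {
    windir="$1"; n=0
    for name in $WINAC_ROOT_FILES; do
        for f in $(find "$windir" -mindepth 1 -maxdepth 1 -type f -iname "$name"); do
            rm -f "$f" && n=$((n + 1))
        done
    done
    echo "$n"
}

# corpstats.exe lives in <windir>\System\oobe\Setup or <windir>\System32\oobe\Setup,
# i.e. exactly four levels below the Windows directory, under an oobe/Setup path.
remove_corpstats() {
    windir="$1"; n=0
    for f in $(find "$windir" -mindepth 4 -maxdepth 4 -type f -iname corpstats.exe \
                -ipath "*/oobe/setup/*"); do
        rm -f "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Entry point: prints the total number of files removed; fails (exit 1) when
# no Windows or Winnt directory exists under the given mount point.
clean_winac() {
    windir=$(find_windir "$1")
    if [ -z "$windir" ]; then
        echo "no Windows or Winnt directory under $1" >&2
        return 1
    fi
    a=$(remove_root_files "$windir")
    b=$(remove_corpstats "$windir")
    echo $((a + b))
}

# Usage when run as a script:  sh clean_winac.sh /mnt/win
if [ "$#" -eq 1 ]; then
    clean_winac "$1"
fi
```

Run it against the mount point only, never against `/`: the script relies on finding a `Windows` or `Winnt` directory one level below the path it is given, and on the Windows root, not System32, being where the dropped svchost.exe lives. After it reports the count, unmount the volume, boot Windows normally and finish the post's removal steps (the RunOnceEx value, and a second pass over the file list in case anything was recreated).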
