Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2012
    S M T W T F S
    « Mar   May »
    1234567
    891011121314
    15161718192021
    22232425262728
    2930  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Archive for April 12th, 2012




    We encountered a ransomware unlike other variants that we have seen previously. A typical ransomware encrypts files or restricts user access to the infected system. However, we found that this particular variant infects the Master Boot Record (MBR), preventing the operating system from loading. Based on our analysis, this malware copies the original MBR and overwrites it with its own malicious code. Right after performing this routine, it automatically restarts the system for the infection to take effect. When the system restarts, the ransomware displays the following message:

    This message prompt informs affected users that the PC is now blocked and that they should pay 920 hryvnia (UAH) via QIWI to a purse number (12 digits) – 380682699268. Once paid,they will receive a code that will unlock the system. This code will supposedly resume operating system to load and remove the infection. This particular variant has the “unlock code” in its body. When the unlock code is used, the MBR routine is removed.

    Trend Micro detects this ransomware as TROJ_RANSOM.AQB and the infected MBR as BOOT_RANSOM.AQB.

    Read the rest of this entry »

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice