Trojan.Ransomlock.P
Trojan.Ransomlock.P Description
Trojan.Ransomlock.P is a ransom Trojan that locks the desktop of the affected computer, making the PC unusable, and then asks the PC user to pay a ransom of 100 Euro to unlock the computer. Once executed, Trojan.Ransomlock.P creates several malicious files. Next, it modifies the registry by creating an entry so that it can run automatically whenever Windows starts. Trojan.Ransomlock.P also creates and modifies several registry entries in order to disable Registry Editor, Windows Task Manager, and System Configuration. Then, Trojan.Ransomlock.P contacts the domain [http://]ogutors-free.com/[REMOVED] and downloads an HTML page that includes ransom information. The page gives details about the ransom and offers a way for the PC user to enter an unlock code that can be received after paying the ransom by making an online transaction via Paysafecard or Ukash.
Aliases
- Trj/Dtcontx.D [Panda]
- W32/Injector.ZVR!tr [Fortinet]
- Win32/LockScreen.AKU [ESET-NOD32]
- Trojan.Ransomlock.F!rem [PCTools]
- Artemis!AAC73468E7E5 [McAfee-GW-Edition]
- Heur.Suspicious [Comodo]
- Mal/EncPk-AGD [Sophos]
- UDS:DangerousObject.Multi.Generic [Kaspersky]
- TROJ_GEN.R47H1DM [TrendMicro-HouseCall]
- Suspicious_Gen4.DQHSR [Norman]
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
- The following files were created in the system:
| # | File Name | Detection Count |
|---|-----------|-----------------|
| 1 | decrypted_file.exe | 461 |
| 2 | file.exe | 73 |
| 3 | Rechnung.exe | 66 |
| 4 | %USERPROFILE%\rundll32.exe | 16 |
| 5 | %UserProfile%\Application Data\[10 RANDOM CHARACTERS]\[20 HEXADECIMAL NUMBERS].exe | N/A |
| 6 | %Temp%\[10 RANDOM CHARACTERS].pre | N/A |
| 7 | %Temp%\[10 RANDOM CHARACTERS].pre | N/A |
| 8 | %System%\[20 HEXADECIMAL NUMBERS].exe | N/A |
Registry Modifications
Tutorial: To edit and delete registry entries manually, read the tutorial on how to remove malicious registry entries.
Tip & Warning: Editing and removing the wrong registry keys can severely damage your PC, so remember to back up your Windows Registry! To optimize your Windows Registry and speed up your PC, download RegHunter's registry cleaner.
- The following Registry values were newly created:
HKEY..\..\{Value}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegedit" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\[10 RANDOM CHARACTERS]\[20 HEXADECIMAL NUMBERS].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\"Debugger" = "P9KDMF.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\"Debugger" = "P9KDMF.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\"Debugger" = "P9KDMF.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableRegedit" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = "1"
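A triage check for the registry changes listed above, as an added example that is not part of the original write-up: it parses `reg export` text and flags the tool-disabling policy values, `Debugger` entries under Image File Execution Options for msconfig.exe, regedit.exe and taskmgr.exe, and `Run` entries whose target matches the listed path shape. The sample export, the finding labels and all function names are constructed for illustration.

```python
import re
# Constructed sample in `reg export` (.reg) text form; not taken from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"kqzrwtpl"="C:\\Documents and Settings\\u\\Application Data\\abcdefghij\\0123456789ABCDEF0123.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="P9KDMF.EXE"
'''

POLICY_VALUES = {"disableregedit", "disableregistrytools", "disabletaskmgr"}
GUARDED_TOOLS = {"msconfig.exe", "regedit.exe", "taskmgr.exe"}
POLICY_KEY = re.compile(r"\\currentversion\\policies\\system$", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run$", re.I)
IFEO_KEY = re.compile(r"\\image file execution options\\([^\\]+)$", re.I)
# Run target shaped as the page lists it: Application Data\<10 chars>\<20 hex>.exe
RUN_TARGET = re.compile(r"\\application data\\[^\\]{10}\\[0-9a-f]{20}\.exe$", re.I)
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, data) tuples from .reg export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):
            # Undo .reg backslash escaping and drop the quotes around string data.
            data = m.group(2).replace("\\\\", "\\").strip('"')
            yield key, m.group(1), data

def is_set(data):
    """True for a non-zero value, stored as dword:00000001 or as the string 1."""
    d = data.lower()
    return int(d[6:], 16) != 0 if d.startswith("dword:") else d.strip() not in ("", "0")

def audit(text):
    """Return (finding, key, detail) for each entry matching the listed changes."""
    findings = []
    for key, name, data in parse_reg(text):
        ifeo = IFEO_KEY.search(key)
        if POLICY_KEY.search(key) and name.lower() in POLICY_VALUES and is_set(data):
            findings.append(("tool-disabled-by-policy", key, name))
        elif ifeo and ifeo.group(1).lower() in GUARDED_TOOLS and name.lower() == "debugger":
            findings.append(("ifeo-debugger-hijack", key, data))
        elif RUN_KEY.search(key) and RUN_TARGET.search(data):
            findings.append(("suspicious-run-entry", key, name))
    return findings
```

`reg export` writes UTF-16 files, so decode the export to text before passing it to `audit()`.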
Additional Information
- The following messages were detected:
| # | Message |
|---|---------|
| 1 | 'Welcome to Windows Update You have been infected with a Windows Verschlusselungs Trojans. For security reasons your Windows system was blocked. Your visit to pages with pornographic content has led to the ransom Trojan infection. This virus encrypts your hard drive with a 256 bit AES Key and a standardized self-ended decryption is not feasible.' |
| 2 | 'Willkommen bei Windows Update Sie haben sich mit einem Windows-Verschlusselungs Trojaner infiziert. Aus Sicherheitsgrunden wurde lhr Windows system blockiert. Das Besuchen von Seiten mit pornografischen und infizierten Inhalten hat dazu gefuhrt, das lhr System von einem Computerverschlusselungstrojaner befallen wurde. Dieses Virus verschlusselt Ihre Festplatte mit einem 256 Bit AES Shlussel und eine selbststandige Entschlusselung ist nicht mehr machbar.' |
Posted: May 23, 2012 | By SpywareRemove
Threat Level: 9/10
Detection Count: 108


