
Ransom-AAY.gen.b

By Domesticus in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 4
First Seen: December 28, 2012
OS(es) Affected: Windows

Ransom-AAY.gen.b is a police ransomware Trojan with dozens of variants, all of which run the same basic scam. Ransom-AAY.gen.b blackmails computer users by making them believe they must pay a fine for a supposed offense on their part. To do this, Ransom-AAY.gen.b blocks access to the infected computer and covers the desktop with a full-screen message claiming that the victim's computer was blocked by the police.

Ransom-AAY.gen.b variants are highly localized and will often impersonate the police force corresponding to the victim's country. Typically, Trojan droppers associated with Ransom-AAY.gen.b variants will detect the victim's IP address and then install a variant of a Ransom-AAY.gen.b Trojan that corresponds to the victim's geographical location. Once installed, the Ransom-AAY.gen.b Trojan makes certain changes to the Windows Registry that allow Ransom-AAY.gen.b to do the following:

  1. Ransom-AAY.gen.b variants disable the Task Manager in order to prevent computer users from bypassing the full screen ransom message.
  2. Ransom-AAY.gen.b will also lock its full screen window, preventing computer users from moving it or closing it in order to gain access to their Desktop.
  3. Ransom-AAY.gen.b will also disable the Taskbar, the Start Menu and other essential Windows components.

Since Ransom-AAY.gen.b changes the Windows Registry to ensure that Ransom-AAY.gen.b loads automatically whenever the victim starts up the infected operating system, Ransom-AAY.gen.b effectively prevents the computer user from using their own computer.

The Ransom-AAY.gen.b ransom note requests the payment of a penalty in order to regain control of the infected computer. However, ransomware Trojans in the Ransom-AAY.gen.b family will not be disabled by paying their 'fine.' Because of this, ESG security researchers strongly recommend against following the instructions in the ransom message, even if you are in a hurry to regain control of your computer. One of the aspects that make Ransom-AAY.gen.b unique in relation to other ransomware families is that Ransom-AAY.gen.b uses a web browser window to display its malicious message. This window is modified to fill the whole screen and prevent the victim from accessing any content on their computer. Although the default versions of Ransom-AAY.gen.b use Internet Explorer by means of a malicious DLL file, ESG security researchers have observed variants that use other web browsers already installed on the victim's computer (such as Chrome or Firefox).

Aliases

14 security vendors flagged this file as malicious.

Anti-Virus Software   Detection
Panda                 Trj/OCJ.A
Fortinet              W32/Kryptik.ALTS!tr
Ikarus                Trojan-Ransom.Win32.Foreign
AhnLab-V3             Dropper/Win32.Injector
Sophos                Troj/Swisyn-AW
McAfee-GW-Edition     GenericTRA-BJ!52B9B8BC9042
AntiVir               TR/Graftor.44588
Comodo                UnclassifiedMalware
BitDefender           Gen:Variant.Graftor.44588
Kaspersky             Trojan-Dropper.Win32.Injector.fvyp
Avast                 Win32:Dropper-gen [Drp]
Symantec              Trojan.Gen.2
K7AntiVirus           Trojan
McAfee                Ransom-AAY.gen.b


File System Details

Ransom-AAY.gen.b may create the following file(s):
#    File Name                                                    MD5                               Detections
1.   notepad.dll                                                  52b9b8bc9042bee1ff7ddf3b81f59570  4
2.   [startup folder]\[RANDOM FILENAME].dll
3.   Lock.dll
4.   [STARTUP FOLDER]\runctf.lnk
5.   %ALLUSERSPROFILE%\Application Data\[RANDOM FILENAME].[dll]
6.   [startup folder]\[RANDOM FILENAME].dll.lnk
7.   [RANDOM FILENAME].dll.lnk
8.   ca345ca28cacd612f7010f60707c4270.DLL                         ca345ca28cacd612f7010f60707c4270  0
9.   http_revt_20121120-10-20                                     96578f08ae75e5d87eac002c116569e2  0
10.  42da9279b305806ea9ea79880ada9166                             42da9279b305806ea9ea79880ada9166  0

Registry Details

Ransom-AAY.gen.b may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar "Locked" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones "1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 "1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "NoProtectedModeBanner" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 "1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 "1609" = "0"
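As an added example (not from this page or its vendor), the following Python check parses a text dump produced by `reg export HKCU` and reports which of the registry values listed above are set to the values the Trojan uses, turning the behaviour described earlier (Task Manager disabled, locked browser window) into a triage step for an offline registry export. The sample export is constructed; the meaning of value 1609 (Internet Explorer's "Display mixed content" zone action) is standard IE zone policy, not something stated on the page.

```python
import re

# Indicators from this page's Registry Details (HKCU). 1609 = IE "Display mixed content"; 0 = allow.
ZONES = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
INDICATORS = {
    (r"Software\Microsoft\Internet Explorer\Toolbar", "Locked"): 1,
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    (r"Software\Microsoft\Internet Explorer\Main", "NoProtectedModeBanner"): 1,
    (ZONES, "1609"): 0,
    **{(ZONES + "\\" + str(z), "1609"): 0 for z in range(1, 5)},
}

KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')

def _decode(raw):
    """dword:XXXXXXXX -> int; "text" -> text; other .reg value types are left as written."""
    return int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')

def parse_hkcu_export(text):
    """Parse `reg export HKCU` output into {(subkey, value name): value}, case-folded."""
    values, key = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
        elif line.startswith("["):          # a key under another hive: skip its values
            key = None
        elif key is not None and (m := VAL_RE.match(line)):
            values[(key, m.group(1).lower())] = _decode(m.group(2))
    return values

def find_indicators(text):
    """Page-listed (subkey, name) pairs set to the Trojan's value. Zone 1609 hits alone are
    weak evidence, since administrators also change zone policy; weigh them with the rest."""
    values = parse_hkcu_export(text)
    return sorted((k, n) for (k, n), v in INDICATORS.items()
                  if values.get((k.lower(), n.lower())) == v)

# Constructed sample export (not a capture): Task Manager disabled, IE toolbar locked and
# mixed content allowed in the Internet zone (3); "1601" is unrelated zone noise.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601"=dword:00000000
"1609"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
"Locked"=dword:00000001
"""
```

Running `find_indicators(SAMPLE_EXPORT)` on the constructed dump returns the three matching (subkey, value name) pairs; a clean export yields an empty list.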
