
Trojan.Winlock.7372

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 10
First Seen: November 29, 2012
Last Seen: January 28, 2023
OS(es) Affected: Windows


Trojan.Winlock.7372 is a Winlocker, a screen-locking ransomware Trojan, that targets computers located in the United States. Malware analysts have issued a security alert concerning this Winlocker. Trojan.Winlock.7372 is a variant of the Winlocker ransomware that was widespread in the Russian Federation only a short time earlier. It differs from common police ransomware Trojans in that the ransom message and its images are not shipped inside the infection as local files. Instead, Trojan.Winlock.7372 connects to a remote server and displays a web page served from it as the ransom message, which lets the criminals change the message quickly without redeploying the Trojan. Trojan.Winlock.7372 targets computers outside the Russian Federation and specifically attacks computers whose IP address is located in the United States of America.

Ransomware has existed in some form since 2005, mostly confined to the Russian Federation and Eastern Europe. In 2011, ransomware similar to Trojan.Winlock.7372 began infecting computers in Western Europe, and in 2012 the first variants targeting computers in the United States of America and Canada appeared. Trojan.Winlock.7372 is one of these variants. Its structure, however, differs from that of other ransomware: by connecting to a malicious server, Trojan.Winlock.7372 fetches its content from the Internet and uses an ordinary web page as its lock screen.

When installed, Trojan.Winlock.7372 adds a Windows Registry Run entry so that it starts automatically at logon, and it terminates other running programs and processes. Trojan.Winlock.7372 can stop most Windows services and common applications, effectively blocking access to the infected computer. It also disables the Windows Firewall by setting the firewall profile's EnableFirewall value to 0. Finally, Trojan.Winlock.7372 displays a full-screen window containing its ransom note: a web page with a fake message from the police demanding payment of a two hundred dollar ransom via MoneyPak, a prepaid payment service used in North America. Paying this ransom will do nothing to remove Trojan.Winlock.7372 from your computer. Instead, Trojan.Winlock.7372 should be removed using a fully updated anti-malware application.

File System Details

Trojan.Winlock.7372 may create the following file(s). Both are entries in the Internet Explorer (WinINet) cache, which is consistent with the lock screen being fetched from a remote server rather than dropped as a local file; the eight-character subdirectory names under Content.IE5 are generated randomly for each cache and will differ from machine to machine. The original table's Detections column carries no values for these files.
# File Name
1. %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\picture[1].php
2. %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\getunlock[1].php

Registry Details

Trojan.Winlock.7372 may create the following registry entries. The first disables the Windows Firewall for the standard profile (EnableFirewall is a DWORD set to 0); the second is the autostart entry, whose value name imitates a Microsoft component:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile 'EnableFirewall' = '00000000'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 'Microsoft Updater' = '"Full path to virus"'
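The two registry changes above are the indicators a responder can check offline. The following Python script is added here as an illustration; it is not part of this entry or of any vendor tool. It parses a `reg export` of HKLM\SYSTEM and HKLM\SOFTWARE taken from a suspect host or mounted image and flags a firewall profile with EnableFirewall set to 0, plus Run entries that either carry this Trojan's value name or launch from outside Program Files and Windows. It also reads HKLM\SYSTEM\Select\Current, because an EnableFirewall=0 under ControlSet001 only matters if ControlSet001 is the control set the machine actually booted from. The embedded export is constructed; the dropped executable's name and location in it are assumptions, since the page only gives "Full path to virus".

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg export` produces for the keys listed in this
# entry on an infected XP-era host. The dropped binary's path and name are an
# assumption (the page only says "Full path to virus"). ControlSet002 and the
# SoundMAX entry are benign controls that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Updater"="\"C:\\Documents and Settings\\user\\Application Data\\msupdater.exe\""
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
FIREWALL_RE = re.compile(
    r'^HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)'
    r'\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\(\w+Profile)$', re.I)
RUN_RE = re.compile(
    r'^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows'
    r'\\CurrentVersion\\Run(Once)?$', re.I)
# Autostart entries launching from these directories are not suspicious by themselves.
TRUSTED_DIRS = ('c:\\program files', 'c:\\windows')
# Value name used by this Trojan's Run entry, per the registry details above.
KNOWN_RUN_NAMES = {'microsoft updater'}

Finding = Tuple[str, str, str]


def unescape(s: str) -> str:
    """Undo .reg escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def decode_value(data: str):
    """Decode dword and quoted-string values; leave hex:/binary data raw."""
    if data.startswith('dword:'):
        return int(data[6:], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return unescape(data[1:-1])
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key_path: {value_name: value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = decode_value(m.group(2))
    return keys


def active_control_set(keys: Dict[str, Dict[str, object]]) -> str:
    r"""Name the live ControlSet00N from HKLM\SYSTEM\Select\Current ('' if unknown)."""
    n = keys.get(r'HKEY_LOCAL_MACHINE\SYSTEM\Select', {}).get('Current')
    return 'ControlSet%03d' % n if isinstance(n, int) else ''


def command_path(cmd: str) -> str:
    """Extract the executable path from a Run value (quoted or bare)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd


def find_indicators(keys: Dict[str, Dict[str, object]]) -> List[Finding]:
    """Return (kind, name, detail) for each indicator present in the parsed export."""
    findings: List[Finding] = []
    active = active_control_set(keys).lower()
    for key, values in keys.items():
        m = FIREWALL_RE.match(key)
        if m:
            cs, profile = m.group(1), m.group(2)
            if values.get('EnableFirewall') == 0:
                live = cs.lower() in (active, 'currentcontrolset')
                findings.append(('firewall_disabled', cs + '\\' + profile,
                                 'active control set' if live else 'inactive control set'))
            continue
        if RUN_RE.match(key):
            for name, cmd in values.items():
                if not isinstance(cmd, str):
                    continue
                path = command_path(cmd)
                if name.lower() in KNOWN_RUN_NAMES:
                    findings.append(('run_entry', name, 'Trojan.Winlock.7372 value name: ' + path))
                elif not path.lower().startswith(TRUSTED_DIRS):
                    findings.append(('run_entry', name, 'autostart outside trusted dirs: ' + path))
    return findings


def scan_reg_file(path: str) -> List[Finding]:
    """reg.exe writes UTF-16 with a BOM; the utf-16 codec honours the BOM."""
    with open(path, encoding='utf-16') as fh:
        return find_indicators(parse_reg(fh.read()))


if __name__ == '__main__':
    for kind, name, detail in find_indicators(parse_reg(SAMPLE_REG)):
        print(f'{kind:18} {name:32} {detail}')
```

On a live host, export the hives with `reg export HKLM\SYSTEM system.reg` and `reg export HKLM\SOFTWARE software.reg` and pass each file to `scan_reg_file`. The firewall check reports a disabled profile in a non-booted control set separately, since that value is stale rather than a sign of an active infection.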
