Trojan.Ransom
Posted: April 18, 2011
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 21 |
| First Seen: | January 19, 2011 |
| OS(es) Affected: | Windows |
Trojan.Ransom is a broad subtype of Trojan infection that locks up major functions on your PC to hold the computer for ransom. After you spend an arbitrary amount of money on an unlock code, Trojan.Ransom will allow your PC to function normally once more. Some versions of Trojan.Ransom are known for encrypting specific types of documents instead, preventing you from accessing certain file types until you pay for the decryption software. However, giving your money to thieves is completely unnecessary – there are many free anti-malware utilities to undo this damage and delete Trojan.Ransom without you needing to pay even a single cent!
Noticing a Trojan.Ransom Infection
Most forms of Trojan.Ransom are painfully easy to see, since their entire purpose relies on user recognition. If Trojan.Ransom fails to perform its primary functions for one reason or another, it may simply remain as a passive background process that can cause your CPU usage to spike heavily at random moments.
However, if Trojan.Ransom does trigger its main harmful functions, you'll see some of these signs:
- Trojan.Ransom will change your desktop image to a threatening message. One example begins with the following line:
'Semi-sincere apologies! Your files have been encrypted with 256-bit encryption. Unlock price 100$'
Other versions of Trojan.Ransom may create an image that threatens your PC with viruses or police action against supposedly unlawful acts (usually accusations of downloading pornography). You should ignore these threats and suggestions; following any advice given by Trojan.Ransom will only endanger your finances, your computer, and even your identity. In some instances, Trojan.Ransom may take a tactic from the malware playbook and pretend to be a security program like 'Microsoft Security Antivirus' or 'System Security Antivirus.'
- Some types of Trojan.Ransom will refuse to let your PC boot into Windows at all. Instead, these kinds of Trojan.Ransom infections will stop you at a blue error screen (the well-known 'Blue Screen of Death'). This error screen will show a message similar to that shown in the desktop as noted above.
- Trojan.Ransom may also encrypt various documents to prevent you from accessing them until you've paid the ransom fee. This is most often found in older 2009 variants of Trojan.Ransom. Affected files can include Word documents, Notepad text files, MS Access files, jpg picture files and other common formats. It's important to remember that the encryption process doesn't harm these files - it just prevents you from accessing them, a problem which can be fixed without playing into Trojan.Ransom's hands.
- Lastly and most importantly, Trojan.Ransom will disable a variety of applications. Anti-virus and other anti-malware applications are the most probable targets, but Trojan.Ransom may disable virtually everything on your PC in its attempt to get you to pay the ransom.
Freeing Yourself from Trojan.Ransom
Although losing so many functions from your PC may leave you feeling hopeless, you should never pay the ransom to get an unlock code; doing so exposes your credit card to other fraudulent charges and exposes you to identity theft. The current popular variant of Trojan.Ransom can be unlocked for free by using the following codes in succession:
'CO40927445'
'720194320Q'
Other codes are also freely available for obscure versions of Trojan.Ransom infections. Encrypted files and similar problems can have their changes reverted by running an anti-Trojan.Ransom utility. If you can't access the utility or other necessary security programs, switching to Safe Mode will let you start Windows without Trojan.Ransom starting up in many cases.
Removing Trojan.Ransom is a task that should be saved for high-level experts in computer repair or for a good anti-malware application. Trojans like Trojan.Ransom are also able to download other types of malware and may make other malicious changes to your system; because of this, you should be careful to scan your entire PC for any related threats and revert all security changes to re-secure your computer against further attack.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:
contacts.exe
File name: contacts.exe
Size: 245.76 KB (245760 bytes)
MD5: dcc4501e3348c4665391ff126d7c2fb1
Detection count: 81
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 10, 2011
info[1].exe
File name: info[1].exe
Size: 132.6 KB (132608 bytes)
MD5: 270b8ce04a9f55809938430a2fe6bb47
Detection count: 54
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 21, 2011
%APPDATA%\7B19.exe
File name: 7B19.exe
Size: 58.75 KB (58756 bytes)
MD5: 843247f84615f30bc9fdbe1e074acc24
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: April 29, 2013
%SystemDrive%\Users\<username>\AppData\Roaming\ldr.mcb
File name: ldr.mcb
Size: 171 KB (171008 bytes)
MD5: f3b519a1b7d8f7111a2a0ba1f5674e38
Detection count: 9
Mime Type: unknown/mcb
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: February 25, 2013
%PROGRAMFILES(x86)%\Google Update\taskmgr.exe
File name: taskmgr.exe
Size: 450.56 KB (450560 bytes)
MD5: de095d328199bb85a6d542a7dceacfae
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %PROGRAMFILES(x86)%\Google Update
Group: Malware file
Last Updated: September 1, 2011
%SystemDrive%\Documents and Settings\customer\Application Data\{12046F67-6E6A-00EB-7447-FF0C3D6FBD2E}.exe
File name: {12046F67-6E6A-00EB-7447-FF0C3D6FBD2E}.exe
Size: 396.28 KB (396288 bytes)
MD5: 322bc1ddf691b8a9f7815ac1f4b9e9b7
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Documents and Settings\customer\Application Data
Group: Malware file
Last Updated: April 16, 2013
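The file listing above can be checked against a disk with a short script. The following is an added example, not part of the original page or of SpyHunter: it walks the directories named in the listing, filters candidates by the listed byte size, and reports only files whose MD5 also matches. The names PAGE_IOCS, PAGE_DIRS, md5_of and scan are assumptions made for this sketch.

```python
import hashlib
import os

# (size in bytes, MD5) -> file name, copied from the listing above.
PAGE_IOCS = {
    (245760, "dcc4501e3348c4665391ff126d7c2fb1"): "contacts.exe",
    (132608, "270b8ce04a9f55809938430a2fe6bb47"): "info[1].exe",
    (58756, "843247f84615f30bc9fdbe1e074acc24"): "7B19.exe",
    (171008, "f3b519a1b7d8f7111a2a0ba1f5674e38"): "ldr.mcb",
    (450560, "de095d328199bb85a6d542a7dceacfae"): "taskmgr.exe",
    (396288, "322bc1ddf691b8a9f7815ac1f4b9e9b7"): "{12046F67-6E6A-00EB-7447-FF0C3D6FBD2E}.exe",
}

# Directories named in the listing; a variable that is not set stays unexpanded and is skipped.
PAGE_DIRS = ["%APPDATA%", "%PROGRAMFILES(x86)%\\Google Update"]


def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.md5()  # MD5 only because that is what the listing publishes
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(roots, iocs=PAGE_IOCS):
    """Return sorted (path, listed_name) pairs for files matching a listed size and MD5."""
    sizes = {size for size, _ in iocs}
    hits = []
    for root in roots:
        for folder, _dirs, files in os.walk(os.path.expandvars(root)):
            for name in files:
                path = os.path.join(folder, name)
                try:
                    size = os.path.getsize(path)
                    if size not in sizes:   # cheap pre-filter before hashing
                        continue
                    key = (size, md5_of(path))
                except OSError:             # locked or unreadable file: skip it
                    continue
                if key in iocs:
                    hits.append((path, iocs[key]))
    return sorted(hits)


if __name__ == "__main__":
    for path, listed in scan(PAGE_DIRS):
        print(f"MATCH {path} (listed as {listed})")
```

Matching is by content rather than by name, so a renamed copy is still reported, while a legitimate file that merely shares a name such as taskmgr.exe is not.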