Another ransom trojan type is born

If you are reading this article, you already know what ransom trojans are: they lock your computer until you pay some money, the ransom, generally through an SMS service. But an “inventive” guy has thought of another kind of ransom: completing an offer through a custom referral link. This is the “advertising trojan”. He created a malware program with all the features of a ransom trojan; it is a trojan builder in which anybody can choose to disable the victim’s Task Manager, to hide the Task Bar or to run the trojan at startup.

[Image: another ransom trojan]

After infecting a computer, a window covering the whole screen, containing a kind of web browser and a message, is shown:

[Image: offer window]

To sum up, the result of the building process is a computer trojan that takes over your PC until you enter the code you received after completing the offer. Put simply, it renders the computer unusable, forcing users to complete offers against their will. The trojan is named “Infinity Desktop Gateway” and its author offers the builder for download on several legitimate forums.

From the trojan author’s topic:

What is it?
You have your content locking gateways to lock websites, as I’m sure you know. Well, this enables you to lock users’ computers. They open the program and it locks their computer and forces them to complete an offer to get their computer back.

Options -
Disable task manager – if they try to start the task manager (to end the process) it doesn’t work
Hide Taskbar – the “start bar” / taskbar, where the start icon is, and the time is, this option hides that.
Run on start (filename) – runs on the startup of the user’s computer
Delays execution (0 for immediately) – you can delay the execution of the program in seconds, so if you put ‘10’ in the box, it will delay the execution of the program for 10 seconds.

What do you need to do to run / use the program?
a URL to a gateway you have hosted somewhere, ex: http://mysite.com/gateway.html

a way to get ‘installs’, aka getting the program run on users’ computers.

Why is this program for free?
Because my gateway will show up on the computer 1/4th (25%) of the time.

This malware is written in Visual Basic 6 and it is not yet encrypted, because its signature still has a low detection rate on virustotal.com: 4/43 (9.3%). That result is for the trojan builder; the trojan itself has an even lower detection rate, 3/42 (7.1%), see the result page.

Let’s look at a few of the trojan’s properties:

  • The builder is 56 KB in size, MD5: 1A50B2E42E14C025EF3EABDFF98EACAE;
  • The trojan is 32 KB in size;
  • Once started, its window stays “foreground most” (always on top), making it impossible to use any other program, for example to kill the process;
  • The Ctrl+Alt+Delete key combination cannot be used to bring up the Task Manager;
  • By adding a copy of itself, under a custom chosen name, to the Startup folder (C:\Documents and Settings\%username%\Start Menu\Programs\Startup on Windows XP, or C:\users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows 7) it is able to start automatically;
  • The trojan does its job by looking for the Task Bar and Task Manager windows and destroying them. Some native APIs are used: “SetWindowLongA”, “FindWindowA”, “SetWindowPos”, “GetWindowLongA”;
  • The “offer gateway” of the trojan creator is http://theabcofphoto.com/G/zjq.html

Though at this early stage of development this ransom trojan seems to be more of a kid’s creation, it can cause a lot of trouble for users who are not tech savvy, and if its development goes further it will become a more serious problem. The idea behind it is interesting because, most likely, a lot of users would be tempted to quickly complete an offer to regain access to their computer.

But how do you get rid of this ransom trojan? Well, funnily enough, while I was thinking of a method to regain access to the Task Manager in order to kill the trojan process, my 10-year-old kid found the solution: he simply used the Alt+F4 key combination and killed the malicious process instantly. Having regained access to the desktop, I was able to delete the trojan file copy from the Startup folder, and after a reboot everything reverted to normal. That’s all there is to removing this ransom trojan variant.
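The Startup-folder persistence listed above and the manual clean-up just described can be checked with a small triage script. This is an added example, not code from the original post: it lists every file carrying a PE (“MZ”) header in the per-user Startup folders named in the article, whatever name the trojan copy was given, and labels the builder’s MD5 quoted above; the trojan’s own hash is not on the page, so any other executable is simply reported for review.

```python
import hashlib
import os
from pathlib import Path

# Builder MD5 from the article; the trojan's hash is not given, so any PE in Startup is reported.
KNOWN_MD5 = {"1a50b2e42e14c025ef3eabdff98eacae": "AdsLock builder (Constructor:Win32/AdsLock.A)"}

# Per-user Startup folder locations from the article (Windows XP and Windows 7).
STARTUP_DIRS = [
    r"C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup",
    r"C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
]

def is_pe_file(path):
    """True if the file starts with the 'MZ' DOS header, whatever its extension."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_startup_dir(directory):
    """Return (path, size, md5, label) for every PE file in one Startup folder.
    .lnk shortcuts and desktop.ini are skipped naturally: they carry no MZ header."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file() and is_pe_file(entry):
            digest = md5_of(entry)
            label = KNOWN_MD5.get(digest, "unknown executable in Startup, review and remove")
            findings.append((str(entry), entry.stat().st_size, digest, label))
    return findings

def scan_all(dirs=STARTUP_DIRS):
    """Scan every Startup folder that exists on this machine (%USERNAME% expanded)."""
    results = []
    for d in dirs:
        d = os.path.expandvars(d)
        if os.path.isdir(d):
            results.extend(scan_startup_dir(d))
    return results

if __name__ == "__main__":
    print(*scan_all(), sep="\n")
```

Run it from the locked-out user’s account once the window has been closed; anything it lists is what the removal step above deletes before rebooting.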

Edit: According to the Microsoft Malware Protection Center, this malware now has a name:

Constructor:Win32/AdsLock.A for the trojan builder and

Trojan:Win32/AdsLock.A for the trojan itself

Keep safe!
