Analysis by: Roland Marco Dela Paz
ALIASES:

Trojan:Win32/Ransom.EJ (Microsoft); Win32/LockScreen.AIG (NOD32)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan locks the desktop of the affected machine and demands the user to pay a fine in order to unlock the desktop.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It connects to certain websites to send and receive information.

  TECHNICAL DETAILS

File Size: Varies
File Type: EXE
Initial Samples Received Date: 23 Feb 2012

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Application Data%\Mozilla\Firefox\firefox.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
ffdwnd = %Application Data%\Mozilla\Firefox\firefox.exe

Other Details

This Trojan connects to the following website to send and receive information:

  • {BLOCKED}letsicks.com
  • {BLOCKED}iacughele.info

NOTES:

It locks the desktop of the affected machine and demands the user to pay a fine in order to unlock the desktop.