Virus Characteristics
Ransom-AI is a ransom-ware that on execution locks the user's system thereby leaving the system in an unusable state. It also encrypts the files present in the Hard-disk. The user has to pay the attacker to unlock the system and to get the files decrypted.
------------Updated, July 03, 2012 -----------
When executed it copies itself into the following location:
- %Appdata%\[random]\[Random_name].exe
- %Windir%\system32\[Random_name].exe
It also adds the following registry value:
-
[HKEY_LOCAL_MACHINESoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\]
- "Userinit" = %Windir%\system32\[Random_name].exe
The above mentioned registry entry ensures, that the Trojan register itself with the compromised system and execute upon every reboot.
Once executed, the file runs silently and the following GUI alert message appears on the screen:
This translates as:
Your computer was blocked for violating the laws of Spain.
Warning! The following violations were detected:
- The fact of video recording or Transferred pornographic content materials involving children, child pornography, sodomy and violence in relation to children. Apart from this, they were intercepted and videos of child pornography violence. Criminal sanctions provided for in Article (Article 227-23) of the Criminal Law of Spain. It involves deprivation of liberty sentences 2 to 5 years.
- Using software in violation of copyright. Sanction provided for by article (article 323-3) of the Criminal Law of Spain. It involves deprivation of liberty from 1 to 3 years.
- Transfer media files violating copyrights. Punishment provided by section of the Penal Law of Spain. It involves deprivation of liberty from 1 to 3 years
To unlock the computer you must pay a fine in accordance with the legislation of Spain, equivalent to 100 euros in the next 3 days. The sanction in the form of fine is only possible in the case of committing this offense for the first time. The fact of committing this offense repeatedly will be a criminal liability. If you do not pay the fine within the time prescribed your computer will be confiscated and this case will be directed to the court.
You can pay the fine for our partner, using Ukash or Paysafecard bonds. Buy Ukash or Paysafecard bonds in the amount of $ 100, complete the form below with the codes and amounts of bonds, and press the button "Pay the Fines". Your computer will be unlocked immediately after verifying the authenticity of the Ukash voucher / Paysafecard, typically within 1-4 hours.Locate the nearest trading post
Order Ukash / Paysafecard: 100 euros
Get Ukash code (19 digits) or Paysafecard Code (16 digits)Where I can buy Ukash voucher / PaysafecardThe Ukash voucher / Paysafecard can be purchased in more than 20 000 trade stands from Spain. You can purchase Ukash in hundreds of thousands of locations around the world, online, at kiosks and ATMs, including newsagents and petrol stations.
-----------------------------------------------------------
Upon execution, this Trojan injects into svchost.exe and copies itself in the following locations:
- %Appdata%\[random]\[Random_name].exe
- %Appdata%\Realtec\Realtecdriver.exe
- %Windir%\system32\[Random_name].exe
The below registry entries ensures that the Trojan adds trigger for those dropped file in registry so that these files will be launched whenever system starts up.
- [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
"Realtecdriver" = "%Appdata%\\Realtec\Realtecdriver.exe"
- [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
"[Random_name]" = "%Appdata%\[Random_name]\[Random_name].exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
"Userinit"= "%Windir%\system32\userinit.exe, %Windir%\system32\[Random_name].exe,"
Further It disables Task manager, Registry tool and Windows System Configuration Utility services by editing registry values.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
"DisableTaskMgr" = " 0x00000001"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
"DisableRegedit" = " 0x00000001"
- [HKEY_USERS\[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\]
"DisableRegistryTools"=" 0x00000001"
- [HKEY_USERS\[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\]
"DisableRegedit" = "0x00000001"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\]
"Debugger" = "P9KDMF.EXE"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\]
"Debugger" = "P9KDMF.EXE"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\]
"Debugger" = "P9KDMF.EXE"
It locks\encrypts all the user file in the system by renaming the file with the prefix ‘locked-‘ and with random suffix ‘.xxxx’ so that user cannot access those files
e.g.Winter.jpg is changed to locked-Winter.jpg.hzbl
Moreover it connects to the following sites
- Q[Removed]a.com/a.php?id=38BA2BE7444E41534F42&cmd=img
- ho[Removed]o.coma.php?id=38BA2BE7444E41534F42&cmd=img
- sp[Removed]w.com GET /a.php?id=38BA2BE7444E41534F42&cmd=img
It launches a plain window to lock the desktop so that user is blocked from using his computer. It demands the user to provide the code as ransom worth 100 Euro and 50 Euro
