Virus: TR/Ransom.bxra
Date discovered: 21/11/2011
Type: Trojan
In the wild: No
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Medium
Static file: No
VDF version: 7.11.17.243 - Monday, November 21, 2011
IVDF version: 7.11.17.243 - Monday, November 21, 2011

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Ransom.Win32.PornoAsset.bxr
   •  Sophos: Mal/Generic-L
   •  Bitdefender: Trojan.Generic.KDV.421217
   •  Eset: Win32/Kryptik.VSY
   •  DrWeb: Trojan.Winlock.3300


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops a file
   • Registry modification


Right after execution the following information is displayed:

The picture has been edited for display purpose.

Files
It copies itself to the following locations:
   • %ALLUSERSPROFILE%\Application Data\%random%.exe
   • %SYSDIR%\taskmgr.exe
   • %SYSDIR%\userinit.exe
   • %SYSDIR%\dllcache\taskmgr.exe
   • %SYSDIR%\dllcache\userinit.exe



The following file is created:

– Non-malicious file:
   • %SYSDIR%\%random%.exe

Registry
One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="%ALLUSERSPROFILE%\Application Data\%random%.exe"

Process termination
The following process is terminated:
   • %WINDIR%\explorer.exe


File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Chiaho Heng on Wednesday, November 23, 2011
Description updated by Chiaho Heng on Wednesday, November 23, 2011
