What measures can I take against MBR Ransomware (TR/Crypt.XPACK.Gen)?


This type of ransom Trojan is dropped by other malware or downloaded from the Internet.

It infects the MBR (Master Boot Record) of the running system. When the Trojan is executed, it overwrites the MBR on the hard drive; before doing so, it stores the original MBR in a second sector.

It displays a message informing the user that the system is locked and that they have to pay money to unlock it again. While this screen is shown, the whole boot procedure is interrupted.


Malware behavior

The Trojan is dropped by other malware or downloaded when a user visits a malicious website.

It makes a copy of itself in the following location:
%Userprofile%\Local Settings\Temp\x2z8.exe

It also drops a clean (non-malicious) file in this folder:
%Userprofile%\Local Settings\Temp\fpath.txt

When the Trojan is executed, it overwrites the original MBR and forces a restart of the operating system. After the restart, the following message appears:



During our investigation, we found that the "Unlock Code" is hard-coded into the infected MBR. The code is static, not randomly generated, so if you are infected, use the following key to unlock the system: 21545455

Currently we detect the Trojan as TR/Crypt.XPACK.Gen and the infected MBR as BOO/Ransom.A.
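Two practical measures follow from the behaviour described above: record a baseline of the clean MBR so a replaced boot sector can be detected, and, after an infection, look for the copy of the original MBR that the Trojan saved in a later sector. The script below is an added example, not code from the original article or the vendor's tooling. It assumes only the generic MBR layout (446 bytes of boot code, four 16-byte partition entries at offset 446, the 0x55 0xAA signature at offset 510). The article does not say which sector holds the saved copy, so the scan over the first sectors and the position used in the constructed sample image are assumptions.

```python
"""Check whether sector 0 of a disk image still carries a known-good MBR, and
look for an intact copy of the original MBR in the sectors that follow it.

Added example, not the article's or the vendor's code. Assumes only the
generic MBR layout: 446 bytes of boot code, four 16-byte partition entries
at offset 446, and the 0x55 0xAA signature at offset 510. The disk image
built below is constructed for the demonstration; the sector holding the
backup copy (LBA 2) is an assumption, not a fact from the article.
"""

import hashlib
import struct
from typing import Iterator, Optional, Tuple

SECTOR = 512
PT_OFFSET = 446          # partition table starts here
PT_ENTRY = 16            # four entries of 16 bytes each
SIG_OFFSET = 510         # 0x55 0xAA boot signature


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[SIG_OFFSET:] == b"\x55\xaa"


def partition_entries(sector: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (status, type, start_lba, size_in_sectors) for the four entries.
    Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) size(4)."""
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY
        yield struct.unpack("<B3xB3xII", sector[off:off + PT_ENTRY])


def plausible_partition_table(sector: bytes) -> bool:
    """A genuine MBR has at least one used entry, status bytes of only
    0x00/0x80, non-zero extents and no overlapping partitions."""
    extents = []
    for status, ptype, start, size in partition_entries(sector):
        if status not in (0x00, 0x80):
            return False
        if ptype == 0:           # unused entry
            continue
        if start == 0 or size == 0:
            return False
        extents.append((start, start + size))
    if not extents:
        return False
    extents.sort()
    return all(a_end <= b_start for (_, a_end), (b_start, _) in zip(extents, extents[1:]))


def boot_code_digest(sector: bytes) -> str:
    """Hash only the boot code; the partition table may legitimately change."""
    return hashlib.sha256(sector[:PT_OFFSET]).hexdigest()


def check_mbr(image: bytes, baseline_digest: str) -> dict:
    """Compare sector 0 against a baseline digest recorded on a clean system."""
    mbr = image[:SECTOR]
    return {
        "signature_ok": has_boot_signature(mbr),
        "table_ok": plausible_partition_table(mbr),
        "boot_code_matches_baseline": boot_code_digest(mbr) == baseline_digest,
    }


def find_backup_mbr(image: bytes, baseline_digest: str, max_lba: int = 63) -> Optional[int]:
    """Return the LBA (1..max_lba) of a sector whose boot code matches the
    baseline and which looks like a complete MBR, or None if there is none."""
    last = min(max_lba, len(image) // SECTOR - 1)
    for lba in range(1, last + 1):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if (has_boot_signature(sector) and plausible_partition_table(sector)
                and boot_code_digest(sector) == baseline_digest):
            return lba
    return None


def build_sample_image() -> Tuple[bytes, str]:
    """Constructed image: a lock-screen boot sector at LBA 0, the original
    MBR copied to LBA 2 (assumed position), zero sectors elsewhere.
    Returns the image and the baseline digest of the original boot code."""
    original_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (PT_OFFSET - 8)
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * (3 * PT_ENTRY)
    original = original_code + table + b"\x55\xaa"
    # The replacement keeps the table and signature so the BIOS still boots it.
    lock_code = (b"\xeb\xfe" + b"System locked").ljust(PT_OFFSET, b"\x00")
    replaced = lock_code + table + b"\x55\xaa"
    empty = b"\x00" * SECTOR
    image = replaced + empty + original + empty * 5
    return image, boot_code_digest(original)


if __name__ == "__main__":
    image, baseline = build_sample_image()
    print(check_mbr(image, baseline))
    print("backup copy at LBA", find_backup_mbr(image, baseline))
```

On a real machine the baseline digest would be taken from sector 0 while the system is known to be clean (for example with `dd` on a rescue medium) and stored off the disk; a later mismatch in `boot_code_matches_baseline` with an otherwise valid signature and partition table is exactly the pattern of a replaced boot sector. Any recovered copy should be written back only from a rescue environment and after the partition table has been verified, since restoring the wrong sector renders the disk unbootable.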


