What measures can I take against MBR Ransomware (TR/Crypt.XPACK.Gen)?


This Type of Ransom Trojan is dropped by other malware or downloaded from the Internet.

It infects the MBR (Master Boot Record) of the running system. Is the Trojan executed, it overwrites the MBR on the hard drive and before the original MBR will be stored in a second section.

It displays a certain message and informs the user that the system is locked and he has to pay money to unlock it again. During this session the whole boot procedure is interrupt.


Malware behavior

The Trojan comes by other dropped malware or if anybody visit an malicious website by download.

It makes a copy of itself in following folder:
%Userprofile%\Local Settings\Temp\x2z8.exe

Also it drops an clean file in this folder:
%Userprofile%\Local Settings\Temp\fpath.txt

Is the Trojan executed, it overwrites the original MBR and force a restart of the operating system. After that, the following message will appear:



During our investigation, we found out that the "Unlock Code" was hard coded into the infected MBR. The code is static and not random generated. So if you are infected, please use following key for unlocking: 21545455

Currently we detect the Trojan as TR/Crypt.XPACK.Gen and the infected MBR as BOO/Ransom.A


  • Avira Professional Security [Windows]
  • Avira Free Antivirus [Windows]
  • Avira Antivirus Premium 2013 [Windows]
  • Avira Internet Security 2013 [Windows]
  • 已创建 : 2012年4月17日星期二
  • 上次更新 : 2018年5月3日星期四
  • 评价此文章