0
(0)

This type of ransom Trojan is dropped by other malware or downloaded from the internet.
It infects the MBR (Master Boot Record) of the running system. If the Trojan is executed, it overwrites the MBR on the hard drive before the original MBR is stored in a second section.

It displays a certain message and informing you that the system is locked and that you need to pay to unlock it again. During this session, the whole boot procedure is interrupted.

Malware behavior

The Trojan comes by other dropped malware or if anybody visits a malicious website by download.

  • It makes a copy of itself in the following folder:
    %Userprofile%\Local Settings\Temp\x2z8.exe
  • Also, it drops a clean file in this folder:
    %Userprofile%\Local Settings\Temp\fpath.txt

Note
If the Trojan is executed, it overwrites the original MBR and forces a restart of the operating system. After that, the following message will appear:

trojan_mbr_overwritten_restart.png

Solution

During our investigation, we found out that the “Unlock Code” was hard-coded into the infected MBR. The code is static and not randomly generated. So, if you are infected, please use the following key for unlocking: 21545455

We detect the Trojan as TR/Crypt.XPACK.Gen and the infected MBR as BOO/Ransom.A

Source : Official Avira Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 11 times, 1 visits today)