Ransomware Trojan

On Saturday the boys’ PC got a bad virus, specifically a type of malware called Trojan.Ransomware. ‘Ransomware’ refers to the technique of holding a PC hostage until a ransom is paid. In practice it is more subtle than it sounds. In our case the PC boots to the normal Windows 7 login screen. When a user enters their credentials they get a full screen error message:

System process at address OxE4783995 have just crashed,
please follow these steps to deactivate it from your system.
1. Call one of the following numbers:
0088213090413
00261221000186
0037190100546
0088213240069
0025270701161
00263778289408
2. Wait for the answer and write down your deactivation key
3. Enter the deactivation keyreceived by phone, click “Next” to continue

Of course this is a bogus error message, but what is the point of making you call these numbers? Well apparently they are international premium service numbers which attract very high charges. You get a recorded message saying hold the line, during which time  you get charged for the wait. Somehow the scammer benefits financially.

During my googling I discovered many variations but this guy seemed the closest. I also found a solution  but it didn’t work for me. I got into windows recovery mode and tried making the suggested registry edits but the changes made by our trojan were quite different. Also it had not created a new user with a numerical username (eg C:\users\Michael\22997148\22997148.EXE). I found some information about related trojans that make multiple registry changes similar to what I was finding but after a while I decided it was easier to reinstall Windows 7 – I’d only rebuilt this PC a few weeks ago so there was not much software on it yet. Luckily I’d used a system partition and a data partition so I could leave the docs, music etc untouched.

Leave a Reply

Your email address will not be published. Required fields are marked *