Symantec Blogs: Security Response

Fred Gutierrez | August 5th, 2009

Trojan.Ransompage is interesting because it is the first ransom threat designed to target three different browser platforms. The malware author has chosen to target not only the two most popular browsers, Firefox and Internet Explorer, but also Opera. This shows that the malware author wanted to target more than one browser in order to maximize the chances of success in case an infected user decided to change browsers rather than pay the ransom.

To attack Internet Explorer users, the Trojan will drop a file called msmedia.dll and install it as a browser helper object (BHO). To target Firefox users, the Trojan will install an extension called “informer” that consists of the following files: install.rdf, chrome.manifest, informer.xul, and informer.js. With Opera, the Trojan will drop a file called feeder.js that also acts as an extension and is written in JavaScript. These three different payloads all have the same functionality. They will...
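A triage sweep for the file names listed above, as an added example that is not part of the original post. It matches by name only, which is a weak indicator on its own. The directory to scan, the constructed sample tree, and the layout of the Firefox extension (install.rdf and chrome.manifest at the extension root, the informer files anywhere beneath it) are assumptions.

```python
import os
import tempfile

# File names taken from the post; the post gives no hashes or install paths.
FIREFOX_ROOT = {"install.rdf", "chrome.manifest"}
FIREFOX_PAYLOAD = {"informer.xul", "informer.js"}
SINGLE_FILES = {"msmedia.dll": "Internet Explorer BHO", "feeder.js": "Opera script"}


def sweep(root):
    """Return sorted (kind, path) findings for the file names listed in the post."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}  # case-insensitive match, real name kept
        for name, kind in SINGLE_FILES.items():
            if name in names:
                findings.append((kind, os.path.join(dirpath, names[name])))
        # install.rdf and chrome.manifest exist in every legacy Firefox extension,
        # so flag an extension root only if its subtree also holds both informer files.
        if FIREFOX_ROOT.issubset(names):
            below = set()
            for _path, _subdirs, sub in os.walk(dirpath):
                below.update(f.lower() for f in sub)
            if FIREFOX_PAYLOAD <= below:
                findings.append(("Firefox extension", dirpath))
    return sorted(findings)


def build_sample(base):
    """Constructed tree: one benign extension plus one match for each indicator."""
    ext = ["install.rdf", "chrome.manifest"]
    layout = {
        "profile/extensions/benign": ext + ["content/main.js"],
        "profile/extensions/susp": ext + ["content/informer.xul", "content/Informer.js"],
        "opera": ["feeder.js"],
        "system": ["MSMEDIA.DLL"],
    }
    for folder, files in layout.items():
        for rel in files:
            path = os.path.join(base, folder, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, path in sweep(tmp):
            print(f"{kind}: {path}")
```

A name hit is a lead to examine, not a verdict.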

Fred Gutierrez | July 24th, 2009

We have already written about threats that can encrypt files or lock victims out of their computers in order to extract a ransom. Today I want to talk about yet another similar threat. It uses scare or nuisance tactics—similar to rogue antivirus programs—in an attempt to demand ransom from its victims.

Once infected with Trojan.Ransompage, a victim’s browser will display a persistent inline ad on every page that the victim visits. The ad will cover part of the original Web page, as shown below.

[Image]

The ad will stay on the screen even if the page is scrolled:

[Image]

This ad is written in...