Trojan.Randsom.A

Discovered: May 01, 2006
Updated: May 01, 2006 5:32:52 PM
Also Known As: Troj/Ransom-A [Sophos]
Systems Affected: Windows

Trojan.Randsom.A is a Trojan horse that locks access to a compromised computer. It then issues a ransom demand to recover any affected files.

Antivirus Protection Dates

  • Initial Rapid Release version May 01, 2006
  • Latest Rapid Release version April 23, 2018 revision 040
  • Initial Daily Certified version May 01, 2006
  • Latest Daily Certified version April 24, 2018 revision 003
  • Initial Weekly Certified release date May 03, 2006

Writeup By: Candid Wueest

When executed, the Trojan creates the following files in the current directory and in %System%\oobe\setup:

corpstats.exe
winstart.exe
004.exe
005.exe
006.exe
007.exe
008.exe
009.exe
svchost.exe
data3.exe
data2.exe
data4.exe
dat1.bat
wpd.exe
ShutdownUtility.exe

The Trojan then creates copies of these files at the following locations:
%System%\oobe\setup\corpstats.exe
%UserProfile%\Start Menu\Programs\Startup\winstart.exe
%Windir%\004.exe
%Windir%\005.exe
%Windir%\006.exe
%Windir%\007.exe
%Windir%\008.exe
%Windir%\009.exe
%Windir%\svchost.exe
%Windir%\data3.exe
%Windir%\data2.exe
%Windir%\data4.exe
%Windir%\dat1.bat
%System%\wpd.exe
%System%\ShutdownUtility.exe

The Trojan then creates the following registry entries so that it starts every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cleanup" = "%System%\oobe\setup\corpstats.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\"cleanup" = "%System%\oobe\setup\corpstats.exe"

The Trojan may also create harmless temporary files in the following directory:
C:\Documents and Settings\All Users\Application Data\OZ

The Trojan may also create harmless temporary registry values under the following key:
HKEY_CURRENT_USER\SOFTWARE\OZ Development\Applications

The Trojan then displays a dialog box with the following messages:

"Deleted files are going to be saved into a hidden directory and replaced during uninstallation."
"(1) files are being deleted every 30 minutes"

The Trojan then displays the following text in full screen, along with two pornographic pictures:

-----
environment locked
windows locked

listen up muthafucka
is this computer valuable. it better not be.
is this a business computer. it better not be.
do you keep important company records or files on this computer. you'd better hope not.
because there are files scattered all over it tucked away in
invisible hidden folders undetectable by antivirus sofware
the only way to remove them and this message is by a CIDN: number

This X.aip will load everytime you start windows scattering more and more copies of iteslf until your computer is fried to a pulp. until then you may even noteice other programs missing critical files.


How to Remove it

Simple. you must receive a CIDN: number from Western Union

go to Western union, fill out the grey form labelled "SwiftPay" pay $10.99 as your customer access number enter "4 8 7 0 9 3 0 1 0 1 3 0 8 6 9 7"
you may sign any name, i.e John Doe.
and wait for a receipt from the clerk. Look on the top right-hand corner of the receipt for a number that starts with CIDN: i.e CIDN: 203-093-1903
comback to this computer an enter your CIDN number. The uninstall process will begin.

note: if you don't pay exactly $10.99 you will generate an invalid CIDN number and be forced to start all over.

If you have a valid CIDN: Number and have problems uninstalling send a reuqest to
unlock3713@yahoo.com
I will research the problem and if applicable send a alternate CIDN: universal key by email.
-----


The Trojan then creates the file %Windir%\dat1.bat and executes it. This batch file runs a number of cd, dir and tree commands, which do not harm the system.

The Trojan may also create the file %System%\bat.bat and execute it. After a delay, this batch file shuts down the system.

The Trojan runs as multiple processes that watch each other. If some of them are terminated, the remaining processes restart them and display the following message:

Yeah, We don't die, We multiply!
Ctrl+Alt+Del isn't quite working today, is it? I'm not the sharpest tool in the shed but
Crtl+Alt+Del is everyone's S.O.S
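The dropped-file paths, the two "cleanup" autostart values and the mutually-respawning processes described above are the indicators a responder would check for and clean up by hand. The following PowerShell script is an added example of that check, not part of the Symantec writeup or any Symantec tool: every path, registry value and process name it looks for is taken from the writeup, while the script itself, its -Remove switch and its output format are assumptions made here. Because the processes restart one another, the removal path stops all of them in a single call before deleting files and registry values, and it distinguishes the Trojan's %Windir%\svchost.exe from the legitimate %System%\svchost.exe by full path rather than by name.

```powershell
# Added example (not Symantec code): check a host for the Trojan.Randsom.A
# indicators listed in the writeup and, with -Remove, clean them up.
# Run from an elevated PowerShell session.
param([switch]$Remove)

$sys     = Join-Path $env:SystemRoot 'System32'   # %System%
$win     = $env:SystemRoot                        # %Windir%
$startup = [Environment]::GetFolderPath('Startup') # %UserProfile%\Start Menu\Programs\Startup

# Dropped-file locations from the writeup (assumed to be exhaustive here).
$files = @(
    (Join-Path $sys 'oobe\setup\corpstats.exe'),
    (Join-Path $startup 'winstart.exe'),
    (Join-Path $sys 'wpd.exe'),
    (Join-Path $sys 'ShutdownUtility.exe'),
    (Join-Path $sys 'bat.bat'),
    (Join-Path $win 'dat1.bat')
)
foreach ($n in '004','005','006','007','008','009','svchost','data2','data3','data4') {
    $files += Join-Path $win "$n.exe"   # note: %Windir%\svchost.exe, NOT %System%\svchost.exe
}

# Autostart values from the writeup: a "cleanup" value pointing at corpstats.exe.
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
)

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $f }
    }
}

foreach ($k in $regKeys) {
    if (Test-Path $k) {
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).cleanup
        if ($v -and $v -match 'corpstats\.exe') {
            $findings += [pscustomobject]@{ Type = 'Registry'; Item = "$k\cleanup = $v" }
        }
    }
}

# Match running processes on their full image path so the legitimate
# System32\svchost.exe is never flagged; -contains compares case-insensitively.
$procs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($files -contains $_.Path) }
foreach ($p in $procs) {
    $findings += [pscustomobject]@{ Type = 'Process'; Item = "$($p.Id) $($p.Path)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Randsom.A indicators found.'
    return
}
$findings | Format-Table -AutoSize

if ($Remove) {
    # Stop every matching process in one call: the processes respawn each other,
    # so killing them one at a time lets the survivors restart the rest.
    if ($procs) { Stop-Process -InputObject $procs -Force -ErrorAction SilentlyContinue }

    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    }
    foreach ($k in $regKeys) {
        if (Test-Path $k) {
            Remove-ItemProperty -Path $k -Name 'cleanup' -ErrorAction SilentlyContinue
        }
    }
    Write-Output 'Removal attempted; re-run without -Remove to verify, then reboot.'
}
```

The harmless OZ temporary files and the HKEY_CURRENT_USER\SOFTWARE\OZ Development\Applications values are deliberately left alone, since the writeup says they do no harm and they may belong to other software. Re-run the script after a reboot: if any dropped file reappears, the launcher that wrote the copies into the current directory is still present somewhere outside the listed paths and needs to be located separately.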