Discovered: April 16, 2009
Type: Removal Information
This tool is designed to generate a key to unlock computers that have been infected by Trojan.Ransomlock.
How to download and run the tool
Important: You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.
Follow these steps to download and run the tool:
1. Download the Ransom_unlock.exe file from: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/Ransom_unlock.exe
2. Save the file to a convenient location, such as your Windows desktop.
3. Optional: To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.
Note: If you are sure that you are downloading this tool from the Security Response Web site, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the "Digital signature" section before proceeding with step 4.
4. Locate the file that you just downloaded.
5. Double-click the Ransom_unlock.exe file to run the tool.
6. The tool's main screen is displayed.
7. Note the code displayed in the threat's dialog box on the compromised computer.
Note: The code is 10 to 11 characters long and begins with either "41" or "k2".
8. Choose one of the following options depending on the format of the code displayed by the threat:
- If the code displayed by the threat has the following format "41NN1234567" (where NN are two random numbers) for example "41671234567", enter the code as it is.
- If the code starts with the number "411" for example "4111234567", enter the code as it is.
- If the code starts with "k2" then enter in "4110" followed by the third, fourth, sixth, seventh, ninth and tenth digit. For example if the code is "k2670620000" you should enter in "4110676200".
9. Note the unlock code that the tool generates and type it into the threat's dialog box on the compromised computer.
10. Click the button in the lower right-hand corner of the threat's dialog box.
11. Press any key to close the tool.
12. Run LiveUpdate to make sure that you are using the most current virus definitions.
13. Run a full system scan.
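The three code formats in step 8 above are the only non-mechanical part of the procedure, and the "k2" rule is easy to get wrong by hand. The following Python function is an added example that is not part of the Symantec writeup or of Ransom_unlock.exe itself: it only reproduces the input-format rules stated on the page (enter "41..." codes unchanged; for "k2" codes, take "4110" followed by the 3rd, 4th, 6th, 7th, 9th and 10th characters) and rejects anything that does not match them. The length and prefix checks are assumptions derived from the note under step 7, not from the tool's own source.

```python
"""Normalise a Trojan.Ransomlock lock-screen code into the value that is
typed into Ransom_unlock.exe, following the rules in step 8 of the writeup.

This is an illustrative helper, not Symantec's code. The length/prefix
validation is an assumption based on the note under step 7.
"""

# 1-based character positions that the "k2" rule keeps, per the writeup.
_K2_KEEP_POSITIONS = (3, 4, 6, 7, 9, 10)


def normalize_ransomlock_code(code: str) -> str:
    """Return the code to enter into the unlock tool, or raise ValueError."""
    code = code.strip()

    # Assumed check: the writeup says codes are 10 to 11 characters long.
    if not 10 <= len(code) <= 11:
        raise ValueError(
            f"code must be 10 or 11 characters, got {len(code)}: {code!r}"
        )

    if code.startswith("41"):
        # Covers both the "41NN1234567" form and the "411..." form,
        # which the writeup says are entered exactly as displayed.
        if not code.isdigit():
            raise ValueError(f"codes beginning with 41 must be all digits: {code!r}")
        return code

    if code.startswith("k2"):
        if not code[2:].isdigit():
            raise ValueError(f"k2 codes must be 'k2' followed by digits: {code!r}")
        # "4110" + 3rd, 4th, 6th, 7th, 9th and 10th characters (1-based).
        picked = "".join(code[pos - 1] for pos in _K2_KEEP_POSITIONS)
        return "4110" + picked

    raise ValueError(f"unrecognised code prefix (expected '41' or 'k2'): {code!r}")


if __name__ == "__main__":
    # Constructed sample inputs: the writeup's own three examples plus
    # two malformed values to show the validation path.
    samples = ["41671234567", "4111234567", "k2670620000", "k2abc", "99123456789"]
    for sample in samples:
        try:
            print(f"{sample!r:16} -> {normalize_ransomlock_code(sample)}")
        except ValueError as exc:
            print(f"{sample!r:16} -> rejected: {exc}")
```

Running the script prints "4110676200" for the writeup's "k2670620000" example and echoes the two "41" examples unchanged; the malformed values are rejected rather than silently transformed, which is the behaviour you want before typing anything into a live lock screen.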
Digital signature
For security purposes, the tool is digitally signed. Symantec recommends that you use only copies of the tool that have been downloaded directly from the Symantec Security Response Web site.
If you are not sure, or if you are a network administrator and need to authenticate files before deployment, you should check the authenticity of the digital signature.
Follow these steps:
1. Go to http://www.wmsoftware.com/free.htm .
2. Download and save the Chktrust.exe file to the same folder in which you saved the tool.
Note: Most of the following steps are done at a command prompt. If you downloaded the tool to the Windows desktop, it will be easier if you first move the tool to the root of the C drive. Then save the Chktrust.exe file to the root of C as well.
(Steps 3 onward assume that both the tool and Chktrust.exe are in the root of the C drive.)
3. Click Start > Run.
4. Type one of the following:
5. Click OK.
6. In the command window, type the following, pressing Enter after typing each line:
chktrust -i Ransom_unlock.exe
7. You should see one of the following messages, depending on your operating system:
Windows XP SP2:
The Trust Validation Utility window will appear.
Under Publisher, click the Symantec Corporation link. The Digital Signature Details appears.
Verify the contents of the following fields to ensure that the tool is authentic:
Name: Symantec Corporation
Signing Time: 04/22/2009 11:09:26 AM
All other operating systems:
You should see the following message:
Do you want to install and run "Symantec Trojan.Ransomlock Key Generator Tool" signed on Wednesday, April 22, 2009 11:09:26 AM and distributed by Symantec Corporation?
The date and time in the digital signature above are based on Pacific time. They will be adjusted to your computer's time zone and Regional Options settings.
If you are using Daylight Saving time, the displayed time will be exactly one hour earlier.
If this dialog box does not appear, there are two possible reasons:
The tool is not from Symantec: Unless you are sure that the tool is legitimate and that you downloaded it from the legitimate Symantec Web site, you should not run it.
The tool is from Symantec and is legitimate: However, your operating system was previously instructed to always trust content from Symantec. For information on this and on how to view the confirmation dialog again, read the document: How to restore the Publisher Authenticity confirmation dialog box.
8. Click Yes or Run to close the dialog box.
9. Type exit, and then press Enter. (This will close the MS-DOS session.)