Trojan demands "Your money or your Windows!"
Several anti-virus software suppliers are reporting a new kind of trojan that locks users out of their Windows PCs until they pay a ransom. Dr.Web says that "Trojan.Winlock", under the guise of a video codec, is so far only circulating in the Russian part of the world wide web. It gets into a computer via a download, then manipulates it so that on start-up the user is confronted with a (Russian) dialogue giving instructions for unlocking the machine. This involves sending a given numeric string to a highly priced premium SMS number in order to get the release code.
To unlock you need to send an SMS with the text xxxxxxxxxxxxxx to the number
Enter the resulting code:
Any attempt to reinstall the system may lead to loss of important information and computer damage
In contrast to the GPCode encryption trojan and its successors, Trojan.Winlock doesn't manipulate files, but merely blocks access to the desktop and applications. A clued-up user could simply insert a boot CD to skip the problem, access his files and remove the trojan, but anyone less savvy might boggle at this and choose to pay up. In its Annual Threat Report in March, Trend Micro was already speculating about a probable upswing in ransomware attacks in the second quarter of this year.
The algorithm for calculating the release code is reportedly trivial, and a practical tool that derives the release code from the displayed numeric string is available on the Dr.Web pages.
The currently rampaging Conficker worm can also lock users out of systems, but as yet isn't demanding a ransom.
- From scareware to ransomware, a report from The H.
- This Trojan encrypts data with RSA-4096 -- really?, a report from The H.
- The H Security Conficker information site, a report from The H.