Troj/Blocker-D

Category: Viruses and Spyware
Protection available since: 03 Jan 2011 08:17:49 (GMT)
Type: Trojan
Last Updated: 03 Jan 2011 08:17:49 (GMT)
Prevalence: Small Number of Reports


This Trojan locks the machine and demands that a small amount of money (400 RUR) be sent via a .RU mobile operator, directing the victim to one of about 10 mobile phone numbers.

If you have NOT rebooted the machine, first try CTRL-ESC or CTRL-ALT-ESC to minimise the ransom program and kill it. If you have already rebooted, the following trick may help:

- Press Win+U to invoke the Windows "Narrator" tool (it runs invisibly at first);
- Press CTRL+ALT+ESC or ALT+ESC (probably several times) to switch to the Narrator window. Once there, you have access to basic Windows tools and can try to find and remove the malware. It usually has a name like "xxx_video_14630.avi.ex" or "MSTSC.exe";
- (On Narrator's screen) click "Help" to invoke the Windows Help manager ("Utility Manager");
- Click "Options", then "Help", then "Help and Support";
- Next, for example, click "Pick a task -> System Restore" to get into the System Restore dialog, then Advanced -> Startup and Recovery -> Settings -> Edit. Having invoked Windows Notepad and then "Browser", you can find cmd.exe in system32, copy it and replace the Trojan with it (the Trojan file is overwritten by cmd.exe but keeps the same name);
- Once the Trojan has been replaced with the command-line processor (cmd.exe), you are rid of the ransom malware and can run RegEdit, Explorer or another tool from the command line (after a reboot).

Troj/Blocker-D exhibits the following characteristics:

Other vendor detection
  • Avira: TR/Ransom.BO.2
  • Kaspersky: Trojan-Ransom.Win32.PornoBlocker.bgb

Runtime Analysis

Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Outlook Express
    Value: palo
    Data: 1091112201
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
    Value: AlternateShell
    Data: c:\test_item.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Shell
    Data: c:\test_item.exe
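The two modified values above are how this locker survives both a normal boot (Winlogon Shell) and Safe Mode (SafeBoot AlternateShell). As an added example that is not part of the original analysis, the following Python checks a registry export (.reg) for those two values and flags anything other than their Windows defaults (explorer.exe and cmd.exe); the .reg excerpt is constructed to mirror the runtime analysis, and c:\test_item.exe is assumed to be the sandbox's renamed sample rather than a real file name.

```python
import re

# Windows default data for the two values this sample tampers with.
EXPECTED = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell": "cmd.exe",
}

# Constructed .reg export excerpt (not a real export) reproducing the
# modifications listed in the runtime analysis.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="c:\\test_item.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="c:\\test_item.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

def parse_reg(text):
    """Return {key\\valuename: data} for the REG_SZ entries of a .reg export."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                       # new key section
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:                                   # "name"="string data"
                name = m.group(1)
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                entries[key + "\\" + name] = data
    return entries

def find_shell_hijacks(text):
    """Return [(path, observed, expected)] for each shell value that is non-default."""
    entries = parse_reg(text)
    findings = []
    for path, expected in EXPECTED.items():
        observed = entries.get(path)
        # Case-insensitive compare; any extra program appended after explorer.exe
        # (e.g. "explorer.exe,c:\x.exe") is also reported as non-default.
        if observed is not None and observed.strip().lower() != expected:
            findings.append((path, observed, expected))
    return findings

if __name__ == "__main__":
    for path, seen, want in find_shell_hijacks(SAMPLE_REG):
        print(f"NON-DEFAULT {path}: {seen!r} (expected {want!r})")
```

On a live system the same comparison can be made against a `reg export` of the two keys; restoring the defaults once the binary is gone is what the manual cmd.exe replacement above achieves.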