Locks down computers and asks for mobile credit recharge

Jul 14, 2010 17:07 GMT  ·  By

A new piece of ransomware is currently circulating in the wild and prevents victims from properly using their computers. The malicious program also displays obscene messages in an attempt to force users to recharge a mobile phone account.

Ransomware is a term used to refer to computer trojans which disable critical system functionality and ask for a ransom in order to restore it. The crimeware model is seen by many security experts as the next step in the evolution of scareware, programs which scare users into paying unnecessary license fees.

“In this case, the Trojan (which we and several other AV companies call Trojan-Ransom-Krotten) thoroughly locks down the infected system then demands payment—in the form of credit paid to the Ukrainian mobile phone provider Kyivstar, which the victim then has to transfer to the malware distributor’s account,” explains Andrew Brandt, a security researcher at security vendor Webroot, who analyzed the malicious program.

According to the malware analyst, the trojan installer is called chatadmin.exe and was created with Sign 0f Misery (S0M), a tool for people who lack the programming skills necessary to create applications. Once executed on the system, the installer performs several checks, drops the payload and forces a reboot.

The system is locked down by modifying around forty registry entries, which are normally intended for use by system administrators. These affect the users' ability to run most applications, open many file types, close open windows or access the Start menu. The trojan also replaces the time in the system tray with a Russian curse word and adds an obscene message to the Internet Explorer title bar.

Every time an infected computer reboots, the user is prompted with instructions to send a mobile credit recharge code for 30 Grivna (close to $4) to an email address. The message claims that people who comply with the request will receive a program that can be used to release their computer.

In order to protect themselves against this threat, users should run an up-to-date and capable antivirus product. According to the Webroot researcher, the trojan installer will halt the infection process and quit if a file called 290564175.txt is located in the root of the C: drive.
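As an added example (not code from the article or from Webroot), the PowerShell script below audits a Windows host for the lockdown symptoms described above and can create the kill-switch file the installer checks for. The specific policy value names and the registry locations used for the tray clock and the Internet Explorer title bar are assumptions, since the article names neither.

```powershell
# Added example, not from the article or Webroot. ASSUMPTION: the article does
# not list the ~40 registry entries; the policy values below are standard
# Explorer/System policy values that produce the effects it describes (blocked
# Run/Start menu, Task Manager, closing windows). Run as the affected user;
# -Inoculate additionally needs rights to create a file in C:\.
param([switch]$Inoculate)

$findings = @()

# 1. Kill-switch file named by Webroot: the installer quits if it exists.
$killSwitch = 'C:\290564175.txt'
if (Test-Path -LiteralPath $killSwitch) {
    $findings += "Inoculation file already present: $killSwitch"
} elseif ($Inoculate) {
    New-Item -Path $killSwitch -ItemType File -Force | Out-Null
    $findings += "Created inoculation file: $killSwitch"
}

# 2. Shell lockdown policies (assumed set, see header) that are non-zero.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoRun', 'NoClose', 'NoDesktop', 'NoFolderOptions', 'NoViewContextMenu')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr', 'DisableRegistryTools', 'DisableCMD')
}
foreach ($key in $policies.Keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-ItemProperty -LiteralPath $key
    foreach ($name in $policies[$key]) {
        if ($null -ne $item.$name -and $item.$name -ne 0) {
            $findings += "Lockdown policy set: $key\$name = $($item.$name)"
        }
    }
}

# 3. Cosmetic tampering the article describes: tray clock text and IE title bar.
# Heuristic (assumed location): a time format should contain only H h m s t,
# separators and spaces; a literal word such as the reported curse word fails it.
$intl = Get-ItemProperty -LiteralPath 'HKCU:\Control Panel\International'
if ($intl.sTimeFormat -notmatch '^[Hhmst:. '']+$') {
    $findings += "Unusual tray clock format: sTimeFormat = $($intl.sTimeFormat)"
}
$ie = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie -and $ie.'Window Title') {
    $findings += "IE title bar overridden: Window Title = $($ie.'Window Title')"
}

if ($findings.Count -eq 0) { Write-Output 'No Krotten-style lockdown indicators found.' }
else { Write-Output $findings }
```

Any policy the script reports can be reviewed and removed with `Remove-ItemProperty` on a machine that is not managed by group policy; on a domain-joined machine, check with the administrators first, since some of these values may be set deliberately.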

You can follow the editor on Twitter @lconstantin