
Monday, 17 May 2010

Windows “activation” ransomware

Trojan-Ransom.Win32.Winac.A

Our analyst Adam Thomas found this: a piece of ransomware that locks up Windows until you enter your credit card data.

First it claims you are running a pirated version of Windows and they need your billing details. “…but your credit card will NOT be charged.”


And of course that’s true.


Once you enter your credit card details, it will “activate” your “pirated” OS and make it legitimate:


Basically, the Trojan locks your system. The only thing you can do is complete the "activation". You can choose to "activate windows" or "do it later". If you choose to do it later, your machine reboots.

If you go through the process of entering your data (including your credit card number), then your system will work again.


Your credit card information is shipped off to a network of fast-flux bots standing by ready to receive it.




VIPRE detects it as Trojan-Ransom.Win32.Winac.A

Thanks Adam

Tom Kelchner


 
