PornoBlocker - Trojan Ransomware

January 27, 2011

SonicWALL UTM Research team received reports of a new variant of Trojan Ransomware seen in the wild. The Trojan locks down the system and asks the user to send money via premium SMS in Russia to receive the unlock code.

Process of Infection:

An unsuspecting user may download the Trojan from malicious websites. The screenshot below shows the Trojan using a movie icon.

[Screenshot: the Trojan executable displayed with a movie icon]

Once installed, the Trojan will lock down the system by displaying the image below:

[Screenshot: the lock screen displayed by the Trojan]

Below is the rough translation of the image:

    Attention!!!

    Your Operating System is blocked for violation of Internet usage.

    We discovered the following violations: visiting pornographic sites with elements of child porn, rape and bestiality. Storage of video files containing porn with presence of under-aged, rape, bestiality etc.

    Usage of pirated software.

    This block is intended to prevent the possibility of spreading this material over the internet.
    To remove this block you must:

    Replenish Beeline account number:
    8-903-202-99-12
    For the amount of 400 rubles

    After the payment on your receipt you will find a code, which you should enter in the field below

    When your system is unblocked you must remove all the illegal materials from your device.

    ENTER THE CODE:

The Trojan alleges that the user engages in illegal activities and has in their possession material that violates Internet usage rules, and presents this as the reason for the system lockdown. The message is of course a scam and simply the Trojan's way of extorting money from the user.

Interestingly, the unlock code is embedded in the malware itself and can be used to regain control of the system without paying. Some of the unlock codes seen in different variants of this malware are the following:

  • 8875510
  • 8095147
  • 3796054

After unlocking the system, the malware will delete itself.

Installation:

Drops a copy of itself:

  • %Windows%\usrinit.exe - [ detected as GAV: PornoBlocker.DMQ (Trojan) ]

Registry Changes:

Modifies the registry entry below to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Value: Userinit
    Old Data: "C:\WINDOWS\system32\userinit.exe,"
    New Data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\usrinit.exe"
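The Userinit value is a comma-separated list of programs Winlogon launches at logon, so appending a second path is a common persistence trick. The following Python script is an added example (not SonicWALL's code or part of the advisory) that parses a Userinit data string, flags any program other than the legitimate userinit.exe, and additionally flags lookalike file names such as usrinit.exe. The expected default path, the sample values and the function names are constructed for the example; the live-registry reader only runs on Windows.

```python
import sys
from difflib import SequenceMatcher

# Reference path for the legitimate logon helper on a Windows XP-era system
# (assumption for this example; adjust to the default of the OS being checked).
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"
LEGIT_BASENAME = "userinit.exe"

# Constructed sample values mirroring the advisory's Old Data / New Data entries.
CLEAN_VALUE = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_VALUE = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\usrinit.exe"


def parse_userinit(value):
    """Split a Winlogon\\Userinit data string into individual program paths.

    Entries are comma-separated, may be wrapped in double quotes, and the
    legitimate value ends with a trailing comma, which yields an empty item
    that is dropped here.
    """
    items = []
    for part in value.split(","):
        part = part.strip().strip('"').strip()
        if part:
            items.append(part)
    return items


def is_lookalike(path):
    """True when the file name mimics userinit.exe without being it.

    Uses a simple similarity ratio so that names such as usrinit.exe or
    userinlt.exe are caught even if they sit in the real system32 folder.
    """
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename == LEGIT_BASENAME:
        return False
    return SequenceMatcher(None, basename, LEGIT_BASENAME).ratio() >= 0.8


def find_unexpected_userinit_entries(value, expected=EXPECTED_USERINIT):
    """Return every program in the Userinit value that is not the expected one.

    Windows paths are case-insensitive, so the comparison is too.
    """
    return [p for p in parse_userinit(value) if p.lower() != expected.lower()]


def assess_userinit(value, expected=EXPECTED_USERINIT):
    """Summarise findings for one Userinit value as a dict of lists."""
    extra = find_unexpected_userinit_entries(value, expected)
    return {
        "extra_programs": extra,
        "lookalikes": [p for p in extra if is_lookalike(p)],
    }


def read_live_userinit():
    """Read the live Userinit value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    )
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    samples = [("clean sample", CLEAN_VALUE), ("infected sample", INFECTED_VALUE)]
    live = read_live_userinit()
    if live is not None:
        samples.append(("live registry value", live))
    for label, value in samples:
        result = assess_userinit(value)
        if result["extra_programs"]:
            print(f"{label}: SUSPICIOUS extra programs {result['extra_programs']}"
                  f" lookalikes {result['lookalikes']}")
        else:
            print(f"{label}: ok")
```

Running the script on a non-Windows host only evaluates the two constructed samples; on Windows it also reads the live value, which is the check a responder would run when triaging a locked machine. Any entry beyond the legitimate userinit.exe warrants inspection, and a lookalike name in the same folder is a strong indicator of this family.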

Other System Modification:

Terminates the following process:

  • Task Manager

SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signatures:

GAV: PornoBlocker.DMQ (Trojan)
GAV: PornoBlocker.DMS (Trojan)
GAV: LockScreen.P (Trojan)