February 3, 2012
Recent months saw many versions of Trojan-blockers, showing extortion demands in English, French, German and other European languages. As a rule, they have different architectures and different unlock routines which may be unlocking with a code or automatically after a certain period of time. Compared with them, Trojan.Winlock.5416 is a rather primitive extortion program that has neither the unlock code nor routines for checking the system locale and runs on all Windows machines. There are several signatures for this type of Trojan horses in the Dr.Web virus database. Most of the known species of this type show the German text in the blocking window, but Trojan. Winlock.5416 is a bit different:
The message is in Arabic and informs the user that the computer has been blocked because it has been used to access adult content and view children violence video which violates Saudi Arabia law. The user is threatened by the Sharia court and offered to pay $300 by buying a Ucash prepaid card and entering its code in the blocker window. This code is sent to the criminals' site (hosted in Latvia). The Trojan horse makes no other destructive action.
It should be noted that this is the first example of a Trojan horse blocker that shows messages in Arabic known to Doctor Web. The Trojan horse removal procedure is quite standard for this type of malicious software, and therefore does not deserve a separate description. Trojan.Winlock.5416 signature has been added into the Dr.Web virus database.
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.