
Trojan.Winlock threatens Arab users with Sharia court

February 3, 2012

Doctor Web's virus analysts discovered a new Trojan.Winlock modification threatening residents of Arab countries. Trojan horses of this family have been widely known in Russia since 2010. Later, Trojan.Winlock variants targeting users in other countries appeared. In particular, the recently discovered Trojan.Winlock.5490 operates in systems with French set as the default language.

Recent months saw many versions of Trojan blockers showing extortion demands in English, French, German and other European languages. As a rule, they have different architectures and different unlock routines: some unlock with a code, others automatically after a certain period of time. Compared with them, Trojan.Winlock.5416 is a rather primitive extortion program that has neither an unlock code nor routines for checking the system locale, and it runs on all Windows machines. There are several signatures for this type of Trojan horse in the Dr.Web virus database. Most of the known species of this type show German text in the blocking window, but Trojan.Winlock.5416 is a bit different:


The message is in Arabic and informs the user that the computer has been blocked because it has been used to access adult content and view videos of violence against children, which violates Saudi Arabian law. The user is threatened with the Sharia court and told to pay $300 by buying a Ucash prepaid card and entering its code in the blocker window. This code is sent to the criminals' site (hosted in Latvia). The Trojan horse performs no other destructive actions.

It should be noted that this is the first Trojan horse blocker known to Doctor Web that shows messages in Arabic. The removal procedure is quite standard for this type of malicious software and therefore does not deserve a separate description. The Trojan.Winlock.5416 signature has been added to the Dr.Web virus database.
