November 16, 2012

Virus analysts from Russian anti-virus company Doctor Web are warning users about a new Windows blocker program from the notorious Trojan.Winlock family that is wreaking havoc on PCs in Russia. The program has been dubbed Trojan.Winlock.7372. Unlike its kin, this malware doesn't incorporate any messages or images; instead it obtains everything necessary from the Internet, and its targets are outside Russia..

The first Windows blockers to compromise machines in Europe appeared in the autumn of 2011, and before that, the malignantscheme had been successfully tested and honed by hackers in Russia. This malicious program is distributed by similar programs from the Backdoor.Umbra family. The Trojan.Winlock.7372 architecture in no way resembles that of other extortionist Trojans. First, there are no images, texts or other resources necessary to display an extortion message on the screen once access to Windows has been blocked. Trojan.Winlock.7372 downloads all required data from a remote server, and the block screen is an ordinary web page.

When launched on an infected computer, Trojan.Winlock.7372 registers itself in the system registry branch responsible for start-up programs, and then runs an endless loop to search and stop a number of applications and system utilities. These include the Task Manager, Notepad, Registry Editor, Command Prompt, System Configuration, Microsoft Internet Explorer, Google Chrome, Firefox, Opera, ProcessHacker and Process Monitor. The Trojan also utilizes a rarely used routine to disable the firewall. Trojan.Winlock.7372 then creates an invisible full-screen window displaying a web page containing a demand to pay for unlocking the operating system.

Attackers require that the victim pay $200, and the payment confirmation code is sent to the server controlled by criminals over the network. Anyone attempting to access the control server will be prompted to enter a login and password in a browser window. The Trojan network control center allows attackers to monitor the spread of Trojan.Winlock.7372 and change its settings.

The signature of the threat has been added to the Dr.Web virus database, so it does not pose a serious danger to systems protected by Dr.Web software.