Trojan.Winlock threatens Arab users with Sharia court

February 3, 2012

Doctor Web's virus analysts discovered a new Trojan.Winlock modification threatening residents of Arab countries. Trojan horses of this family have been widely known in Russia since 2010. Later, Trojan.Winlock variants targeting users in other countries appeared. In particular, the recently discovered Trojan.Winlock.5490 operates in systems with French set as the default language.

Recent months saw many versions of Trojan blockers showing extortion demands in English, French, German and other European languages. As a rule, they have different architectures and different unlock routines: some unlock when a code is entered, others automatically after a certain period of time. Compared with them, Trojan.Winlock.5416 is a rather primitive extortion program that has neither an unlock code nor routines for checking the system locale, and it runs on all Windows machines. There are several signatures for this type of Trojan horse in the Dr.Web virus database. Most of the known species of this type show German text in the blocking window, but Trojan.Winlock.5416 is a bit different:

[Screenshot of the blocking window]

The message is in Arabic and informs the user that the computer has been blocked because it was used to access adult content and to view videos of violence against children, which violates Saudi Arabian law. The user is threatened with a Sharia court and told to pay $300 by buying a Ucash prepaid card and entering its code in the blocker window. This code is sent to the criminals' site (hosted in Latvia). The Trojan horse performs no other destructive actions.

This is the first Trojan horse blocker known to Doctor Web that shows messages in Arabic. The removal procedure is quite standard for this type of malicious software and therefore does not deserve a separate description. The Trojan.Winlock.5416 signature has been added to the Dr.Web virus database.
