Tag Archive

Tag Archives for " 01detectransom "

Ransom-O (uFast Download Manager)

Upon blocking it will display a Russian warning that has a translation:

Internet Access is blocked due to violation of uFast Download Manager license agreement.
You need to activate your copy.
In order to get registration code, send SMS with the code fw0627799 on number 7122.
Your code from received SMS       ‘Activate’
Warning!!! Attempt to bypass activation system may harm your computer.

It will modify Windows Registry and add the following entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Explorer\MenuOrder\Start Menu\Programs\Accessories\Communications “Order”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Explorer\MenuOrder\Start Menu\Programs\Accessories “Order”

The threat will drop the following malicious files:

  • c:\Documents and Settings\user\Application Data\uFast Download Manager\PropetyuFastManager.exe
  • %Drive%\Program Files\uFast Download Manager\ufastmanager.exe
  • %Drive%\Program Files\uFast Download Manager\uninstall.exe

Remove Trojan.Ransomlock.C

Other payload of Trojan.Ransomlock.C are as follows:

The Trojan will display a Windows Security Alert in Russian language that asked user to pay for the unlock key.

It will modify Windows Registry entries to disable Safe Mode:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\SafeMode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot