Welcome to the Virus Encyclopedia of Panda Security.
Ransom.AB is a Trojan designed to extort users by blocking the computer so that they cannot work with it.
Ransom.AB carries out the following actions:
- It reaches the computer in a file which has the following icon, passing itself off as a video with content for adults:
- When the file is run, a wallpaper is displayed on screen and the computer is blocked.
- The message displayed on screen tells users to send an SMS and pay $12 in order to receive a code that unblocks the computer.
- If users do not have the OS in Russian or the corresponding language pack installed, they will see the message in the following way:
- In this case, the key necessary to unblock the computer is: ~2058205~. However, this key changes depending on the file users have run.
- Additionally, it disables the following options:
  - The Task manager, preventing users from viewing the processes that are being run.
  - Restarting the computer in Safe mode. In this mode, the Trojan would not be run, so the computer would not be blocked and the malware could be deleted.
Ransom.AB creates the following entry in the Windows Registry in order to disable the Task manager:
DisableTaskMgr = 1
Ransom.AB modifies the default value of the following entry from the Windows Registry in order to be run whenever Windows is started:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe
Ransom.AB deletes the subkeys from the following Windows Registry entry, in order to prevent the computer from being restarted in Safe mode:
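Added example, not part of the Panda Security entry: the two registry indicators the entry does spell out (a DisableTaskMgr value set to 1, and a Winlogon Shell value that no longer reads Explorer.exe) can be checked offline against a regedit text export. The sample export, the placeholder key holding DisableTaskMgr and the replacement Shell path are constructed, because the entry does not give them.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample in regedit export format; the paths are illustrative only.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\Public\\example.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\EXAMPLE\PlaceholderPolicyKey]
"DisableTaskMgr"=dword:00000001
'''

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each named value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2)

def unquote(raw):
    """Decode a quoted REG_SZ literal (\\\\ and \\" escapes); other types pass through."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw

def findings(text):
    """Return (key, value_name, reason) for each indicator present in the export."""
    out = []
    for key, name, raw in parse_reg(text):
        if name.lower() == "disabletaskmgr":
            m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
            if m and int(m.group(1), 16) == 1:
                out.append((key, name, "Task Manager disabled"))
        elif key.lower() == WINLOGON.lower() and name.lower() == "shell":
            shell = unquote(raw).strip()
            if shell.lower() != "explorer.exe":
                out.append((key, name, "Shell is not Explorer.exe: " + shell))
    return out

if __name__ == "__main__":
    for hit in findings(SAMPLE):
        print(hit)
```

The DisableTaskMgr check matches on the value name under any key, since the entry does not say where the value is written.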
Means of transmission
Ransom.AB usually reaches the computer via email in files with names like:
The following is an example:
It can also reach the computer when users click on certain links or pop-up windows.
Ransom.AB is 264,704 bytes in size.