
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Ransom.AB

Threat Level: Low threat. Damage: High. Distribution: Not widespread.

Effects 

Ransom.AB is a Trojan designed to blackmail users by blocking the computer so that they cannot work with it.

Ransom.AB carries out the following actions:

  • It reaches the computer in a file which has the following icon, passing itself off as a video with content for adults:

    File in which Ransom.AB reaches the computer
  • When the file is run, a wallpaper is displayed on screen and the computer is blocked.
  • The message displayed on screen informs users that they have to send an SMS and pay $12 in order to receive a code to unblock the computer.
  • If users do not have the OS in Russian or the corresponding language pack installed, the message is displayed as follows:

    Message displayed by Ransom.AB
  • In this case, the key necessary to unblock the computer is: ~2058205~. However, this key changes depending on the file users have run.
  • Additionally, it disables the following options:
    - the Task manager, preventing users from viewing the processes that are being run.
    - restarting the computer in Safe mode. In this mode, the Trojan would not be run, so the computer would not be blocked and the malware could be deleted.

Infection strategy 

Ransom.AB creates the following entry in the Windows Registry in order to disable the Task manager:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
    DisableTaskMgr = 1

 

Ransom.AB modifies the default value of the following entry from the Windows Registry in order to be run whenever Windows is started:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell = Explorer.exe

 

Ransom.AB deletes the subkeys from the following Windows Registry entry, in order to prevent the computer from being restarted in Safe mode:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
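
The three registry changes listed above can be checked offline against a text export of the registry. The following Python is an added example, not code from Panda Security; the sample export, the Shell path in it and the function names are constructed for illustration.

```python
import re

# Constructed sample in `reg export` text form (real exports are UTF-16; decode first).
# The Shell path is a made-up placeholder, not a value from the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\Public\\sample.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
'''

POLICY = r'hkey_current_user\software\microsoft\windows\currentversion\policies\system'
WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
SAFEBOOT = r'hkey_local_machine\system\currentcontrolset\control\safeboot'

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: data}} for string and dword values."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r'\[(.+)\]', line):
            current = keys.setdefault(m.group(1).lower(), {})
        elif current is not None and (v := re.fullmatch(r'"(.+?)"=(.*)', line)):
            data = v.group(2)
            if data.startswith('dword:'):
                data = int(data[6:], 16)
            else:  # quoted string: drop quotes, undo .reg backslash escaping
                data = data.strip('"').replace('\\\\', '\\')
            current[v.group(1).lower()] = data
    return keys

def check_indicators(text):
    """List which of the three registry changes described above are present."""
    keys, findings = parse_reg(text), []
    if keys.get(POLICY, {}).get('disabletaskmgr') == 1:
        findings.append('DisableTaskMgr = 1 (Task Manager disabled)')
    shell = keys.get(WINLOGON, {}).get('shell')
    if shell is not None and shell.lower() != 'explorer.exe':
        findings.append(f'Winlogon Shell is not Explorer.exe: {shell}')
    # Only judge SafeBoot if the export covers it; no child keys means they were deleted.
    if SAFEBOOT in keys and not any(k.startswith(SAFEBOOT + '\\') for k in keys):
        findings.append('SafeBoot has no subkeys (Safe mode boot unavailable)')
    return findings

if __name__ == '__main__':
    for finding in check_indicators(SAMPLE_REG):
        print(finding)
```

A Winlogon Shell value other than Explorer.exe can also come from a legitimate kiosk configuration, so treat that finding as a lead to verify rather than a verdict.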

Means of transmission 

Ransom.AB usually reaches the computer via email in files with names like:

  • VIP_PORNO_54567.AVI.EXE
  • VIP_PORNO_64401.AVI.EXE
  • VIP_PORNO_75544.AVI.EXE
  • VIP_PORNO_73828.AVI.EXE

 

The following is an example:

File in which Ransom.AB reaches the computer

 

It can also reach the computer when users click on certain links or pop-up windows.

Further Details  

Ransom.AB is 264,704 bytes.
