This type of ransom Trojan is dropped by other malware or downloaded from the internet.
It infects the MBR (Master Boot Record) of the running system. When executed, the Trojan overwrites the MBR on the hard drive and stores the original MBR in a second section.
It then displays a message informing you that the system is locked and that you must pay to unlock it again. While this screen is shown, the normal boot procedure is interrupted.
Malware behavior
The Trojan is dropped by other malware or downloaded when a user visits a malicious website.
- It makes a copy of itself in the following folder:
  %Userprofile%\Local Settings\Temp\x2z8.exe
- It also drops a clean file in this folder:
  %Userprofile%\Local Settings\Temp\fpath.txt
Note
If the Trojan is executed, it overwrites the original MBR and forces a restart of the operating system. After that, the following message will appear:
Solution
During our investigation, we found that the "Unlock Code" is hard-coded into the infected MBR. The code is static and not randomly generated. So, if you are infected, please use the following key for unlocking: 21545455
We detect the Trojan as TR/Crypt.XPACK.Gen and the infected MBR as BOO/Ransom.A.
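As an added example (not code from this advisory or the vendor), the following Python script triages a raw 512-byte MBR image the way a responder would: it checks the boot signature, parses the partition table, and flags a sector that carries the static unlock code quoted above. The sample sectors are constructed here, and the assumption that the code is embedded as a plain ASCII string is mine, not something the advisory states.

```python
"""Triage a raw 512-byte MBR image (added example; sample sectors are constructed)."""
import struct

MBR_SIZE = 512
PART_TABLE_OFF = 0x1BE           # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xAA"           # expected in the last two bytes of the sector
# Static unlock code quoted in the advisory. Assumption (not stated on the page):
# that it is embedded in the infected sector as a plain ASCII string.
STATIC_UNLOCK_CODE = b"21545455"


def parse_partitions(mbr: bytes) -> list:
    """Return (bootable, type_id, lba_start, sector_count) for each non-empty entry."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            entries.append((status == 0x80, ptype, lba, count))
    return entries


def triage_mbr(mbr: bytes) -> dict:
    """Summarise the integrity signals a responder checks on a suspect boot sector."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    return {
        "valid_signature": mbr[510:512] == BOOT_SIG,
        "partitions": parse_partitions(mbr),
        # only the boot-code area is searched; the partition table is binary data
        "contains_static_code": STATIC_UNLOCK_CODE in mbr[:PART_TABLE_OFF],
    }


def build_sector(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR: boot code, partition table, boot signature."""
    sector = bytearray(boot_code.ljust(PART_TABLE_OFF, b"\x00")[:PART_TABLE_OFF])
    for bootable, ptype, lba, count in partitions:
        sector += struct.pack("<B3xB3xII", 0x80 if bootable else 0, ptype, lba, count)
    sector += b"\x00" * 16 * (4 - len(partitions))   # unused entries are zeroed
    sector += BOOT_SIG
    return bytes(sector)


# Constructed samples: a clean sector and one whose boot code embeds the static code.
SAMPLE_TABLE = [(True, 0x07, 2048, 204800)]
CLEAN_MBR = build_sector(b"\xEB\x3C\x90" + b"\x90" * 20, SAMPLE_TABLE)
LOCKED_MBR = build_sector(b"\xEB\x3C\x90" + STATIC_UNLOCK_CODE, SAMPLE_TABLE)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("locked", LOCKED_MBR)):
        print(name, triage_mbr(sector))
```

On a real host the sector would be read from the raw disk device with administrative rights, and a hit should be followed by restoring the MBR from a known-good backup rather than trusting the recovered copy the malware left behind.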