Doctor Web has reported the appearance of a new modification of a Windows screen-locking (blocker) program, which has been named Trojan.Winlock.5490. This malicious application is dangerous mainly to French-speaking users of Microsoft Windows.
Trojan.Winlock.5490, written in C, runs only on PCs whose operating system has a French localization. The Trojan has built-in anti-debugging: at start-up it checks whether it is running inside a virtual-machine environment (VirtualBox, QEMU, VMware and others), and if a virtual machine is detected, the Trojan terminates.

Recall that a significant share of winlockers work offline: they either carry the unlock code in their own resources (in plain or encrypted form), compute it from a number of parameters, or have no such code at all. Trojan.Winlock.5490 belongs to the last category of extortion programs: the Trojan deletes itself automatically one week after installation, but while the operating system is locked it "knocks" on the attackers' remote server, sending it information about the infected machine and the payment card numbers entered by the victim, and receives the response command "OK".

Once on the victim's computer, Trojan.Winlock.5490 launches the svchost.exe process and injects its own code into it, then issues commands to hide the Windows taskbar and to stop all threads of the explorer.exe and taskmgr.exe processes. The Trojan then registers itself in the registry branch responsible for autostart applications and displays an on-screen window with text in French demanding payment of 100 euros through the Paysafecard or Ukash payment-card systems. The card number entered by the victim is sent to the attackers' remote command server, and in response the Trojan shows a message similar to the following: "Wait! Payment will be processed within 24 hours."

Because this Trojan uses no unlock code, users affected by it are advised to boot the computer from Dr.Web LiveCD and scan it. You can also try changing the computer's BIOS date (setting it a few months ahead, which triggers the Trojan's own one-week self-deletion) and scanning the disk with the Dr.Web CureIt! curing utility, or manually remove the data that launches the Trojan's module from the registry branch Software\Microsoft\Windows\CurrentVersion\Run.
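The manual clean-up step above comes down to inspecting the Run autostart key for an entry that does not belong there. The following script is an added example, not Doctor Web's code and not derived from the Trojan: it audits a set of Run-key entries and flags those whose executable lives in a user-writable location, which is where a blocker installed without administrator rights typically ends up. The sample entries, the `victim` user name and the environment-variable mapping are constructed for the offline run; the prefix lists are a triage heuristic and not an indicator list from the report. On a live Windows system the `read_run_key` helper reads the real keys through the standard `winreg` module.

```python
"""Audit Windows Run-key autostart entries for suspicious executable locations."""
import re
import sys

# Autostart branch named in the report, checked in both the user and machine hives.
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed mapping used to expand placeholders offline (os.path.expandvars
# would only know the host's own environment, which is not Windows here).
ENV_VARS = {
    "%windir%": r"C:\Windows",
    "%systemroot%": r"C:\Windows",
    "%programfiles%": r"C:\Program Files",
    "%appdata%": r"C:\Users\victim\AppData\Roaming",
    "%localappdata%": r"C:\Users\victim\AppData\Local",
    "%temp%": r"C:\Users\victim\AppData\Local\Temp",
}

# Heuristic prefix lists (assumption, not from the report): directories an
# unprivileged user can write to versus protected system directories.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\documents and settings\\", "c:\\programdata\\", "c:\\windows\\temp\\",
)
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample Run-key contents: one legitimate system entry, one legitimate
# per-user application, two entries in locations a blocker would use, one unknown.
SAMPLE_ENTRIES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "svchost": r"C:\Users\victim\AppData\Local\Temp\svchost.exe",
    "Updater": r"C:\ProgramData\Updater\update.exe -silent",
    "Tool": r"D:\tools\monitor.exe",
}


def executable_path(command: str) -> str:
    """Extract the program path from a Run-key command line and expand placeholders."""
    m = re.match(r'\s*"?(.*?\.(?:exe|scr|com|bat|vbs))"?(?:\s|$)', command, re.IGNORECASE)
    path = m.group(1) if m else command.strip().strip('"')
    for var, value in ENV_VARS.items():
        # A callable replacement keeps backslashes in the value literal.
        path = re.sub(re.escape(var), lambda _: value, path, flags=re.IGNORECASE)
    return path


def classify(name: str, command: str) -> tuple:
    """Return (verdict, detail); verdict is 'suspicious', 'review' or 'ok'."""
    exe = executable_path(command)
    low = exe.lower()
    if low.startswith(USER_WRITABLE_PREFIXES):
        return ("suspicious", f"{name}: starts from a user-writable location: {exe}")
    if low.startswith(SYSTEM_PREFIXES):
        return ("ok", f"{name}: {exe}")
    if re.match(r"^[a-z]:\\", low):
        return ("review", f"{name}: outside the usual system locations: {exe}")
    return ("review", f"{name}: bare file name resolved through PATH: {exe}")


def audit(entries: dict) -> list:
    """Classify every Run-key entry, preserving the key's order."""
    return [classify(name, command) for name, command in entries.items()]


def read_run_key(hive_name: str) -> dict:
    """Read the live Run key from HKCU or HKLM (Windows only)."""
    import winreg  # standard library, available only on Windows
    hive = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    entries = {}
    with winreg.OpenKey(hive, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values
                break
            entries[name] = str(data)
            index += 1
    return entries


if __name__ == "__main__":
    if sys.platform == "win32":
        entries = {**read_run_key("HKLM"), **read_run_key("HKCU")}
    else:
        entries = SAMPLE_ENTRIES
    for verdict, detail in audit(entries):
        print(f"[{verdict:10}] {detail}")
```

A user-writable path is a triage signal, not a verdict: the OneDrive entry in the sample is flagged although it is legitimate, so each flagged entry still has to be examined (publisher, file age, whether the name imitates a system binary such as svchost.exe outside System32) before it is removed from the key.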