Zeus Trojan with Ransomware Bonus

Wednesday, May 23, 2012 @ 12:05 PM gHale

Ransomware remains a popular tactic to cajole users into giving up funds to unlock their system.

It is no surprise, then, that there is a new piece of malware out there with a ransomware component added in.


Once this new Zeus 2.x variant executes, it first opens Internet Explorer and points it towards a specific URL (lex.creativesandboxs.com/locker/lock.php). At the same time, the user ends up blocked from doing anything on his computer, said researchers at F-Secure.

The site in question is now offline, so it is difficult to say for sure what it contained. The condition for “unlocking” the computer is stored locally, in the registry, so it is possible to unlock it without paying the ransom.

According to the researchers, users who have found themselves effectively locked out of the computer must do the following:
1. Boot the system in safe mode
2. Add a new key named syscheck under HKEY_CURRENT_USER
3. Create a new DWORD value under the syscheck key
4. Set the name of the new DWORD value to Checked
5. Set the data for the Checked value to 1
6. Reboot
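The six steps above as a PowerShell script, added here as an example (not code from F-Secure or the original article). It assumes the registry path HKCU\syscheck and the DWORD value Checked described in the steps, and that it is run in Safe Mode under the affected user's account, since HKEY_CURRENT_USER is per-user:

```powershell
# Added example: write the unlock value the article describes and verify it.
# Assumptions (from the listed steps): key HKCU\syscheck, REG_DWORD "Checked" = 1.
$KeyPath   = 'HKCU:\syscheck'
$ValueName = 'Checked'

function Set-SyscheckUnlock {
    # Step 2: create the syscheck key under HKEY_CURRENT_USER if it is missing.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Steps 3-5: create (or overwrite) the DWORD value "Checked" with data 1.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-SyscheckUnlock {
    # Returns $true only if the key exists and Checked is a REG_DWORD equal to 1,
    # so a typo in the value name or a REG_SZ "1" is caught before rebooting.
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $key = Get-Item -Path $KeyPath
    if (-not ($key.GetValueNames() -contains $ValueName)) { return $false }
    if ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return $false }
    return ($key.GetValue($ValueName) -eq 1)
}

Set-SyscheckUnlock
if (Test-SyscheckUnlock) {
    Write-Output 'HKCU\syscheck\Checked = 1 is set. Reboot to complete the unlock (step 6).'
    # Restart-Computer   # uncomment to reboot immediately
} else {
    Write-Error 'The Checked value was not written as a DWORD with data 1.'
}
```

The script only restores access to the desktop; as the article notes, the Zeus infection itself is untouched and still has to be removed.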

These steps only unlock the computer; they do not remove the malware, so the threat of having financial and login information stolen remains after the system is unlocked.
