This malicious program demands a ransom in exchange for the content of an encrypted archive. It is a Windows application (PE EXE file) and is 5 137 408 bytes in size. It is packed using VMProtect and is written in C++.
Once launched, the Trojan creates the following system registry key:
Then, the Trojan displays the following window:
After the user confirms "I agree with the rules", selects a location for unpacking and presses the "Unpack" button, the malware imitates the process of unpacking the files. At a certain stage this process stops and the user is prompted to fill in some fields in a form and then send an SMS containing the text
to one of the following premium-rate numbers:
While sending the confirmation message, the Trojan carries out the following HTTP request:
GET /functions/sms-api/sms_from_soft.php?user_phone=7&flow_id=1&platnik_id=0&num=2855&pt=1 HTTP/1.1
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Host: sti***ofit.com
Cache-Control: no-cache
In response, the server sends back an integer, for example, "216".
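The request above is the Trojan's only observable network activity, so it is the natural thing to hunt for in proxy logs. The following detector is an added example, not code from the original description: it parses constructed proxy log lines (the log format, timestamps and source addresses are assumptions) and flags requests that combine the sms_from_soft.php path with the Indy Library User-Agent, extracting the num and flow_id parameters for triage. Matching on the User-Agent alone is deliberately not enough, since Indy is a common Delphi HTTP component.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not from the original page). The host
# is the masked value as it appears in the description. Line 1 matches the
# Trojan's request; line 2 is benign; line 3 shares only the User-Agent.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET http://sti***ofit.com/functions/sms-api/sms_from_soft.php?user_phone=7&flow_id=1&platnik_id=0&num=2855&pt=1 "Mozilla/3.0 (compatible; Indy Library)" 200
2024-01-01T10:00:02Z 10.0.0.6 GET http://example.org/index.html "Mozilla/5.0" 200
2024-01-01T10:00:03Z 10.0.0.7 GET http://example.net/sms/info.php?x=1 "Mozilla/3.0 (compatible; Indy Library)" 404
"""

# Assumed log layout: timestamp, client IP, method, URL, quoted UA, status.
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d+)$')

# Indicators taken from the HTTP request shown in the description.
SUSPICIOUS_PATH = "/functions/sms-api/sms_from_soft.php"
SUSPICIOUS_UA = "Mozilla/3.0 (compatible; Indy Library)"


def parse_line(line):
    """Split one log line into fields; return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, url, ua, status = m.groups()
    parts = urlsplit(url)
    return {"ts": ts, "src": src, "method": method, "host": parts.hostname,
            "path": parts.path, "query": parse_qs(parts.query),
            "ua": ua, "status": int(status)}


def is_sms_blocker_request(rec):
    """Require both the script path and the UA to keep false positives low."""
    return rec["path"] == SUSPICIOUS_PATH and rec["ua"] == SUSPICIOUS_UA


def find_hits(log_text):
    """Return triage records for every matching request in the log."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sms_blocker_request(rec):
            hits.append({"ts": rec["ts"], "src": rec["src"], "host": rec["host"],
                         "num": rec["query"].get("num", [None])[0],
                         "flow_id": rec["query"].get("flow_id", [None])[0]})
    return hits
```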
The "Support service" link points to the resource:
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the following system registry key (see What is a system registry and how do I use it?):
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).