NEWS FROM THE LAB - Monday, April 11, 2011

Video - "Windows Activation" Ransom Trojan

Posted by Sean @ 14:57 GMT

We recently came across a ransom trojan that prompts the following:

"Windows license locked!"


The trojan claims that "you should complete activation" and provides several phone numbers.


The numbers:

  •  002392216368
  •  002392216469
  •  004525970180
  •  00261221000181
  •  00261221000183
  •  00881935211841

While these numbers may look like generic service numbers, they aren't. They go to various countries ("00" is the prefix for international dialing). The countries are: São Tomé and Principe (239), Denmark (45), Madagascar (261) and Globalstar Mobile Satellite Service (8819).

The trojan claims that the call is "free of charge" but it isn't, and the trojan author will earn money from the call via a technique known as short stopping. This method involves rogue phone operators who route the expensive calls to cheaper countries.

After three minutes or so, the caller is given this unlock code: 1351236.

The unlock code appears to be the same every time the number is called.

It's a pretty clever bit of social engineering and some victims may never even realize that they've been scammed.

Here's a video demonstration on the Labs YouTube channel, which also includes some discussion of other ransom trojans.

The GPcode screenshots referenced in the video can be seen here and here.

We detect this trojan (md5: 9a6f87b4be79d0090944c198a68012b6) as Trojan.Generic.KDV.153863.

A full audio recording of our call to the ransom number is here (MP3, 4 minutes).