You have been re-routed to the Trojan:Win32/Tobfy.A write up because Trojan%253aWin32%252fTobfy.A has been renamed to Trojan:Win32/Tobfy.A


Trojan:Win32/Tobfy.A is a ransomware that prevents you from accessing your desktop by covering the desktop with a certain image.

What to do now

This threat changes registry data that will not be restored by detecting and removing this threat. To return registry data on an affected computer to its pre-infected state, run System Restore:

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

In some cases, Trojan:Win32/Tobfy.A may make lasting changes to your computer that will NOT be restored by detecting and removing this threat. To regain access to your computer, you may have to reinstall Windows.

Threat behavior

Trojan:Win32/Tobfy.A is a ransomware that prevents you from accessing your desktop by covering the desktop with a certain image.

The image contains fake instructions and misleading information about a ransom that you need to pay to regain control of your computer. The image misleadingly invokes legal authorities in an attempt to convince you to pay the ransom.


Trojan:Win32/Tobfy.A may have a random file name. It may be a hidden file.

It creates the following registry entry to allow it to automatically run every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: "<malware file name>"


Terminates processes

Trojan:Win32/Tobfy.A terminates the following process names if they are currently running in your computer:

  • cmd.exe - Command prompt
  • msconfig.exe - System configuration utility
  • regedit.exe - Registry editor
  • taskmgr.exe - Task manager

It also closes windows that have the title "Program Manager".

Disables drivers and services

Trojan:Win32/Tobfy.A disables devices, services, and drivers when the computer starts in Safe Mode and Safe Mode with Networking. It does this by renaming the following registry keys:

  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal is renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network is renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net

Blocks computer access

Trojan:Win32/Tobfy.A prevents you from accessing your computer by displaying an image similar to the following:

The image contains instructions and information about a ransom payment to allow you to regain access to your computer. However, the image may invoke a legal authority in an attempt to add false credibility to its request. The legal authority is in no way actually connected to the image.

The image is downloaded from certain websites.

Additional information

We have observed Trojan:Win32/Tobfy.A using a variety of legitimate payment and financial transfer services, including the following:

Note: These providers are not affiliated with Trojan:Win32/Tobfy.A.

If you believe you are a victim of fraud involving one of these services, you should contact them, along with your local authorities.

Analysis by Zarestel Ferrer


System changes

The following system changes may indicate the presence of this malware:

  • You cannot access your computer
  • You see an image similar to the following on your desktop:

  • Task Manager, Command Prompt, and Registry Editor fail to run properly


Alert level: Severe
First detected by definition: 1.129.1679.0
Latest detected by definition: 1.163.1623.0 and higher
First detected on: Jul 14, 2012
This entry was first published on: Jul 14, 2012
This entry was updated on: Oct 04, 2013

This threat is also detected as:
  • Trojan.Win32.Buzus.lzqq (Kaspersky)
  • W32/Cridex.R (Norman)
  • TR/Buzus.lzqq (Avira)
  • Gen:Variant.Graftor.41228 (BitDefender)
  • Trojan.Winlock.6673 (Dr.Web)
  • Win32/LockScreen.AKU trojan (ESET)
  • TROJ_SPNR.0BI312 (Trend Micro)