Trojan:Win32/Tobfy.A is ransomware that prevents you from accessing your desktop by covering it with an image.
The image contains fake instructions and misleading information about a ransom that you supposedly must pay to regain control of your computer. It misleadingly invokes legal authorities in an attempt to convince you to pay.
Trojan:Win32/Tobfy.A may have a random file name, and it may be a hidden file.
It creates the following registry entry to allow it to automatically run every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: "<malware file name>"
Trojan:Win32/Tobfy.A terminates the following processes if they are running on your computer:
cmd.exe - Command prompt
msconfig.exe - System configuration utility
regedit.exe - Registry editor
taskmgr.exe - Task manager
It also closes windows that have the title "Program Manager".
Disables drivers and services
Trojan:Win32/Tobfy.A disables devices, services, and drivers when the computer starts in Safe Mode or Safe Mode with Networking. It does this by renaming the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal is renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network is renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net
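A defender-side check for the two registry indicators listed above (a populated (default) value under the HKCU Run key, and the SafeBoot\Minimal and SafeBoot\Network keys renamed to mini and net), added here as an illustrative PowerShell script; it is not part of the original entry, and the function names are my own. It reads the registry only; the optional restore step renames the SafeBoot keys back and requires an elevated prompt.

```powershell
# Illustrative detection script for the registry indicators described in the
# Tobfy.A entry. Not Microsoft's code; function names are assumptions.

function Test-TobfyRunKey {
    # Tobfy.A stores its path in the (default) value of the HKCU Run key.
    # On a clean system that value is normally unset, so any data is suspicious.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
    if (-not $key) { return $null }
    $data = $key.GetValue('')          # '' addresses the (default) value
    if ([string]::IsNullOrWhiteSpace($data)) { return $null }
    [pscustomobject]@{ Indicator = 'HKCU Run (default) value set'; Data = $data }
}

function Test-TobfySafeBootKeys {
    # Tobfy.A renames SafeBoot\Minimal -> mini and SafeBoot\Network -> net,
    # which breaks Safe Mode. Flag either the original key missing or the
    # renamed key present.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($pair in @(@{ Orig = 'Minimal'; Renamed = 'mini' },
                        @{ Orig = 'Network'; Renamed = 'net'  })) {
        $origMissing    = -not (Test-Path "$base\$($pair.Orig)")
        $renamedPresent = Test-Path "$base\$($pair.Renamed)"
        if ($origMissing -or $renamedPresent) {
            [pscustomobject]@{
                Indicator      = "SafeBoot\$($pair.Orig) tampered"
                OriginalMissing = $origMissing
                RenamedPresent  = $renamedPresent
                RestoreCommand  = "Rename-Item -Path '$base\$($pair.Renamed)' -NewName '$($pair.Orig)'"
            }
        }
    }
}

function Restore-TobfySafeBootKeys {
    # Remediation: put the SafeBoot keys back. Run from an elevated prompt
    # after confirming the findings above; only renames when the original
    # key is absent and the renamed one exists, so it is safe to re-run.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($pair in @(@{ Orig = 'Minimal'; Renamed = 'mini' },
                        @{ Orig = 'Network'; Renamed = 'net'  })) {
        if ((Test-Path "$base\$($pair.Renamed)") -and -not (Test-Path "$base\$($pair.Orig)")) {
            Rename-Item -Path "$base\$($pair.Renamed)" -NewName $pair.Orig -Verbose
        }
    }
}

# Report all findings (empty output means neither indicator was seen).
@(Test-TobfyRunKey; Test-TobfySafeBootKeys) | Where-Object { $_ } | Format-List
```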
Blocks computer access
Trojan:Win32/Tobfy.A prevents you from accessing your computer by displaying an image similar to the following:
The image contains instructions and information about a ransom payment that supposedly allows you to regain access to your computer. The image may invoke a legal authority in an attempt to add false credibility to its demand; that authority is in no way actually connected to the image.
The image is downloaded from certain websites.
We have observed Trojan:Win32/Tobfy.A using a variety of legitimate payment and financial transfer services, including the following:
Note: These providers are not affiliated with Trojan:Win32/Tobfy.A.
If you believe you are a victim of fraud involving one of these services, you should contact them, along with your local authorities.
Analysis by Zarestel Ferrer