Follow:

You have been re-routed to the Trojan:Win32/Ransom.DR write up because Trojan%3aWin32%2fRansom.DR has been renamed to Trojan:Win32/Ransom.DR
 

Trojan:Win32/Ransom.DR


Microsoft security software detects and removes this threat.

Trojan:Win32/Ransom.DR is ransomware that prevents you from accessing your PC by covering the desktop with a certain image. The image contains instructions for you to send an SMS to a premium number to regain control of the desktop.

More information about ransomware is available in our Ransomware page.



What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

The following free Microsoft software detects and removes this threat:

However, because this threat can lock your screen, you might not be able to download or run antivirus or antimalware software. If that happens, you will need to use the free tool Windows Defender Offline:

The following articles may help if you're having trouble getting the tool to work:

After you've used Windows Defender Offline, you should update your security software and run a full scan:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Threat behavior

Installation

Trojan:Win32/Ransom.DR might arrive in your PC with a random file name. When run, it changes its file attributes to hidden. It also creates a registry entry so that it automatically runs every time Windows starts.

Payload

Disables drivers and services

Trojan:Win32/Ransom.DR disables devices, services, and drivers if your PC starts in Safe Mode and Safe Mode with Networking. It does this by renaming the following registry key:

  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal - renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\M
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network - renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\N

Blocks PC access

Trojan:Win32/Ransom.DR prevents you from accessing your desktop by showing an image across your screen. The image contains instructions to send an SMS to a premium number so that you can regain access to your PC. The image might look like this:

It also stops EXPLORER.EXE and TASKMGR.EXE and disables mouse control.

Analysis by Zarestel Ferrer


Symptoms

The following could indicate that you have this threat on your PC:

  • Your desktop might have been replaced with the following image:
  • You might not be able to use your mouse.

Prevention


Alert level: Severe
First detected by definition: 1.105.1740.0
Latest detected by definition: 1.169.2220.0 and higher
First detected on: Jun 10, 2011
This entry was first published on: Jun 10, 2011
This entry was updated on: Feb 14, 2014

This threat is also detected as:
  • Trojan-Ransom.Win32.Fullscreen.jo (Kaspersky)
  • Trojan.Winlock.3333 (Dr.Web)
  • Win32/LockScreen.AGU trojan (ESET)
  • Trojan-Ransom.Win32.Fullscreen (Ikarus)
  • Ransom!ds (McAfee)