
You have been re-routed to the Ransom:Win32/Genasom.DR write-up because Trojan:Win32/Ransom.DR has been renamed to Ransom:Win32/Genasom.DR

Ransom:Win32/Genasom.DR


Microsoft security software detects and removes this threat.

This threat stops you from loading Windows and displays a full-screen message, commonly called a "lock screen". If this threat asks you to pay a fee or fine, do not pay it. The message is a fraud.

It tries to scare you into paying a fine or texting a premium-charge phone number to unlock your PC.

You can read more on our ransomware page.



What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat might arrive on your PC as a file with a random name. When run, it sets the hidden attribute on its own file so that it does not show up in a normal directory listing. It also creates a registry entry so that it automatically runs every time Windows starts.
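The two installation traits above, an autostart registry entry plus a hidden executable, are easy to check for together. The following PowerShell is an added example for this page, not code from the Microsoft write-up; the list of Run keys it inspects and the "hidden and unsigned" heuristic are this example's own choices, and it must be run from an elevated prompt on the affected machine (or on a disk image mounted on a clean one).

```powershell
# Added example (not from the Microsoft write-up): list autostart entries
# whose target file carries the Hidden attribute, the combination described
# in the Installation section. Run from an elevated PowerShell prompt.

# Autostart locations this example inspects (an assumption; extend as needed).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunTarget {
    # Pull the executable path out of a Run value, which may be quoted and
    # may carry arguments, e.g.  "C:\Users\x\AppData\Roaming\abc123.exe" /s
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd    = $item.GetValue($name)
        $target = [Environment]::ExpandEnvironmentVariables((Get-AutorunTarget $cmd))
        if (-not (Test-Path -LiteralPath $target)) { continue }
        # -Force is required, otherwise Get-Item skips hidden files entirely.
        $file = Get-Item -LiteralPath $target -Force
        [pscustomobject]@{
            Key       = $key
            ValueName = $name
            Target    = $target
            Hidden    = $file.Attributes.HasFlag([IO.FileAttributes]::Hidden)
            Signed    = (Get-AuthenticodeSignature -FilePath $target).Status -eq 'Valid'
            Created   = $file.CreationTime
        }
    }
}

# Hidden, unsigned autostart binaries are the suspects; the full list is
# printed afterwards so an operator can judge the rest in context.
Write-Host '== Suspect autostart entries (hidden file, no valid signature) =='
$findings | Where-Object { $_.Hidden -and -not $_.Signed } | Format-Table -AutoSize
Write-Host '== All autostart entries =='
$findings | Format-Table -AutoSize
```

Run it before removal to record the file path and creation time for the incident record, and again after a scan to confirm the Run value is gone; a random file name under the user profile that is hidden and unsigned is exactly the shape this family's dropper takes.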

Payload

Disables drivers and services

The threat breaks Safe Mode and Safe Mode with Networking. Windows reads the SafeBoot registry keys to decide which devices, services, and drivers to load in those modes; once the keys have been renamed that list is gone, so you cannot boot into Safe Mode to get around the lock screen. It does this by renaming the following registry keys:

  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal - renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\M
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network - renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\N
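Because the lock screen prevents normal use of the PC, the practical way to undo the SafeBoot damage is from Windows RE or Windows Defender Offline with the installed system's SYSTEM hive loaded offline. The script below is an added example for this page, not code from the Microsoft write-up: it checks for the \M and \N keys named above and renames them back, either on the live registry (default) or on an offline hive. The `HKLM\OfflineSys` mount name and the `D:\Windows\System32\config\SYSTEM` path are this example's assumptions; adjust them to the drive letter WinRE assigns. It needs administrator rights, and it only repairs Safe Mode; the autorun entry and the dropped file still have to be removed by a scan.

```powershell
# Added example (not from the Microsoft write-up): restore the SafeBoot keys
# that Ransom:Win32/Genasom.DR renames to \M and \N.
# Usage (live system, elevated):   .\Repair-SafeBoot.ps1
# Usage (from WinRE, offline hive): .\Repair-SafeBoot.ps1 -OfflineSystemHive D:\Windows\System32\config\SYSTEM
param(
    [string]$OfflineSystemHive   # path to the offline SYSTEM hive (assumed; optional)
)

if ($OfflineSystemHive) {
    # Mount the offline hive with reg.exe (present in WinRE); the PowerShell
    # registry provider then exposes it under HKLM:\OfflineSys.
    & reg.exe load HKLM\OfflineSys $OfflineSystemHive | Out-Null
    # An offline hive has no CurrentControlSet link, so resolve the active
    # control set from Select\Current (e.g. 1 -> ControlSet001).
    $current    = (Get-ItemProperty 'HKLM:\OfflineSys\Select').Current
    $controlSet = 'HKLM:\OfflineSys\ControlSet{0:D3}' -f $current
} else {
    $controlSet = 'HKLM:\SYSTEM\CurrentControlSet'
}
$safeBoot = Join-Path $controlSet 'Control\SafeBoot'

# Expected key name -> name the malware renamed it to (from the write-up).
$renames = @{ 'Minimal' = 'M'; 'Network' = 'N' }

foreach ($good in $renames.Keys) {
    $bad      = $renames[$good]
    $goodPath = Join-Path $safeBoot $good
    $badPath  = Join-Path $safeBoot $bad
    if (Test-Path $goodPath) {
        Write-Host "OK      $goodPath is present"
    } elseif (Test-Path $badPath) {
        Write-Host "REPAIR  $badPath -> $good"
        # The registry provider supports Rename-Item on keys; subkeys and
        # values (the driver/service list) move with the key.
        Rename-Item -Path $badPath -NewName $good
    } else {
        Write-Warning "$goodPath is missing and no $bad key exists; restore SafeBoot from a backup hive"
    }
}

if ($OfflineSystemHive) {
    & reg.exe unload HKLM\OfflineSys | Out-Null
}
```

The "missing and no renamed key" branch matters: other lock-screen families delete the SafeBoot keys outright instead of renaming them, and in that case the script must not guess at contents, since the exact list of drivers and services under SafeBoot\Minimal varies by Windows version and should come from a known-good hive or backup.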

Blocks PC access

It prevents you from accessing your desktop by showing an image across your screen. The image contains instructions to send an SMS to a premium number so that you can regain access to your PC. The image might look like this:

It also stops EXPLORER.EXE and TASKMGR.EXE and disables mouse control.

Analysis by Zarestel Ferrer


Symptoms

The following could indicate that you have this threat on your PC:

  • Your desktop might have been replaced with the following image:
  • You might not be able to use your mouse.

Prevention


Alert level: Severe
First detected by definition: 1.105.1740.0
Latest detected by definition: 1.185.2481.0 and higher
First detected on: Jun 10, 2011
This entry was first published on: Jun 10, 2011
This entry was updated on: Jun 13, 2014

This threat is also detected as:
  • Trojan-Ransom.Win32.Fullscreen.jo (Kaspersky)
  • Trojan.Winlock.3333 (Dr.Web)
  • Win32/LockScreen.AGU trojan (ESET)
  • Trojan-Ransom.Win32.Fullscreen (Ikarus)
  • Ransom!ds (McAfee)