
Trojan:Win32/Ransom.JJ


Microsoft security software detects and removes this threat.

This threat stops you from loading Windows and displays a full-screen message, commonly called a "lock screen". If this threat asks you to pay a fee or fine, do not pay it. The message is a fraud.

It tries to scare you into paying a fine to unlock your PC.

You can read more on our ransomware page.



What to do now

Microsoft doesn't recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

The following free Microsoft software detects and removes this threat:

However, because this threat can lock your screen, you might not be able to download or run antivirus or antimalware software. If that happens, you will need to use the free tool Windows Defender Offline:

The following articles may help if you're having trouble getting the tool to work:

After you've used Windows Defender Offline, you should update your security software and run a full scan:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Run the Bootrec.exe tool

To completely remove this threat you might need to run the Bootrec.exe tool using your Windows installation CD.

For Windows 8:

  1. Put your Windows 8 media in the DVD drive and restart your PC.
  2. Select a language, time and currency, and keyboard or input method, and then click Next.
  3. Click Repair your computer.
  4. Click Troubleshoot, then Advanced options.
  5. Click Command Prompt, type Bootrec /FixBoot, and then press Enter.
  6. Type Exit and then press Enter.
  7. At the Choose an Option screen click Continue.
  8. Remove the Windows 8 CD from your DVD drive and restart your PC.

For Windows 7:

  1. Put your Windows 7 media in the DVD drive and restart your PC.
  2. Press any key when you are prompted.
  3. Select a language, time and currency, and keyboard or input method, and then click Next.
  4. Click Repair your computer.
  5. Select the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Command Prompt.
  7. Type Bootrec.exe /fixboot, and then press Enter.
  8. Remove the Windows 7 CD from your DVD drive and restart your PC.

Threat behavior

Installation

The trojan first checks for administrative privileges. If it doesn't have them, it prompts you to grant them by displaying a User Account Control window.

Once it has administrative privileges, it overwrites the master boot record (MBR) of the first hard disk drive (HDD) with its own code.

The trojan records the location of its file in %TEMP%\fpath.txt. It then copies itself to %TEMP%\x2z8.exe and runs that file. It deletes the original file recorded in fpath.txt and restarts your PC. 

Payload

Stops you from loading Windows

When your PC is restarted, the trojan displays a message instead of loading Windows.

The message demands the payment of a fine to remove the trojan:

When translated, the message says:

Your computer has been blocked for watching, copying and reproducing video with elements of pedophilia, child porn and gay porn. To unlock you must pay the fine of 1500 Grivnas. You have to wire the mentioned sum to the WEBMONEY account U380679057751 using any pay terminal. In case of a successful transfer of the amount above or equal sum of money the fiscal check of the terminal will contain an unlocking code. You will need to enter unlocking code in the entry field below. Once unlocked, you should remove all materials containing elements of violence and pedophilia. In case of refusing to make a payment all data on your PC will be destroyed with no chance to recover.

Note that this message is false. The trojan will not destroy any of your files.

If the correct code is entered, the trojan restores the MBR and allows you to load Windows normally.

Additional information

The unlock code is stored unencrypted on the disk at offset 0x1a5; the byte at offset 0x1a4 holds its length.
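The layout above can be checked against a dumped first sector. The following is an added triage helper, not Microsoft's code or part of the write-up; it assumes the two offsets are relative to the start of the 512-byte MBR sector (the write-up says "inside the disk" without naming the sector) and uses a constructed sample sector rather than data from a real infection.

```python
MBR_SIZE = 512
LEN_OFFSET = 0x1A4          # byte holding the unlock-code length (from the write-up)
CODE_OFFSET = 0x1A5         # first byte of the unlock code (from the write-up)
PARTITION_TABLE = 0x1BE     # standard MBR partition-table start
SIGNATURE_OFFSET = 0x1FE    # standard 0x55 0xAA boot signature


def parse_lock_sector(sector: bytes) -> dict:
    """Triage a dumped first sector for the Ransom.JJ unlock-code layout.

    Returns the boot-signature status, the stored length byte and the code
    bytes it selects. Raises ValueError if the length would run the code into
    the partition table, which means the sector cannot match the described layout.
    Assumption: offsets are relative to the start of the 512-byte MBR sector.
    """
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(sector)}")
    signature_ok = sector[SIGNATURE_OFFSET:] == b"\x55\xaa"
    code_len = sector[LEN_OFFSET]
    if CODE_OFFSET + code_len > PARTITION_TABLE:
        raise ValueError("length byte would run the code into the partition table")
    code = sector[CODE_OFFSET:CODE_OFFSET + code_len]
    return {
        "signature_ok": signature_ok,
        "code_length": code_len,
        "unlock_code": code.decode("ascii", errors="replace"),
    }


def build_sample_sector(code: bytes) -> bytes:
    """Construct a synthetic sector in the described layout (test data only)."""
    sector = bytearray(MBR_SIZE)
    sector[LEN_OFFSET] = len(code)
    sector[CODE_OFFSET:CODE_OFFSET + len(code)] = code
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    # Constructed sample; a real dump would come from e.g. open("mbr.bin", "rb").read(512)
    sample = build_sample_sector(b"0123456789")
    print(parse_lock_sector(sample))
```

Run it against a sector image copied from the affected disk with an offline imaging tool; the partition-table bound is there so that a sector that merely happens to have a large byte at 0x1a4 is reported as not matching rather than yielding garbage.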

Trojan:Win32/Ransom.JJ shares some code with Trojan:Win32/Ransom.DV.

Analysis by HeungSoo David Kang


Symptoms

The following could indicate that you have this threat on your PC:

  • You can't load Windows when you turn your PC on, and you see this screen:

    [Screenshot of the lock screen]

Prevention


Alert level: Severe
First detected by definition: 1.131.765.0
Latest detected by definition: 1.173.51.0 and higher
First detected on: Jul 26, 2012
This entry was first published on: Feb 25, 2014
This entry was updated on: Mar 03, 2014

This threat is also detected as:
  • Win32/MBRlock.D (ESET)
  • TR/Ransom.Mbro.ahlx (Avira)