The trojan first checks for administrative priviliges. If it doesn't have them, it prompts you to give them by displaying a User Access Control window.
Once it has administrative priviliges, it overwrites the master boot record (MBR) of the first hard disk drive (HDD) with its own code.
The trojan records the location of its file in %TEMP%\fpath.txt. It then copies itself to %TEMP%\x2z8.exe and runs that file. It deletes the original file recorded in fpath.txt and restarts your PC.
Stops you from loading Windows
When your PC is restarted, the trojan displays a message instead of loading Windows.
The message demands the payment of a fine to remove the trojan:
When translated, the messages says:
Your computer has been blocked for watching, copying and reproducing video with elements of pedophilia, child porn and gay porn. To unlock you must pay the fine of 1500 Grivnas. You have to wire the mentioned sum to the WEBMONEY account U380679057751 using any pay terminal. In case of a successful transfer of the amount above or equal sum of money the fiscal check of the terminal will contain an unlocking code. You will need to enter unlocking code in the entry field below. Once unlocked, you should remove all materials containing elements of violence and pedophilia. In case of refusing to make a payment all data on your PC will be destroyed with no chance to recover.
Note that this message is false. The trojan will not destroy any of your files.
If the correct code is entered, the trojan restores the MBR and allows you to load Windows normally.
The code is hardcoded inside the disk in the offset 0x1a5, in the length of byte offset 0x1a4.
Trojan:Win32/Ransom.JJ This threat shares some code with Ransom:Win32/Genasom.DV.
Analysis by HeungSoo David Kang
The following could indicate that you have this threat on your PC:
- You can't load Windows when you turn your PC on, and you see this screen: