This threat is ransomware that targets users in Switzerland. It displays a window that covers the entire desktop of the infected computer and demands payment, claiming that the user possesses illicit material.
The malware modifies the system registry so that it runs automatically every time Windows starts, even when Windows is started in Safe Mode:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Modifies value: "Shell"
From data: "explorer.exe"
To data: "<malware path and file name>"
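The Winlogon "Shell" value described above is a useful place to check during triage, because the legitimate data is the bare string "explorer.exe" and anything else indicates the shell has been replaced. The following PowerShell script is an added example, not part of the original entry: it reads the value, reports whether it has been tampered with, and can restore the default. The HKCU check is an assumption added here (Winlogon also honours a per-user Shell value); the entry itself names only the HKLM location.

```powershell
# Added example (not from the original entry): audit the Winlogon "Shell" value
# that this threat overwrites, and optionally restore the default.
# Run from an elevated session; on a locked-up machine this typically means a
# remote PowerShell session or an offline hive loaded with reg.exe.
$Expected = 'explorer.exe'
$ShellKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # location named in the entry
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'    # assumption: per-user override
)

function Test-WinlogonShell {
    param([switch]$Restore)
    foreach ($key in $ShellKeys) {
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($null -eq $shell) {
            # Value absent: Windows falls back to the default shell; nothing to report.
            [pscustomobject]@{ Key = $key; Value = $null; Tampered = $false }
            continue
        }
        # The legitimate data is exactly "explorer.exe"; a full path (for example
        # under a user profile) is the pattern this threat leaves behind.
        $tampered = $shell.Trim() -ne $Expected
        if ($tampered) {
            Write-Warning "$key Shell is '$shell' (expected '$Expected')"
            if ($Restore) {
                # Record the old value for the incident record before overwriting it.
                # Restoring only makes sense once the file it points to has been removed.
                Add-Content -Path "$env:TEMP\winlogon-shell-backup.txt" -Value "$key`t$shell"
                Set-ItemProperty -Path $key -Name Shell -Value $Expected
            }
        }
        [pscustomobject]@{ Key = $key; Value = $shell; Tampered = $tampered }
    }
}

# Report only; add -Restore to put the default back after cleanup.
Test-WinlogonShell | Format-Table -AutoSize
```

The tampered value is also the quickest way to locate the malware file itself: the path it contains is where the executable was dropped, which the entry leaves unspecified as `<malware path and file name>`.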
Prevents the user from accessing the desktop
The malware displays a full-screen image that covers all other windows, rendering the computer effectively unusable. The image is a fake warning that pretends to come from a legitimate institution such as the Swiss Federal Department of Justice and Police and demands payment of a supposed fine. Even if the user pays, the computer is still left unusable.
The image may appear as the following:
The text roughly translates to:
Attention! Illegal activity was detected. The operating system was locked for infringement against the laws of Switzerland. Your IP address is <removed>. From this IP address, sites containing pornography, child pornography, bestiality and violence against children were browsed. Your computer also has video files with pornographic content, elements of violence and child pornography. Emails with terrorist background were also spammed. This serves to lock the computer to stop your illegal activities.
The malware queries a legitimate IP address geolocation service to determine the country and the ISP from which the infected computer is connecting to the Internet.
Connects to remote servers
The malware has been observed to connect to the following IP address; as of this writing, the server is unavailable:
The malware attempts to perform the following actions every 100 milliseconds:
- terminate taskmgr.exe
- suspend explorer.exe
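Because the loop above keeps Task Manager killed and explorer.exe suspended, the desktop cannot be used to investigate, but the state is easy to confirm from a remote PowerShell session. The following script is an added example, not part of the original entry: it reports whether every thread of explorer.exe is in the suspended wait state and whether taskmgr.exe is running at all, which together match the behaviour described. The process names are those from the entry; the thread-state logic is an assumption based on the .NET ProcessThread properties exposed by Get-Process.

```powershell
# Added example (not from the original entry): confirm the "suspend explorer,
# kill Task Manager" behaviour from a remote session on the affected machine.

function Get-ExplorerSuspensionState {
    # One object per explorer.exe instance; AllSuspended is the indicator of interest.
    $procs = @(Get-Process -Name explorer -ErrorAction SilentlyContinue)
    foreach ($p in $procs) {
        $threads   = @($p.Threads)
        # A thread suspended with SuspendThread shows ThreadState 'Wait' and
        # WaitReason 'Suspended' in System.Diagnostics.ProcessThread.
        $suspended = @($threads | Where-Object {
            $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended'
        })
        [pscustomobject]@{
            Id           = $p.Id
            Threads      = $threads.Count
            Suspended    = $suspended.Count
            AllSuspended = ($threads.Count -gt 0 -and $suspended.Count -eq $threads.Count)
        }
    }
}

function Test-TaskManagerRunning {
    # Returns $true if at least one taskmgr.exe is alive; with the 100 ms loop
    # described above it is killed almost immediately after launch.
    return [bool](Get-Process -Name taskmgr -ErrorAction SilentlyContinue)
}

function Test-LockerBehaviour {
    $explorer = @(Get-ExplorerSuspensionState)
    $state = [pscustomobject]@{
        ExplorerInstances   = $explorer.Count
        ExplorerAllSuspended = ($explorer.Count -gt 0 -and -not ($explorer | Where-Object { -not $_.AllSuspended }))
        TaskManagerRunning  = Test-TaskManagerRunning
    }
    # Both conditions together are consistent with the behaviour in this entry;
    # either alone can have benign causes (a debugger, a crashed shell).
    $state | Add-Member -NotePropertyName Indicative -NotePropertyValue (
        $state.ExplorerAllSuspended -and -not $state.TaskManagerRunning
    ) -PassThru
}

Test-LockerBehaviour | Format-List
```

Run it through `Invoke-Command -ComputerName <host>` or a PSRemoting session, since the local desktop is unusable while the locker is active. If the result is indicative, terminating the process named in the Winlogon Shell value and then resuming or restarting explorer.exe restores the desktop for further cleanup.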
Analysis by Horea Coroiu