
You have been re-routed to the Virus:Win32/Expiro.gen!AS write up because Trojan:Win32/Tobfy has been renamed to Virus:Win32/Expiro.gen!AS
 

Virus:Win32/Expiro.gen!AS


Microsoft security software detects and removes this threat. 
 
This family of ransomware trojans targets people from certain countries. It locks your PC and displays a localized webpage that covers your desktop. This webpage demands the payment of a fine for the supposed possession of illicit material.

Some variants might also take webcam snapshots, play an audio message pretending to be from the FBI, close or stop processes or programs, and prevent certain drivers from loading in safe mode, possibly to stop you from disabling the trojan.

Variants of Trojan:Win32/Tobfy might make lasting changes to your PC that make it difficult for you to download, install, run, or update your antivirus software.



What to do now

Some variants of Trojan:Win32/Tobfy might make lasting changes to your PC that make it difficult for you to download, install, run, or update your virus protection.

The following Microsoft software detects and removes this threat:

However, because this threat can lock your screen, you might not be able to download or run antivirus or antimalware software. If that happens, you will need to use Windows Defender Offline:

The following articles might help if you're having trouble getting the tool to work:

After you've used Windows Defender Offline, you should make sure your security software is up to date and run a full scan:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Tobfy also tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

Threat behavior

Trojan:Win32/Tobfy might arrive on your PC via a drive-by download. The folder it is saved to might vary between installations of the ransomware.

You might also inadvertently download it - thinking you were downloading something else - as it has been known to pose as the installer for certain popular applications, such as uTorrent ("uTorrent.exe"), Skype ("Skype.exe"), ICQ ("ICQ.exe"), and the Opera browser ("Opera.exe").

Installation

Depending on the variant and the version of your operating system, Trojan:Win32/Tobfy might modify any of the following registry entries to ensure its copy runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "svñhîst"
With data: "<malware file name>", for example "uTorrent.exe" or "Skype.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "svñhîst"
With data: "<malware file name>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "GoogleChrome"
With data: "<malware file name>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Updater"
With data: "<malware file name>"

Some variants write the data to the key's unnamed (default) value instead of a named value, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: "<malware file name>"
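The following PowerShell is an added example, not code from the Microsoft write-up. It audits the two Run keys listed above for the value names and masquerade file names this page attributes to Tobfy. Assumptions: you are running elevated on a system you can already interact with; for a locked PC, boot Windows Defender Offline or WinPE, load the victim's SOFTWARE hive and NTUSER.DAT with reg load, and point $RunKeys at those mount points instead. The Run keys and the value/file names are the ones quoted on this page; everything else is the example's own.

```powershell
# Added example (not from the Microsoft write-up): audit the Run keys listed on
# this page for the value names and posed-as file names attributed to Tobfy.
# Assumes an elevated session on a reachable system; for an offline hive loaded
# with 'reg load', replace the entries in $RunKeys with the mounted paths.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Value names quoted on this page. 'svñhîst' is a look-alike of svchost built
# from non-ASCII characters; '(default)' is the key's unnamed value.
$SuspectNames = @('svñhîst', 'GoogleChrome', 'Microsoft Updater', '(default)')

# File names the trojan has posed as (from this page). Treat a match as a lead:
# the real products do not normally autostart from a Run value under these names.
$SuspectFiles = @('uTorrent.exe', 'Skype.exe', 'ICQ.exe', 'Opera.exe')

function Get-TobfyRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {          # '' is the (default) value
            $data    = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $display = if ($name -eq '') { '(default)' } else { $name }
            $reasons = @()

            if ($SuspectNames -contains $display) { $reasons += "value name '$display'" }
            if ($display -match '[^\x00-\x7F]')   { $reasons += 'non-ASCII characters in value name' }

            # First .exe token of the command line (quoted or not), then its leaf name
            if ($data -match '^\s*"?([^"]+?\.exe)') {
                $leaf = Split-Path -Leaf $Matches[1]
                if ($SuspectFiles -contains $leaf) { $reasons += "launches '$leaf'" }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key    = $key
                    Name   = $display
                    Data   = $data
                    Reason = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-TobfyRunEntries | Format-Table -AutoSize
```

The non-ASCII check is deliberately broader than the single "svñhîst" name on this page: any Run value whose name contains characters outside ASCII deserves a look, since legitimate installers almost never name autostart entries that way.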

Payload

Prevents you from accessing your desktop

Variants of the Trojan:Win32/Tobfy family display a full-screen webpage that they download from a remote host (this page is also known as a "lock screen"). The page covers all other windows, rendering your PC unusable. It is a fake warning pretending to be from a legitimate institution which demands the payment of a fine.

Paying the "fine" will not necessarily return your PC to a usable state, so this is not advisable.

These displayed webpages might be detected as a variant of the Trojan:HTML/Ransom family, such as Trojan:HTML/Ransom.D. The webpage can either be downloaded or embedded in the trojan's code.

Some examples of localized webpages that variants of Trojan:Win32/Tobfy might display are reproduced here.

Images pretending to be from the Federal Bureau of Investigation; the FBI:

 

An image pretending to be from the International Police Organization; Interpol:

Some variants will also display message boxes such as the following:

Connects to remote servers

In the wild, we have observed Trojan:Win32/Tobfy downloading the webpages from the following URLs via HTTP port 80:

  • <removed>.105/picture.php
  • <removed>.109/picture.php
  • <removed>.132/hsodfhj2iebf/lic.php
  • <removed>.160/adm10187/lic.php
  • <removed>.160/picture.php
  • <removed>.188/410tta0ewm/lic.php
  • <removed>.191/admsec/lic.php
  • <removed>.22/picture.php
  • <removed>.234/picture.php
  • <removed>.248/picture.php
  • <removed>.28/zzmm/picture.php
  • <removed>.52/picture.php
  • <removed>.66/picture.php
  • <removed>.83/picture.php
  • <removed>.86/picture.php
  • <removed>.com/34534663525/lic.php
  • <removed>.com/adminka/lic.php
  • <removed>.com/picture.php
  • <removed>.com/ses/picture.php
  • <removed>.com/web500/picture.php
  • <removed>.hdd1.ru/Silence/read.php?nm=32432
  • <removed>.hdd1.ru/Silence/lic.php
  • <removed>.hopto.org/adm/lic.php
  • <removed>.la2host.ru/Silence/read.php?nm=32432
  • <removed>.org/lll/picture.php
  • <removed>.pl/ses/picture.php
  • <removed>.roshoster.com/Silence/lic.php
  • <removed>.ru/picture.php
  • <removed>.srv0.test-hf.ru/Silence/lic.php
  • <removed>.us/picture.php
  • <removed>.xclan.ru/Silence/lic.php
  • <removed>.xclan.ru/Silence/read.php?nm=32432
  • <removed>151.10/picture.php
  • <removed>156.30/adm27117/lic.php
  • <removed>156.30/adm52807/lic.php
  • <removed>160/adm27117/lic.php
  • <removed>-scripts.org/kjdhfls3u6/picture.php
  • <removed>-security.ru/app/picture.php
  • www2.<removed>.su/get.php?id=14

We have also observed the pages being downloaded from the following URLs:

  • <MachineID>.<removed>.su/get.php?id=14
  • <MachineID>.<removed>.ru/get.php?id=22

where <MachineID> is a unique number based on your hard drive's serial number.

Some of these URLs will only return webpages if your PC is located in a certain geographical location; others will return webpages regardless of your location.

We have observed variants of the Trojan:Win32/Tobfy family connecting to the following hosts to confirm your payment information:

  • hxxp://109.72.156.30/<removed>/lic.php
  • hxxp://193.150.0.188/<removed>/lic.php
  • hxxp://213.179.207.160/<removed>/lic.php
  • hxxp://213.179.207.160/<removed>/lic.php
  • hxxp://37.230.116.119/<removed>/lic.php
  • hxxp://5.187.1.191/<removed>/lic.php
  • hxxp://64.31.17.209/<removed>/lic.php
  • hxxp://83.69.236.132/<removed>/lic.php
  • hxxp://93.190.44.239/<removed>/lic.php
  • hxxp://market-place2011.com/<removed>/lic.php
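The following PowerShell is an added example, not code from the Microsoft write-up. It turns the URL shapes listed above (picture.php and lic.php fetches, the Silence kit's read.php?nm= path, and the <MachineID>.<domain>/get.php?id= form) into regular expressions and runs them over web-proxy log lines. The log format, the client addresses, and the hosts in the sample are constructed for illustration; the path patterns are the only part taken from this page.

```powershell
# Added example (not from the Microsoft write-up): hunt web-proxy logs for the
# URL shapes listed on this page. The patterns are derived from the paths quoted
# there; the log lines and host names below are constructed, not real traffic.

$Patterns = [ordered]@{
    'lock-screen fetch (picture.php)'      = '/picture\.php(\?|$)'
    'page fetch / payment check (lic.php)' = '/lic\.php(\?|$)'
    'Silence kit read.php?nm='             = '/Silence/read\.php\?nm=\d+'
    '<MachineID>.<domain>/get.php?id='     = '^https?://\d+\.[^/]+/get\.php\?id=\d+'
}

# Constructed sample in the form "<time> <client> <method> <url> <status>"
$SampleLog = @(
    '2013-10-28T09:12:01Z 10.0.0.5 GET http://www.example.com/index.html 200'
    '2013-10-28T09:12:07Z 10.0.0.5 GET http://198.51.100.22/picture.php 200'
    '2013-10-28T09:12:09Z 10.0.0.5 POST http://203.0.113.160/adm10187/lic.php 200'
    '2013-10-28T09:12:11Z 10.0.0.5 GET http://files.example.ru/Silence/read.php?nm=32432 200'
    '2013-10-28T09:12:15Z 10.0.0.5 GET http://1234567890.example.su/get.php?id=14 200'
    '2013-10-28T09:13:00Z 10.0.0.6 GET http://cdn.example.net/picture.php?v=2 200'
)

function Find-TobfyUrls {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 5) { continue }       # skip malformed lines
        $url = $f[3]
        foreach ($label in $Patterns.Keys) {
            if ($url -match $Patterns[$label]) {
                [pscustomobject]@{
                    Time      = $f[0]
                    Client    = $f[1]
                    Method    = $f[2]
                    Url       = $url
                    Indicator = $label
                }
            }
        }
    }
}

# picture.php and lic.php are generic enough to occur on legitimate sites, so
# corroborate a hit with a second indicator: the same client fetching several
# of these paths, a host with a purely numeric first label, or a POST to lic.php
# shortly after a picture.php fetch.
Find-TobfyUrls -Lines $SampleLog | Sort-Object Client, Time | Format-Table -AutoSize
```

On the constructed sample the last line (cdn.example.net/picture.php?v=2) matches too, which is the point: a single picture.php hit is a lead to pivot on, not a verdict.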

Takes webcam snapshots

Trojan:Win32/Tobfy uses your PC's webcam, if you have one, to show you your own video feed. This is likely an attempt to make the threat of prosecution seem legitimate and so encourage you to pay the "fine".

Some variants, such as Trojan:Win32/Tobfy.F, do not prevent access to your PC by presenting a lock screen. Instead, the variant will check if you have a webcam, attempt to capture still-images from your camera, and save them to a file as "%TEMP%\snapz.dib".

The variant sends this file to a website (for example, "diamondnet.info") via HTTP POST. (HTTP POST is a type of basic Internet communication between your PC and a website.)

Repeatedly issues an audio warning

Trojan:Win32/Tobfy drops an audio (MP3) file, detected as Trojan:Win32/Tobfy!mp3. The audio file contains a message, which the trojan plays through your PC's speakers. The message plays repeatedly and cannot be stopped. The message states:

"FBI warning. Your computer is blocked for violation of federal law."

Stops processes

Trojan:Win32/Tobfy stops the following Windows system-related processes if they are currently running on your PC:

  • cmd.exe - command prompt
  • msconfig.exe - system configuration utility
  • regedit.exe - Registry Editor
  • taskmgr.exe - Task Manager

Trojan:Win32/Tobfy also closes windows titled "Program Manager" (on current Windows versions this is the desktop window owned by Explorer, window class "Progman"; on older versions it belonged to progman.exe).

Disables drivers and services

Trojan:Win32/Tobfy prevents devices, services, and drivers from loading when the PC starts in safe mode or safe mode with networking. It does this in two ways:

  1. It renames the following registry keys:
    • "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" is renamed to "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini"
    • "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network" is renamed to "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net"
  2. It deletes the registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot="

It might do this to prevent you from starting your PC in safe mode and attempting to disable the ransomware.
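The following PowerShell is an added example, not code from the Microsoft write-up. It checks for the two SafeBoot key renames described above and reverses them, then confirms both Minimal and Network exist again. Assumptions: the trojan has already been removed (for instance with Windows Defender Offline) and you are running elevated on the live system; if you are instead working on the victim's SYSTEM hive loaded offline with reg load, CurrentControlSet is not available there and $SafeBoot must point at the ControlSet00N named by the hive's Select\Current value.

```powershell
# Added example (not from the Microsoft write-up): detect and undo the SafeBoot
# key renames described on this page. Assumes an elevated session after the
# trojan is gone. For an offline hive, set $SafeBoot to the loaded hive's
# ControlSet00N\Control\SafeBoot (CurrentControlSet is a live-system alias).

$SafeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$Renames  = @{ 'mini' = 'Minimal'; 'net' = 'Network' }   # bad name -> original name

function Repair-SafeBootKeys {
    param([switch]$WhatIf)

    if (-not (Test-Path $SafeBoot)) {
        Write-Warning "$SafeBoot is missing entirely; renaming cannot fix that. Restore the tree from a known-good system of the same Windows version, or use Windows Defender Offline."
        return
    }

    foreach ($bad in $Renames.Keys) {
        $good = $Renames[$bad]
        $from = Join-Path $SafeBoot $bad
        $to   = Join-Path $SafeBoot $good
        if (-not (Test-Path $from)) { continue }
        if (Test-Path $to) {
            Write-Warning "Both '$bad' and '$good' exist under SafeBoot; inspect and merge manually."
            continue
        }
        Write-Host "Renaming $from -> $good"
        Rename-Item -Path $from -NewName $good -WhatIf:$WhatIf
    }

    # Verify: a healthy SafeBoot tree has both subkeys, each with dozens of
    # driver/service/group entries. A near-empty subkey has been tampered with.
    foreach ($good in $Renames.Values) {
        $p = Join-Path $SafeBoot $good
        if (Test-Path $p) {
            Write-Host ('{0}: {1} entries' -f $good, (Get-ChildItem -Path $p).Count)
        } else {
            Write-Warning "$good is still missing"
        }
    }
}

Repair-SafeBootKeys -WhatIf    # preview; rerun without -WhatIf to apply
```

Rename-Item on a registry path works through the registry provider, so no .NET registry calls are needed. The page also says some variants delete a SafeBoot key outright; the entry-count check above is what tells you whether a rename is enough or the tree has to be restored from a known-good copy.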

Additional information

Payment methods

We have observed Trojan:Win32/Tobfy using a variety of legitimate payment and financial transfer services, including the following:

Note: These providers are not affiliated with Trojan:Win32/Tobfy.

If you believe you are a victim of fraud involving one of these services, you should contact them along with your local authorities.

Please also see the following Microsoft advisory for additional advice:

Technical information

Variants of Trojan:Win32/Tobfy exit if a top-level window exists that matches any of the following (class name, window name) pairs; a window name of 0 means the title is not checked, as with FindWindow(class, NULL):

  • gdkWindowToplevel, 0 (the top-level window class of GTK-based applications on Windows, such as the GTK builds of Wireshark in use at the time or the geany.exe editor)
  • PROCMON_WINDOW_CLASS, 0 (Procmon.exe, Process Monitor from Sysinternals)

Variants of the family will also exit if the malware's process is running under a debugger.
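The following PowerShell is an added example, not code from the Microsoft write-up. It reproduces the window-class check described above with a P/Invoke call to FindWindowW, so an analyst can confirm inside a sandbox VM whether the sample would bail out before showing its payload. The class names are the two quoted on this page; the IsDebuggerPresent line is included only to show the second check the page mentions, and it reports on the PowerShell process, not on the sample.

```powershell
# Added example (not from the Microsoft write-up): reproduce the anti-analysis
# checks described on this page so you can test an analysis VM before detonation.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr FindWindowW(string lpClassName, string lpWindowName);
[DllImport("kernel32.dll")]
public static extern bool IsDebuggerPresent();
'@

# (class name, window name) pairs from the write-up. $null stands in for the
# page's 0: FindWindow(class, NULL) matches any window of that class.
$Checks = @(
    @{ Class = 'gdkWindowToplevel';    Name = $null }
    @{ Class = 'PROCMON_WINDOW_CLASS'; Name = $null }
)

function Test-TobfyAnalysisChecks {
    $results = @(
        foreach ($c in $Checks) {
            $h = [Win32.Native]::FindWindowW($c.Class, $c.Name)
            [pscustomobject]@{
                Check   = "window class '$($c.Class)'"
                Tripped = ($h -ne [IntPtr]::Zero)
            }
        }
    )
    # Applies to this PowerShell process only; the sample checks its own process.
    $results += [pscustomobject]@{
        Check   = 'IsDebuggerPresent (this process)'
        Tripped = [Win32.Native]::IsDebuggerPresent()
    }
    $results
}

$r = Test-TobfyAnalysisChecks
$r | Format-Table -AutoSize
if ($r.Tripped -contains $true) {
    Write-Warning 'The sample would exit in this environment; close the listed tools before detonating.'
}
```

If Procmon must stay running during detonation, start it after the sample has passed its startup checks, or capture with a tool whose window class is not on the list; the check is a one-shot FindWindow, not a continuous monitor, as far as this page describes it.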

Related encyclopedia entries

Trojan:HTML/Ransom.D

Trojan:Win32/Tobfy.F

Trojan:Win32/Tobfy!mp3

Analysis by Rodel Finones


Symptoms

The following could indicate that you have this threat on your PC:

  • You might be unable to access your PC, and instead see one of the lock-screen pages described under "Payload" above: images pretending to be from the Federal Bureau of Investigation (the FBI) or from the International Police Organization (Interpol).
  • You might see the message or warning boxes that some variants display.

Prevention


Alert level: Severe
First detected by definition: 1.175.549.0
Latest detected by definition: 1.175.578.0 and higher
First detected on: May 27, 2014
This entry was first published on: May 21, 2012
This entry was updated on: Oct 28, 2013

This threat is also detected as:
  • Trojan/Win32.Jorik (AhnLab)
  • Trojan/Win32/PornoAsset (AhnLab)
  • Trojan:Win32/Yakes (AhnLab)
  • Trojan.Win32.Jorik.Zbot (Kaspersky)
  • Trojan.Win32.Yakes (Kaspersky)
  • Trojan-Ransom.Win32.PornoAsset (Kaspersky)
  • W32/Kryptik (Norman)
  • W32/Ransom (Norman)
  • TR/Tobfy.H.15 (Avira)
  • TR/Yakes.blvl (Avira)
  • Trojan.Winlock (Dr.Web)
  • Win32/LockScreen.ANX (ESET)
  • Win32.LockScreen.AKU (ESET)
  • Trojan.Win32.Tobfy (Ikarus)
  • Trojan.Win32.Yakes (Ikarus)
  • Trojan-Ransom.Win32.PornoAsset (Ikarus)
  • Mal/BcCheMan-A (Sophos)
  • Mal/EncPk-AHQ (Sophos)
  • Mal/Gataka-IJ (Sophos)
  • Mal/Katusha-M (Sophos)
  • Trojan.Ransomlock!g21 (Symantec)
  • TROJ_RANSOM.SMJP (Trend Micro)