Trojan:Win32/Ransirac.G


Trojan:Win32/Ransirac.G is a trojan that locks the affected user's computer, and attempts to scare and intimidate the user into paying money to regain access to their infected computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Additional remediation instructions for Trojan:Win32/Ransirac.G:

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following articles:

Additional recovery instructions
This threat uses stealth, and you may need to boot to a trusted environment in order to remove it. The threat may also make changes to your computer that make it difficult for you to download, install or update your virus protection, whether or not you have a complete antivirus such as Microsoft Security Essentials installed on your computer.

If you suspect your computer has been compromised, we recommend using Windows Defender Offline to detect and remove this threat.

Using Windows Defender Offline

Windows Defender Offline works by allowing you to:

  • Download a copy of the tool from a computer that has access to the internet
  • Save a copy of the recovery tool to a removable drive, in order to create bootable media
  • Run the recovery tool on a compromised computer

You might want to use Windows Defender Offline when:

  • You need to scan your computer to check for rootkits and other malware
  • You are infected with malware that prevents you from downloading and installing an antivirus or the latest updates for your antivirus software
  • Your antivirus does not detect or remove advanced malware, such as a rootkit

Note: Windows Defender Offline is not a replacement for a full antivirus solution providing ongoing protection; it is meant to be used in situations where you cannot start or otherwise effectively scan your infected computer due to a virus or other malware actively running on the computer and impeding the effective action of antimalware software. For no-cost, real-time protection that helps guard your home or small business computers against viruses, spyware, and other malicious software, download Microsoft Security Essentials.

  1. Determine if you require the 32-bit or 64-bit download.

    See the Microsoft Help and Support article for instructions on how to determine whether a computer is running a 32-bit or 64-bit version of the Windows operating system.
  2. Using a computer that can connect to the internet, download the version of Windows Defender Offline that applies to the affected computer.

    If the affected computer is a:

    - 32-bit computer, then download the 32-bit version here.
    - 64-bit computer, then download the 64-bit version here.

    Note: In order for the recovery tool to be effective, make sure you download the version that matches the architecture of the affected computer. For example, if your 64-bit desktop is affected, you will need to download the 64-bit version of Windows Defender Offline and save it to a removable drive.
  3. Save the downloaded file to a local drive on your computer.
  4. Launch the downloaded file, and create a bootable device by following the instructions on the wizard.

    Note: We recommend creating a bootable USB or CD; if you create a bootable USB, this can be updated for future use.
  5. From the affected computer, boot from the USB or CD you created in step 4.

    Note: You may need to set the boot order in the BIOS to do this. This will be device specific, so if you are unsure, refer to your system manual or manufacturer.
  6. Follow the prompts to run a full system scan.

    Depending on the outcome of the scan, your next steps will vary. Follow the prompts from Windows Defender Offline to manage any threat detections.

Steps you can take once your computer has been cleaned

  • Install security software, such as Microsoft Security Essentials, or other products that provide a complete, real-time antivirus solution.
  • Keep your antivirus up to date by making sure you have the latest definitions.
  • Use the Microsoft Safety Scanner if you suspect you are infected but are unable to confirm this with your existing antivirus solution.

Threat behavior

Trojan:Win32/Ransirac.G is a trojan that locks the affected user's computer, and attempts to scare and intimidate the user into paying money to regain access to their infected computer.

Installation

When executed, the malware copies itself as "gema.exe" to the following locations:

  • <system folder>
  • c:\documents and settings\all users\application data\gema
  • c:\documents and settings\administrator\application data\gema

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the system folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

It modifies the following registry entries to ensure its execution at each Windows start:

In subkey: HKLM\software\Microsoft\Windows\CurrentVersion\Run
Sets value: "gema"
With data: "<system folder>\gema.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon
Sets value: "userinit"
With data: "<system folder>\gema.exe,<system folder>\userinit.exe,"

In subkey: HKCU\software\Microsoft\Windows\CurrentVersion\Run
Sets value: "gema"
With data: "<AppData>\gema\gema.exe"

In subkey: HKCU\software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "shell"
With data: "<AppData>\gema\gema.exe,explorer.exe"
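A defender-side check for the persistence entries above (the same entries are repeated under Symptoms), as an added example that is not part of this encyclopedia entry: it parses the comma-separated Winlogon "Userinit" and "Shell" values and the Run-key values offline against constructed sample data. The expected default basenames and the sample paths are assumptions; on a live host the values would be read with winreg instead.

```python
import ntpath

# Expected basenames for the two Winlogon list values (assumed English
# default install; the page's <system folder> varies by Windows version).
EXPECTED = {"userinit": {"userinit.exe"}, "shell": {"explorer.exe"}}

# File name the page says this family copies itself as.
SUSPECT_BASENAME = "gema.exe"

def parse_list_value(data):
    """Split a Winlogon value like 'a.exe,b.exe,' into its non-empty entries."""
    return [e.strip() for e in data.split(",") if e.strip()]

def check_winlogon(value_name, data):
    """Return the entries of a Userinit/Shell value that are not the default."""
    expected = EXPECTED[value_name.lower()]
    return [e for e in parse_list_value(data)
            if ntpath.basename(e).lower() not in expected]

def check_run_value(data):
    """True if a Run-key value launches the family's binary name."""
    return ntpath.basename(data.strip('"')).lower() == SUSPECT_BASENAME

def scan(entries):
    """entries: (subkey, value_name, data) triples; returns (subkey, name, flagged)."""
    findings = []
    for subkey, name, data in entries:
        key = subkey.lower()
        if key.endswith("\\winlogon") and name.lower() in EXPECTED:
            extra = check_winlogon(name, data)
            if extra:
                findings.append((subkey, name, extra))
        elif key.endswith("\\run") and check_run_value(data):
            findings.append((subkey, name, [data]))
    return findings

# Constructed sample: three of the page's modifications plus one clean default.
SAMPLE = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon", "userinit",
     r"C:\Windows\System32\gema.exe,C:\Windows\System32\userinit.exe,"),
    (r"HKCU\software\Microsoft\Windows NT\CurrentVersion\Winlogon", "shell",
     r"C:\Documents and Settings\Administrator\Application Data\gema\gema.exe,explorer.exe"),
    (r"HKLM\software\Microsoft\Windows\CurrentVersion\Run", "gema",
     r"C:\Windows\System32\gema.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Windows\system32\userinit.exe,"),
]

for subkey, name, flagged in scan(SAMPLE):
    print(f"{subkey}\\{name}: unexpected {flagged}")
```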

Payload

Displays messages

Once infected, Trojan:Win32/Ransirac.G displays a message which is designed to trick the user into paying money to 'unlock' the computer, so they can regain access.

It contacts the following domains to download HTML, which is then displayed by the trojan:

  • elektropedi.com
  • fazlaoluyoruz.com
  • gunestekstilemlak.com
  • keremcatak.com.tr

Below is an example of a message it displays when it locks the computer, where the affected user is accused of illegally downloading music files:

To appear legitimate, the HTML uses style sheet information and images from the website of GEMA, the real organization it attempts to mimic.

Terminates processes

The trojan checks for, and terminates, the following processes if found running on the affected computer:

  • procexp.exe
  • taskmgr.exe

Additional information

The trojan may also write the file "win.ini" under the directory %windir%.

Analysis by Ray Roberts


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:

    gema.exe

  • The presence of the following registry modifications:

    In subkey: HKLM\software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "gema"
    With data: "<system folder>\gema.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon
    Sets value: "userinit"
    With data: "<system folder>\gema.exe,<system folder>\userinit.exe,"

    In subkey: HKCU\software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "gema"
    With data: "<AppData>\gema\gema.exe"

    In subkey: HKCU\software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "shell"
    With data: "<AppData>\gema\gema.exe,explorer.exe"

  • The display of the following message:


Prevention


Alert level: Severe
First detected by definition: 1.121.548.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Feb 28, 2012
This entry was first published on: Mar 16, 2012
This entry was updated on: Aug 27, 2013

This threat is also detected as:
  • Win32/Gataka.A (ESET)
  • Trojan-Dropper.Win32.Injector.dnhz (Kaspersky)