We recently came across a ransom trojan that prompts the following:
“Windows license locked!”
The trojan claims that “you should complete activation” and provides several phone numbers.
While these numbers may look like generic service numbers, they aren’t. They go to various countries (“00” is the prefix for international dialing). The countries are: São Tomé and Principe (239), Denmark (45), Madagascar (261) and Globalstar Mobile Satellite Service (8819).
The trojan claims that the call is “free of charge” but it isn’t, and the trojan author will earn money from the call via a technique known as short stopping. This method involves rogue phone operators who route the expensive calls to cheaper countries.
After three minutes or so, the caller is given this unlock code: 1351236.
The unlock code appears to be the same every time the number is called.
It’s a pretty clever bit of social engineering and some victims may never even realize that they’ve been scammed.
Here’s a video demonstration on the Labs YouTube channel, which also includes some discussion of other ransom trojans.
We detect this trojan (md5: 9a6f87b4be79d0090944c198a68012b6) as Trojan.Generic.KDV.153863.
A full audio recording of our call to the ransom number is here (MP3, 4 minutes).
On 11/04/11 At 02:57 PM