Virus:Win64/Expiro.AB

Trojan:Win32/Tobfy.A is a ransomware that prevents you from accessing your desktop by covering the desktop with a certain image.

The image contains fake instructions and misleading information about a ransom that you need to pay to regain control of your computer. The image misleadingly invokes legal authorities in an attempt to convince you to pay the ransom.

Installation

Trojan:Win32/Tobfy.A may have a random file name. It may be a hidden file.

It creates the following registry entry to allow it to automatically run every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: "<malware file name>"

Payload

Terminates processes

Trojan:Win32/Tobfy.A terminates the following process names if they are currently running in your computer:

• cmd.exe - Command prompt
• msconfig.exe - System configuration utility
• regedit.exe - Registry editor
• taskmgr.exe - Task manager

It also closes windows that have the title "Program Manager".

Disables drivers and services

Trojan:Win32/Tobfy.A disables devices, services, and drivers when the computer starts in Safe Mode and Safe Mode with Networking. It does this by renaming the following registry keys:

• HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal is renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini
• HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network is renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net

Blocks computer access

Trojan:Win32/Tobfy.A prevents you from accessing your computer by displaying an image similar to the following:

The image contains instructions and information about a ransom payment to allow you to regain access to your computer. However, the image may invoke a legal authority in an attempt to add false credibility to its request. The legal authority is in no way actually connected to the image.

The image is downloaded from certain websites.

Additional information

We have observed Trojan:Win32/Tobfy.A using a variety of legitimate payment and financial transfer services, including the following:

• Green Dot MoneyPak
• Paysafecard
• Ukash
• Ultimate Game Card

Note: These providers are not affiliated with Trojan:Win32/Tobfy.A.

If you believe you are a victim of fraud involving one of these services, you should contact them, along with your local authorities.

Analysis by Zarestel Ferrer