Porn Trojan Attempts Extortion
CYBERSPACE — A Trojan that installs intrusive ads for pornography and then demands a ransom to remove the messages from users’ browsers is frustrating the life out of some unlucky surfers.Anti-virus firm Symantec calls the threat minor and classifies containment and removal as “easy,” but that assessment doesn’t make users with infected computers feel much better.
Trojan.Ransompage, apparently created and distributed by Russian hackers, displays advertisements for pornography inside the browser on infected machines. The ads appear on every page a user visits, covering part of the content on the page, and they can’t be scrolled past. Making the situation even more vexing, the ads’ text is written in Russian, making them indecipherable for most people.
According to Symantec’s Fred Gutierrez, a rough translation reads, “If you installed an advertising module has been, but you have chosen to unsubscribe, you send the MC to short number specified below. Code allows you to remove the received news ticker. 1) Informer removed automatically after 30 days. 2) Free porn video archives. 3) Technical support service. To remove the informer, send SMS message with text [5-digit number] to number [4-digit number]. Enter the code, received in response, MC.”
In plainer English, the Trojan wants infected users to text a short code to a premium-rate telephone number, thereby paying for the remedy and subscribing to a porn site in the process. Although the price for neither service is mentioned, one would be justified in expecting it to be steep and recurring.
The Trojan, reportedly is injected via infected Web pages or delivered by other malware already resident on compromised systems. Ads appear in Internet Explorer, Opera and all versions of Firefox except the most recent (version 3.0.12).
Trojan.Ransompage is not the first extortion virus to hit the Web. Previous efforts, including Trojan.Ransomlock and Trojan.Ransomcrypt, have provided nasty little diversions like locking users out of their machines entirely or encrypting files until the victim pays off the extortionists. Unlike the previous versions, Trojan.Ransompage relies upon aggravation and embarrassment, not system usability, to convince victims to comply with the ransom demand.
Symantec provides removal instructions here: Preview.TinyURL.com/n6a7rc.