A new Trojan tries to extort money from users by convincing them to dial international telephone numbers to reactive Windows, a security researcher said today.
Once on a PC, the malware displays a message claiming that Windows is "locked" and must be reactivated, said Mikko Hypponen, the chief research officer of Helsinki-based F-Secure. Users seeing the message cannot boot Windows in either normal or Safe mode, Hypponen said.
"This copy of Windows is locked. You may be a victim of fraud or there may be an internal error," the message states.
New 'ransomware' claims Windows needs to be reactivated. Image courtesy of F-Secure.
To regain control of the PC, users are told to reactivate Windows online or via a phone call. The former, however, is not available; a follow-up message instructs users to dial one of six telephone numbers, then enter a six-digit code to reactivate the operating system.
"The call from your country is free of charge," the second message alleges.
Not even close.
"They pretend to be Microsoft," said Hypponen, adding that the telephone numbers actually lead to an automated call center where users are kept on hold for several minutes, racking up long-distance charges.
F-Secure is trying to determine the location of the call center.
The scammers make money through what Hypponen called "short stopping," the practice of billing a call at a rate higher than the actual destination.
"The numbers are operated by rogue operators and lead to [countries with] very expensive phone rates, like the Dominican Republic or Somalia," Hypponen said in an interview Monday. "But the numbers actually end up in much cheaper countries. They charge you the full price.... That's how they make money."
F-Secure has seen that money-making mechanism used before in a Windows Mobile Trojan horse that secretly dialed international numbers to rack up charges via short stopping.
But it's new in "ransomware," the term describing malware that tries to extort a payment in return for returning control of the computer or its files to the owner.
"Ransomware makers come up with a new payment mechanism every time one is shut down," said Hypponen. One of the most prevalent pieces of ransomware, "GPcode," told victims to use a pre-paid credit card, an avenue that has since been blocked.
Extortion software like GPCode and the newest Trojan are not only booming, but present a clear danger to users, Hypponen argued.
"For the end user, most of the damage by malware is transient," he said. "If you're infected by a bot Trojan, your PC may send out lots of spam, but if anything, that slows down your PC only a bit. Even keyloaders, if they get ahold of your credit card, you don't actually lose money because you can get it back. But ransomware is bad news, because the PC is unusable or all your files are encrypted."
The solution to ransomware is to either fork over the payoff or roll back the PC to a prior backup, assuming one is available, said Hypponen,
Or in this case, enter the code F-Secure said was delivered by the call center, no matter what number is dialed.
That unlock code: 1351236.
"I hate the idea of paying money to these clowns," said Hypponen. "Just enter that code."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .
Read more about security in Computerworld's Security Topic Center.