Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Some Trojan:W32/Ransom variants require users to perform manual removal to completely remove the malware from the system:
For Windows XP systems
For Windows Vista and 7 systems
Trojan:W32/Ransom is considered Ransomware, as it prevents normal usage of the infected machine and demands monetary payment supposedly to restore normal use. The malware has been reported to target users in a number of European countries, most notably Germany, France, Spain and Finland. This malware was also covered in our Labs Weblog blogpost:
Multiple variants of this trojan have been found thus far. The variants are also detected by a number of Generic Detections, based on its behavioral characteristics.
Note: for specific variants, users may need to perform manual removal in order to completely remove the trojan. See Disinfection above for further details.
On execution, the trojan moves the legitimate file '\explorer.exe' to a variable location, with the name '\twexx32.dll', then saves a copy of itself to the original '\explorer.exe' location.
The trojan then makes its ransom demand by displaying language-specific images appropriate to the user's locale, determining which image should be displayed by a geolocation query. Screenshots of some of the images displayed by the trojan are shown below. English translations of the German and French warning texts are also provided below.
Needless to say, though these warnings claim to be from the German 'Bundespolizei', the French 'Gendarmerie Nationale' or the non-existent Finnish Information Networks Crime Unit 'Tietoverkkorikosten tutkinnan yksikkö', they are fake.
Unfortunately, even if the user does accede to these demands, no fix is performed; the computer remains inaccessible. Instead, users may use an antivirus product to remove the trojan from their machine.
Image 3: Trojan:W32/Ransom's Finnish-targeted demand