Categorized | F-Secure

Video – “Windows Activation” Ransom Trojan

We recently came across a ransom trojan that prompts the following:

Windows license locked!


The trojan claims that “you should complete activation” and provides several phone numbers.


The numbers:

  •  002392216368
  •  002392216469
  •  004525970180
  •  00261221000181
  •  00261221000183
  •  00881935211841

The trojan claims that the call is “free of charge” but it isn’t, and the trojan author will earn money from the call via a technique known as short stopping.

After three minutes or so, the caller is given this unlock code: 1351236.

The unlock code appears to be the same every time the number is called.
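A defender with access to PBX or mobile call-detail records (CDRs) can check whether anyone dialed the numbers listed above. This is an added example, not F-Secure's code: the CSV layout, the sample rows, the accepted dial prefixes (`00`, `+`, `011`) and the 180-second threshold (taken from "three minutes or so") are assumptions made for illustration.

```python
import csv
import io

# Numbers published in the post, in 00-prefixed international format.
RANSOM_NUMBERS = [
    "002392216368", "002392216469", "004525970180",
    "00261221000181", "00261221000183", "00881935211841",
]
# International dial-out prefixes a CDR may record (assumption).
INTL_PREFIXES = ("00", "+", "011")
# Approximate call length at which the unlock code is read out (assumption).
CODE_HEARD_SECONDS = 180


def normalize(dialed):
    """Strip separators and the international prefix; None if not international."""
    cleaned = "".join(ch for ch in dialed if ch.isdigit() or ch == "+")
    for prefix in INTL_PREFIXES:
        if cleaned.startswith(prefix):
            return cleaned[len(prefix):]
    return None


KNOWN = {normalize(n) for n in RANSOM_NUMBERS}


def find_ransom_calls(cdr_text):
    """Return (extension, number, seconds, likely_heard_code) for matching calls."""
    hits = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        number = normalize(row["dialed"])
        if number in KNOWN:
            seconds = int(row["seconds"])
            hits.append((row["extension"], "00" + number, seconds,
                         seconds >= CODE_HEARD_SECONDS))
    return hits


# Constructed sample CDR export; extensions, times and non-matching numbers are made up.
SAMPLE_CDR = """timestamp,extension,dialed,seconds
2011-04-12T09:14:02,2041,+239 221 6368,187
2011-04-12T09:20:40,2107,0035898765432,64
2011-04-12T10:02:11,2055,011-261-221-000-183,95
2011-04-12T10:30:00,2041,0401234567,30
"""

if __name__ == "__main__":
    for hit in find_ransom_calls(SAMPLE_CDR):
        print(hit)
```

Each hit identifies an extension whose machine is likely infected and, from the call duration, whether the user probably stayed on the line long enough to receive the code.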

It’s a pretty clever bit of social engineering and some victims may never even realize that they’ve been scammed.

Here’s a video demonstration on the Labs YouTube channel, which also includes some discussion of other ransom trojans.

The GPcode screenshots referenced in the video can be seen here and here.

We detect this trojan (md5: 9a6f87b4be79d0090944c198a68012b6) as Trojan.Generic.KDV.153863.

A full audio recording of our call to the ransom number is here (MP3, 4 minutes).

On 11/04/11 At 02:57 PM
