TROJ_RANSOM.QOWA

This trojan uses social engineering methods to lure users into performing certain actions that may, directly or indirectly, cause malicious routines to be performed. Specifically, it disables functionality of the compromised computer so that victims are forced to dial a premium-rate SMS number. It displays a message and prevents users accessing their desktops and applications after which users are forced to provide the required ransom by dialing the premium-rate SMS number displayed on the screen. This Trojan may be unknowingly downloaded by a user while visiting malicious websites. It modifies registry entries to enable its automatic execution at every system startup.


The Trojan drops itself in the folder

• %System%\usrinit.exe 
• C:\Windows\System32 in windows Xp 

This Trojan modifies the following registry entries to ensure it automatic execution at every system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit = %System%\userinit.exe,%System%\usrinit.exe

Removal:Step 1:  Disable System Restore
Step 2: open recovery console by inserting the windows Xp installation CD and press 'R' to repair the system
Step 3: Go to the folder where windows folder is residing usually C:
Step 4: Type del %System%\usrinit.exe ,type Exit and enter
Step 5: Change the registry value in this

1. HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon

Userinit = %System%\userinit.exe,%System%\usrinit.exe to Userinit = %System%\userinit.exe,
Close the registry editor.

Scan your computer with a good anti-virus program to remove the leftovers of the threat.