How to deal with malware belonging to the family Trojan-Ransom.Win32.Digitala

Information in this section will help you avoid problems with your computer, see the first signs of its infection and stay safe online. If you failed to find the necessary information or you find these recommendations too complicated or inadequate, please send a request to the Technical Support service via the HelpDesk form.

Article ID: 3043. Last modified on 20.12.2012 02:28.

Malware belonging to the family Trojan-Ransom.Win32.Digitala (Get Accelerator, Digital Access, Get Access, Download Manager v1.34) infects systems in order to extort a ransom. It blocks access to the Internet and displays a message about a breach of a license agreement. The message demands that an SMS with a certain code be sent to a certain number in order to unblock access to the Internet.


The utility Digita_Cure.exe removes malware belonging to the family Trojan-Ransom.Win32.Digitala (Get Accelerator, Digital Access, Get Access, Download Manager v1.34).

Information: the utility works under x86 versions of Windows OS: 2000, XP, 2003, Vista, 2008, 7.
x64 versions of Windows OS are immune to malware belonging to the family Trojan-Ransom.Win32.Digitala.


Disinfection of an infected system:


  1. Download the archive Digita_Cure.zip and extract it into a folder using an archiver program (WinZip, for example).
  2. Execute the file Digita_Cure.exe. The utility Digita_Cure.exe has a graphical user interface.
  3. Reboot the computer after the utility work is over.
  4. Update Kaspersky Anti-Virus databases and run a full system scan.

The utility does the following:

  1. Stops the active infection by scanning system memory for the running malicious program and removing it from memory.
  2. Deletes the trojan program from the system by stopping its service, removing it from autorun, etc.
  3. Clears the file system of passive (inactive) malware files.

 


The family Trojan-Ransom.Win32.Digitala has several types of blockers:

  • Digital Access
  • Get Accelerator
  • Get Access
  • Download Manager v1.34
  • Ilite Net Accelerator

 

The blocker will most likely display its messages in Cyrillic.

Examples of the messages displayed by each blocker (screenshots in the original article):

  • Digital Access
  • Get Accelerator
  • Get Access
  • Download Manager v1.34



Signs of infection

  • This malware can penetrate computers either through the user's actions or silently:
    • It can penetrate a computer through the user's actions. For example, a user can initiate installation of an allegedly legitimate program claiming to be Digital Access. When such a "disguised" program is run, it displays a license agreement; by accepting this license agreement, the user allows the system to be infected.
    • It can also invade without the user's participation, with the aid of other malicious programs (Get Access), by downloading itself and performing a silent installation.
  • It will then display a message demanding that an SMS be sent in order to receive an activation code that would supposedly activate the installed software.
  • The message may be displayed immediately or within 6 hours.
  • Within 5 minutes after displaying that message, the malware will force a PC reboot and block access to the Internet.
  • It will create a new key named {ffffffff-F03B-4b40-A3D0-F62E04DD1C09} in the system registry (path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall; keys are shown as folders in the Registry Editor) containing the uninstaller path.
  • The value of the variable "UninstallString" is stored in the field Data.



How this malicious program installs itself in a system:

  • installs a hidden service (its file can be found in C:\Windows\System32);
  • installs a rootkit to hide its files (its file can be found in C:\Windows\System32). A rootkit is a program or a suite of programs designed to conceal the fact that a system has been compromised;
  • deletes its installer;
  • sends a report (about installation, activation, and deactivation) to the owner's server;
  • if there is no network connection, or the network has a specific configuration, the malicious program fails to install in the system, outputs an error and deletes its installer.


How to obtain a copy of the malicious program from an infected system:

  • open the command line console:
    • in Windows XP: go to Start > Run, type in cmd and press Enter;
    • in Windows Vista / 7: type cmd in the Start Menu search box and press Enter;
  • type the following command at the command line prompt: copy <value of the variable "UninstallString" without arguments> (without quotes). For example:

    copy %systemroot%\Installer\ffffffff-F03B-4b40-A3D0-F62E04DD1C09\userinit.exe

  • the copy of the virus will be saved in the current folder.
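The registry indicator from the "Signs of infection" section and the copy procedure above, combined in an added PowerShell example that is not part of the original article or the Digita_Cure utility; the key name and registry path come from the article, the quarantine folder name is an assumption, and the SHA-256 step is skipped where Get-FileHash is unavailable (PowerShell before 4.0).

```powershell
# Added example: look for the Digitala uninstall key described in the article,
# read UninstallString, and preserve a copy of the referenced executable so it
# can be attached to a Technical Support request.
$KeyName    = '{ffffffff-F03B-4b40-A3D0-F62E04DD1C09}'   # from the article
$KeyPath    = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$KeyName"
$Quarantine = Join-Path $env:SystemDrive 'Digitala_sample' # assumed folder name

if (-not (Test-Path $KeyPath)) {
    Write-Output "Uninstall key $KeyName not present: no Digitala indicator found."
    return
}

$uninstall = (Get-ItemProperty -Path $KeyPath -Name 'UninstallString').UninstallString
Write-Output "UninstallString: $uninstall"

# Keep only the executable path (the article copies the value "without
# arguments"); handles both a quoted and an unquoted path.
if ($uninstall -match '^"([^"]+)"') {
    $exe = $Matches[1]
} else {
    $exe = ($uninstall -split '\s+')[0]
}
# The value may contain %systemroot% as in the article's example.
$exe = [Environment]::ExpandEnvironmentVariables($exe)

if (Test-Path -LiteralPath $exe) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    Copy-Item -LiteralPath $exe -Destination $Quarantine -Force
    Write-Output "Copied $exe to $Quarantine"
    # Record a hash for the support request when the cmdlet exists (PS 4.0+).
    if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        Write-Output "SHA256: $hash"
    }
} else {
    # The rootkit described in the article may hide the file from listings;
    # the article's cmd-based copy is the fallback in that case.
    Write-Output "Referenced file $exe not found on disk."
}
```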


Information: it is necessary to submit a query to the Technical Support Service by filling in the HelpDesk web form, attaching the copy of the virus to the query.


Destructive effects:

  • consumes a great amount of space on the desktop
  • disables Internet access (certain versions)


How to deactivate the malicious program:

  • Start the uninstaller
    • in Windows XP: go to Start > Run, type in the value of the variable "UninstallString" and press Enter;

    • in Windows Vista / 7: type cmd in the Start Menu box area and press Enter, type in the value of the variable "UninstallString" and press Enter.


  • A dialog box will be displayed (within a few seconds) prompting you to confirm uninstallation.

    Since the dialog box is hidden behind the window demanding the "ransom", do the following:

    • open Windows Task Manager (press Ctrl+Alt+Del simultaneously);
    • open the Options menu and check the option Always on Top;
    • right-click the task Uninstallation (the one referring to the malicious program) and select Maximize.

  • Click Yes in the Uninstallation dialog box.
  • Reboot the PC.

Copyright © 1997-2013 Kaspersky Lab