Applies to Kaspersky Internet Security 2012
Malware belonging to the Trojan-Ransom family blocks access to data stored on a computer or locks the system itself in order to demand a ransom. Cybercriminals use such malware to extort money from victims.
How to prevent infection
It is very important to protect the computer against malware belonging to the Trojan-Ransom family. To do so, a user can use the Application Control component from Kaspersky Internet Security 2011. The component registers all actions performed by applications running in the system and controls them according to special rules. These rules govern applications' access to system resources.
To protect your computer, you need to create a rule that controls applications' access to certain registry keys. It is recommended to create rules for the following registry keys:
- *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
- *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
- *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- *\SOFTWARE\Policies\*
- *\SOFTWARE\Policies\*\
- *\SOFTWARE\Policies\*\*
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*\
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*\*
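The keys above are the Windows start-up and recovery locations a screen locker rewrites (the shell and Userinit launched at logon, the AppInit_DLLs injection list, Image File Execution Options debugger redirects, and the Safe Mode configuration). The following PowerShell audit script is an added example and is not part of the Kaspersky article: it reads those locations and reports anything that differs from the stock defaults without changing anything. The expected values and the assumption that a standard installation has the SafeBoot\Minimal and SafeBoot\Network subkeys are assumptions of this example.

```powershell
# Added audit example (not from the Kaspersky article). Reads the registry
# locations the article lists and flags deviations from the standard Windows
# defaults (assumed values); nothing is modified. Run from an elevated prompt.

$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windows  = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

# The article's "*\" prefix covers any hive, so Winlogon is checked in HKLM and
# HKCU: a per-user Shell or Userinit override is a classic lock-screen technique.
$checks = @(
    @{ Key = "HKLM:\$winlogon"; Name = 'Shell';        Expected = 'explorer.exe' },
    @{ Key = "HKCU:\$winlogon"; Name = 'Shell';        Expected = $null },   # must not exist
    @{ Key = "HKLM:\$winlogon"; Name = 'Userinit';     Expected = "$env:SystemRoot\system32\userinit.exe," },
    @{ Key = "HKCU:\$winlogon"; Name = 'Userinit';     Expected = $null },   # must not exist
    @{ Key = "HKLM:\$windows";  Name = 'AppInit_DLLs'; Expected = '' }       # empty by default
)

function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()
foreach ($c in $checks) {
    $actual = Get-RegValue $c.Key $c.Name
    # Cast to string so a missing value and an empty default compare as equal.
    if ([string]$actual -ne [string]$c.Expected) {
        $findings += "[VALUE] $($c.Key)\$($c.Name) = '$actual' (expected '$($c.Expected)')"
    }
}

# IFEO: a subkey with a Debugger value redirects that program to another binary.
# Legitimate tools set this too, so every entry is listed for review.
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = Get-RegValue $_.PSPath 'Debugger'
    if ($dbg) { $findings += "[IFEO] $($_.PSChildName) -> Debugger = '$dbg'" }
}

# SafeBoot: lockers delete Minimal/Network so the victim cannot boot to Safe Mode.
foreach ($sub in 'Minimal', 'Network') {
    if (-not (Test-Path "$safeBoot\$sub")) { $findings += "[SAFEBOOT] $safeBoot\$sub is missing" }
}

if ($findings.Count -eq 0) { 'OK: all audited registry locations match their defaults.' }
else { $findings }
```

Each reported line names the location, the value found and the value expected, so a deviation can be compared against the Application Control rule that should have blocked the write.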
In order to create rules for registry keys mentioned above, perform the following actions:
Step 1. Open the main application window.
Step 2. On the upper right hand corner of the main application window, click Settings.
Step 3. On the upper part of the Settings window, go to the Protection Center tab and then select Application Control.
Step 4. On the right hand part of the Settings window, click on the Identity protection button.
Step 5. On the Digital Identity Protection window on the Identity data tab, select All resources from the drop-down list.
Step 6. On the Identity data tab create a new category with the name AntiWinLock. In order to do this, perform the following actions:
- On the Digital Identity Protection window, select the Identity data resource.
- In the upper part of the Digital Identity Protection window, click the Add category button.
- In the Identity data category window, enter AntiWinLock.
- Click the OK button.
Step 7. To make browsing more convenient, click the "-" icon for each category in the Digital Identity Protection window.
Step 8. Select the AntiWinLock category.
Step 9. Add to the AntiWinLock category registry keys which are required to be controlled. In order to do so, perform the following actions:
- On the upper left hand corner of the Digital Identity Protection window, click on the Add button.
- From the drop-down menu that will open, select the Registry key item.

- On the User resource window, enter the Name for the rule (entering the Name is optional: when you select the required Path, the name is filled in automatically).
- Enter the Path which will be controlled by Application Control. In order to do this, click on the Browse... button.
- Perform the following actions:
- On the bottom part of the window Select registry object enter the following:
- In the Key field: *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- In the Value field: Shell
- Click on the OK button.
- On the User resource window, click on the OK button.

Perform the same actions for the remaining resources:
2: in the Key field enter *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, in the Value field enter AppInit_DLLs
3: in the Key field enter *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, in the Value field enter Userinit
4: in the Key field enter *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\* (DO NOT enter any data in the Value field of this key. By default, the value "*" will be specified automatically)
5: in the Key field enter *\SOFTWARE\Policies, in the Value field enter *, in the User Resource window in the Name field enter Winlock.policies.Values
6: in the Key field enter *\SOFTWARE\Policies\*, in the User Resource window in the Name field enter Winlock.policies.Keys
7: in the Key field enter *\SOFTWARE\Policies\*, in the Value field enter *, in the User Resource window in the Name field enter Winlock.policies.Sub
8: in the Key field enter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot, in the Value field enter *, in the User Resource window in the Name field enter SafeBoot.Values
9: in the Key field enter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*, in the User Resource window in the Name field enter SafeBoot.Keys
10: in the Key field enter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*, in the Value field enter *, in the User Resource window in the Name field enter SafeBoot.Values.Sub
- Once you have performed the actions described above, ten registry resources will be added to the AntiWinLock category and will be controlled by the Application Control component of Kaspersky Internet Security 2012.
- Click on the OK button.

Step 10. On the left hand part of the Settings window, select the Application Control item.
Step 11. On the right hand part of the Settings window, click on the Applications button.
Step 12. In the Applications window, perform the following actions:
- Select the Low Restricted folder.
- On the upper left hand part of the Applications window, click on the Edit button.
- On the Group rules window, go to the Files and system registry tab.
- Find the AntiWinLock resource.
- For the AntiWinLock resource the option Prompt for action is specified for the actions Read, Write, Delete and Create. Specify the Block option for the actions Read, Write, Delete and Create. In order to do this, perform the following actions:
- Right-click the icon of the required action.
- Select Block from the context menu that will open.
- Click on the OK button in the Group rules window.

- Perform the same actions described above with the High Restricted folder. Do not configure the options for the AntiWinLock resource in the folders Trusted and Untrusted.
- Block access of applications, which are not in the Trusted group, to change the Internet Explorer security options, the Internet Explorer security zones, the options of the embedded Firewall. In order to do this, perform the following actions:
- On the Applications window, select the Low Restricted folder.
- On the upper left hand corner of the Applications window, click on the Edit button.
- On the Group rules window, go to the Files and system registry tab.
- Specify the Block option for the Read, Write, Delete, Create actions of the Security settings resource. In order to do this:
- Right-click the required icon of the required action in the Security settings line.
- Select Block from the context menu that will open.
- On the Group rules window, click on the OK button.
Step 13. On the Applications window, click on the OK button.
Step 14. On the Settings window, click on the OK button.
Step 15. Close the main application window.

After you have performed the actions mentioned above, access to the required registry keys will be blocked for applications that are not included in the Trusted group. Kaspersky Internet Security 2012 will block and log any dangerous actions.