PornoBlocker – Trojan Ransomware (Jan 27, 2011)


SonicWALL UTM Research team received reports of a new variant of Trojan Ransomware seen in the wild. The Trojan locks down the system and asks the user to send money via premium SMS in Russia to receive the unlock code.

Process of Infection:

An unsuspecting user may download the Trojan from malicious websites. The screenshot below shows the Trojan using a movie icon.


Once installed, the Trojan will lock down the system by displaying the image below:


Below is the rough translation of the image:


    Your Operating System is blocked for violation of Internet usage.

    We discovered the following violations: visiting pornographic sites with elements of child porn, rape and bestiality. Storage of video files containing porn with presence of under-aged, rape, bestiality etc.

    Usage of pirated software.

    This block is intended to prevent the possibility of spreading this material over the internet.
    To remove this block you must:

    Replenish Beeline account number:
    For the amount of 400 rubles

    After the payment on your receipt you will find a code, which you should enter in the field below

    When your system is unblocked you must remove all the illegal materials from your device.


The Trojan alleged that the user engages in illegal activities and have in possession materials in violation of Internet usage causing the system lock down. The message of course is a scam and just the Trojan’s way to extort money from the user.

Interestingly, the unlock code is embedded in the malware and can be used to regain control of the system. Some of the unlock codes seen on different variants of this malware are the following:

  • 8875510
  • 8095147
  • 3796054

After unlocking the system, the malware will delete itself.


Drops a copy of itself:

  • %Windows% usrinit.exe – [ detected as GAV: PornoBlocker.DMQ (Trojan) ]

Registry Changes:

Modifies the registry entry below to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
    Value: Userinit
    Old Data: “C:WINDOWSsystem32userinit.exe,”
    New Data: “C:WINDOWSsystem32userinit.exe,” “C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32usrinit.exe”

Other System Modification:

Terminates the following process:

  • Task Manager

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: PornoBlocker.DMQ (Trojan)
GAV: PornoBlocker.DMS (Trojan)
GAV: LockScreen.P (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.