Ransomware: Fake Federal German Police (BKA) notice

Nicolas Brulez
Kaspersky Lab Expert
Posted March 24, 14:42  GMT
Tags: Ransomware

Kaspersky Lab is still monitoring malicious websites involved in the recent Japan spam campaigns.

For those who may have missed the first two blog posts, you can read them here and here. However, today we discovered that some of the payloads were not the usual Trojan-Downloader.Win32.CodecPack.*.

Instead, the payload is now ransomware (detected as Trojan-Ransom.Win32.PornoBlocker.jtg) disguising itself as a warning message from the German Federal Police (Bundeskriminalamt, BKA). The message claims that the computer has been blocked because it was found to be hosting child pornography.

Victims are asked to pay a 100 euro "fine" to unlock the machine.

As if the German police logo weren't enough, the authors also use the logos of anti-virus companies, Kaspersky Lab among them, to look more convincing.

On successful exploitation, the malware hijacks the desktop to display the following warning:


The victim can no longer use the computer unless they pay the 100 euro ransom. Here is a translation of the blackmail text:


Attention!

An operation of illegal activities has been detected.

The operating system has been blocked in connection with violations of the laws of the Federal Republic of Germany! The following violation was noted: Your IP address is [IP]; with this IP, pages containing pornography, child pornography, bestiality and violence against children were visited.

Your computer also has video files with pornographic content, elements of violence and child pornography!

Emails were also sent in the form of spam, with terrorist backgrounds.

This serves to lock the computer to stop your illegal activities.

[Computer related info]

To unlock the computer, you are obligated to pay a penalty of 100 Euro.

The payment must be made within 24 hours. If the payment is not made in the allotted time, your hard disk will be irrevocably formatted (erased).

Payment is made by a Ukash coupon code in the amount of 100 Euro.

In order for the charge to be carried out, please enter the purchased code into the payment box and then press OK (if you have multiple codes, simply enter them as a sequence, then press OK).

Should the system report errors, you must send the code by email (removed).

After receipt of payment your computer will be re-opened within 24 hours.



Technical details:


The fake German Federal Police page is actually an HTML page embedded inside the malware executable.

Upon execution, the malicious program creates a new window with the TOPMOST attribute (the WS_EX_TOPMOST extended window style) so that it stays above every other running window. This window displays the content of the HTML file through OLE and the WebBrowser control.

A new thread is created to kill Task Manager and suspend Windows Explorer. Just before it does so, the malware takes over the default Windows shell: it overwrites the Shell value of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, replacing explorer.exe with its own path, so that the locker rather than the desktop is started at the next logon.

It then enters an infinite loop that kills the "taskmgr.exe" process whenever it is found running, and suspends "explorer.exe" every 100 ms in order to block user interaction:



The result is a suspended Windows Explorer, no way to run Task Manager, and a topmost window displaying a web page. Inside this HTML page there is JavaScript used to send the entered Ukash coupon code to a remote server.

However, at the time of discovery the domain the JavaScript reports to no longer resolved (its DNS had already been disabled), so paying cannot unlock anything: infected users' computers are simply left unusable.
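The following PowerShell script is an added example, not code from the original post. It walks the top-level windows in Z order and lists the visible ones that carry WS_EX_TOPMOST, together with the process that owns each, which is the check a responder would run to find the process behind a locker window like the one described above (the same thing a commenter below did by hand with Process Explorer). It assumes Windows Vista or later with PowerShell available and that a console could be opened at all; the function and variable names are mine.

```powershell
# Added example (not code from the original post): enumerate the visible top-level windows
# in Z order and report those carrying the WS_EX_TOPMOST extended style, with the owning
# process. The locker described above lives in such a window, so it shows up here even while
# Task Manager is being killed.
Add-Type -Namespace Win32 -Name Windows -MemberDefinition @'
[DllImport("user32.dll")] public static extern IntPtr GetTopWindow(IntPtr hWnd);
[DllImport("user32.dll")] public static extern IntPtr GetWindow(IntPtr hWnd, uint uCmd);
[DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
[DllImport("user32.dll")] public static extern int GetWindowLong(IntPtr hWnd, int nIndex);
[DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
[DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder lpString, int nMaxCount);
'@

$GW_HWNDNEXT   = 2           # next window below in Z order
$GWL_EXSTYLE   = -20         # index of the extended window style
$WS_EX_TOPMOST = 0x00000008  # "always on top"

function Get-TopmostWindow {
    # Emits one object per visible topmost window: handle, title, owning PID, image name and path.
    $hwnd = [Win32.Windows]::GetTopWindow([IntPtr]::Zero)
    while ($hwnd -ne [IntPtr]::Zero) {
        if ([Win32.Windows]::IsWindowVisible($hwnd)) {
            $exStyle = [Win32.Windows]::GetWindowLong($hwnd, $GWL_EXSTYLE)
            if ($exStyle -band $WS_EX_TOPMOST) {
                $ownerPid = [uint32]0
                [void][Win32.Windows]::GetWindowThreadProcessId($hwnd, [ref]$ownerPid)
                $title = New-Object System.Text.StringBuilder 512
                [void][Win32.Windows]::GetWindowText($hwnd, $title, $title.Capacity)
                # Path can be empty when the owner runs at a higher integrity level than this console.
                $proc  = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
                $image = if ($proc) { $proc.ProcessName } else { '?' }
                $path  = if ($proc -and $proc.Path) { $proc.Path } else { '?' }
                [pscustomobject]@{
                    Handle = ('0x{0:X}' -f $hwnd.ToInt64())
                    Title  = $title.ToString()
                    PID    = $ownerPid
                    Image  = $image
                    Path   = $path
                }
            }
        }
        $hwnd = [Win32.Windows]::GetWindow($hwnd, $GW_HWNDNEXT)
    }
}

Get-TopmostWindow | Format-Table -AutoSize
```

The console has to exist before the locker starts suspending Explorer and killing Task Manager, for instance by pressing Win+R immediately after logon or by launching a renamed copy of the tool, as the commenters below describe. The taskbar and some tooltip windows are legitimately topmost, so judge by Image and Path: a topmost window owned by an executable under a Temp directory, or by an svchost.exe that has no business owning a visible window, is the one to look at. After `Stop-Process -Id <PID> -Force`, remember that explorer.exe stays suspended (killing the suspender does not resume its threads), so restart it with `Stop-Process -Name explorer -Force; Start-Process explorer.exe` and then repair the Shell value described above.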

Kaspersky Lab continues to investigate this malware and will update the blog if more important information is discovered.


17 comments

neozell

2011 Apr 14, 12:04

Hi,
Is Kaspersky now able to treat this virus?
My PC got infected by this very virus yesterday, and I am not able to get rid of it...

I Parama

2011 Apr 14, 22:05

How to cleanse this Trojan.Ransom Fake Federal German Police (BKA)

Hi Everyone,

Thanks to Nicolas who started this discussion. My notebook got infected today and made me panic because I cannot use my notebook anymore, just like NeoZell.

So I did some research and found a useful solution at the following URL:
http://xylibox.blogspot.com/2011/04/trojanransom-fake-federal-german-police.html

Manual removal:
1) Restart your PC
2) Before the Windows XP splash screen, press the F8 key to enter the Windows Advanced Options Menu and choose: Safe Mode With Command Prompt
3) Type 'regedit' in the console and go here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
4) Find the value 'Shell' and replace its data with 'explorer.exe'
5) Reboot your PC.

Before I tried the solution there, I managed to make my Windows reboot in safe mode. But it was a mistake actually, because when you are in safe mode it is more difficult to get Task Manager to work. It is easier to make Task Manager work in normal mode.

Finally, after some trials, I managed to make Task Manager work and followed the instructions on the above web site to fix the problem.
How I did it is by pressing CTRL+ALT+DEL several times until the Task Manager window appeared, and then I managed to run regedit.

So, you do need to be patient and repeat several times.
This virus is just annoying as it changes your first screen as you log in.

All the best and I hope you can make your computer work again.

neozell

2011 Apr 15, 21:50

Re: How to cleanse this Trojan.Ransom Fake Federal German Police (BKA)

Hi,
Thanks a lot, iParama.
I tried your tip, but it actually turns out that in my case the value entered in the key "Shell" is already "explorer.exe".
Thus, I don't know where the trojan modified a key.
Guess I'll have to look further; I'll let you know if I find something...
Cheers.

neozell

2011 Apr 15, 22:19

Got it!

OK, I finally managed to get rid of it!
Actually, as the page appeared when Windows started, there was a popup saying that a script could not be executed. Since the address was indicated, I could easily delete the files through safe mode.
It was actually much easier than what I was trying to do :)
Anyway, thanks again for your precious help!

john terry

2011 Apr 17, 01:45

System Restore

I was able to do a System Restore, which solved the problem for me. Choose "Safe Mode with Command Prompt" before Windows starts. When in Safe Mode, start the Task Manager by pressing CTRL + ALT + DEL. Click on "File" in Task Manager and then "New Task (Run)". Type in "msconfig" and click on "OK". When the System Configuration window appears, click on "Tools" and then launch System Restore.

jumpinetto

2011 Aug 08, 13:02

Long Processes

It was impossible to log in, even in Safe Mode and Safe Mode with Command Prompt: the screen always showed the lovely BKA screen on TOPMOST. XP and Win7 rescue disks were unusable (only the limited Recovery Console via Win7).

Downloaded the Avira Rescue disk, http://www.avira.com/en/support-download-avira-antivir-rescue-system

Burned the image to a CD.

Booted from the Avira CD and asked it to delete infected/suspicious files; it found the Trojan horse [TR/Ransom.DI.18] at /media/Devices/sda2/Documents and Settings/fabriziot/Local Settings/Temporary Internet Files/Content.IE5/W16F41YN/calc[1].exe <<< this is the Trojan horse TR/Ransom.DI.18.

Delete it!

Rebooted and the screen is finally blue! Ran Task Manager, modified the registry as I Parama did, System Restore as John Terry did.

Got it back and running.

Thanks all, I hope this will help.

ganeshch

2011 Oct 28, 01:15

I need your help

Dear Neozell,

I need your help. As in your case, my Shell also shows explorer.exe.
Unlike you, it is not showing any pop-up. So I do not know where to
go to find and delete the code or link. Please help me.

Steven K

2011 Nov 27, 23:01

FakePoliceAlert: Source code for sale

Maybe this can interest some of you:
http://xylibox.blogspot.com/2011/11/fakeavfakepolicealert-source-code-for.html

leeleebobins

2011 Dec 02, 01:51

If this happens to you

If this happens to anyone else, turn your PC/laptop off by holding the main switch for about 8 sec, turn it back on and straight away press Escape twice or more depending on your model, go into safe mode and just search for System Restore, set it to a few days earlier and it will remove the piece of crap trojan. Good luck.

Duststorm

2012 Mar 10, 17:59

I also had an encounter with this malware

I think it is a new version. It does not hide itself in the Shell registry key anymore.
To catch it I used the Sysinternals Process Explorer, procexp (http://technet.microsoft.com/en-us/sysinternals/bb896653). It's an advanced task manager that is not closed by the malware. (Another solution is to copy your Task Manager and give it another name.)
Using procexp I was able to track down which process was holding the window blocking the desktop.
In my case it was "C:\Windows\SysWOW64\svchost.exe", but it's possible the virus is located in a random file in SysWOW64. What's even more disturbing is that it uses existing Windows process filenames, so it's even harder to find and Windows doesn't let you remove those files. When examining the file's properties, it still contained Windows metadata, but its origin could not be verified (it's not signed by Microsoft?).
To get around the window blocking your desktop you can trick it using a multiple monitor setup and by trying to open some windows before it gets a chance to start. Just log out and log in again, press Windows key+R and start a program like "regedit" as quickly as you can before the malware turns up. This worked for me after a few tries.

Looking for the offending executable in the registry I found an entry for it in HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

EDIT: whoops, of course that is the executable running services. The malware probably started itself as a Windows service within it. (I haven't been using Windows a lot in a long time.)
Let's see if I can find out the real cause.

After some more examining it seems this svchost has been hijacked and shows the malware window. Using the svchost viewer I tried to examine the svchost instance with the right PID, but neither Process Explorer nor svchost viewer shows any children for it. Either this executable is replaced by malware, or it is configured to run a malware service that blocks it from starting any other services.

Guess I'll have to do a scan for ServiceDll entries in the registry and find the abusive DLL.

Edited by Duststorm, 2012 Mar 10, 19:52

RobinD

2012 Mar 10, 23:17

Re: I also had an encounter with this malware

I also got infected, but I've found a way to stop the 'blocking user input' part. I haven't found the core of the malware, though.

After some searching (in safe mode) I found a folder called 'kodak' in my roaming folder (C:\users\username\AppData\Roaming) with a text file and a picture in it. The text file contained my IP address and the picture was the same picture that 'fullscreened' itself after logging in.

I deleted that folder and rebooted my computer in normal mode. And apparently that stopped the malware from preventing me from using my computer.

Again, I do not know where the rest of that filthy malware is hiding, but it is a temporary solution.

I hope I could help; I made an account especially to tell you guys. :)

Duststorm

2012 Mar 11, 02:16

Re: Re: I also had an encounter with this malware

That is interesting information.
Could you explain how you made it stop blocking user input?

As I said before, I traced the source back to svchost.exe in SysWOW64, because in my case it was on 64-bit Windows 7 (and the virus is probably 32-bit). On a 32-bit machine it would probably run in an svchost executable in another location.

I still don't know where the executable part of it is located, but I see two options:
- it has nested itself WITHIN svchost.exe (and so destroyed it), which could explain why the service is not showing any other processes.
- it is loaded as a service by svchost, but tries to hide itself by not becoming a sub-thread (maybe the interface of svchost expects services to fork themselves and the virus doesn't do that, making the svchost program block so it doesn't start any other threads). In this case the virus will probably be some DLL file.

Anyway, I find it rather strange that a service is able to create a graphical window. To me that doesn't seem like a sensible architectural decision.

I collected all ServiceDll entries from the Windows registry, but nothing jumped out as very suspicious to me. It's really looking for a needle in a haystack if you don't know what you're looking for.

Up to this moment none of my virus scans has detected it. I did another full scan with AVG and scanned using a Linux live CD containing ClamAV, Avira and BitDefender. I also submitted the svchost to a few online virus scanners and none found an answer (of course it could be a different file).

At the moment just renaming svchost.exe to something else worked, but I have no idea which services I might be missing now.

RobinD

2012 Mar 11, 15:31

Re: Re: Re: I also had an encounter with this malware

I simply removed the 'kodak' folder in my roaming folder and apparently that was enough to stop the malware.

It looks like the program, or whatever calls this folder, crashes because I deleted it. Unfortunately that's all I know.

EDIT:
After starting up my computer again (it was in sleep) the pop-up didn't show anymore, like I said earlier, but I hadn't tested any further.
Now I did, and apparently the malware is still running and blocking everything. So the only thing I succeeded in was removing the pop-up.

EDIT2:
Sorry for the editing, but I just rebooted my computer again and now everything runs normally. No blocking, no pop-ups.
Yesterday I did a complete scan of my computer with AVG but it didn't find anything. Still waiting for some sort of fix for this...

Edited by RobinD, 2012 Mar 11, 16:31

Gniarf

2012 Mar 16, 04:27

Re: Re: Re: Re: I also had an encounter with this malware

I had the kodak folder too; HijackThis found the exe for me:
C:\ProgramData\Local Settings\Temp\msaofpuo.exe
called through HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

I'll make the assumption that this exe + the kodak folder + reg key = the whole virus.
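The following PowerShell script is an added example, not code from the original post or from any commenter. It turns the manual steps in this thread into one audit: the Winlogon Shell value that the sample in the post replaces (and that the manual-removal comment above restores by hand with regedit), and the Policies\Explorer\Run key where the commenter above found a later variant's executable. The per-user HKCU Winlogon\Shell check is my addition (the same mechanism, not mentioned in the thread), and the path pattern treated as suspicious is drawn from the file locations reported in the comments. It assumes Windows Vista or later with PowerShell in an elevated console, for instance the one offered by "Safe Mode with Command Prompt"; on XP without PowerShell the regedit steps above apply instead. Function and variable names are mine.

```powershell
# Added example, not code from the original post or its comments: audit the registry
# persistence points named in this thread and, on request, restore the default shell.
#  - Winlogon\Shell (HKLM; HKCU is my addition): the sample swaps explorer.exe for itself
#  - Policies\Explorer\Run: where a commenter found a later variant's executable
$ExpectedShell = 'explorer.exe'
$ShellKeys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
               'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')   # HKCU: assumption, not from the thread
$RunKeys   = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run')
# Directories the samples in this thread were launched from; a Run entry pointing there is the strongest signal.
$SuspectPathPattern = '\\Temp\\|\\Temporary Internet Files\\|\\AppData\\|\\ProgramData\\'

function Get-LockerPersistence {
    # Emits one object per finding; emits nothing when the audited locations look normal.
    foreach ($key in $ShellKeys) {
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if (-not $shell) { continue }                    # absent means the default (explorer.exe) applies
        if ($key -like 'HKCU:*') {
            [pscustomobject]@{ Location = "$key\Shell"; Value = $shell; Reason = 'Per-user Shell override present (normally absent)' }
        } elseif ($shell.Trim() -ine $ExpectedShell) {
            [pscustomobject]@{ Location = "$key\Shell"; Value = $shell; Reason = 'Shell is not explorer.exe' }
        }
    }
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $value  = [string]$item.GetValue($name)
            $reason = if ($value -imatch $SuspectPathPattern) { 'Run entry launches from a temp/profile directory' }
                      else { 'Run entry present; verify the target' }
            [pscustomobject]@{ Location = "$key\$name"; Value = $value; Reason = $reason }
        }
    }
}

function Repair-WinlogonShell {
    # Put HKLM\...\Winlogon\Shell back to explorer.exe and drop any per-user override.
    # The old HKLM value is reported because it is the path of the locker's executable.
    $hklm = $ShellKeys[0]; $hkcu = $ShellKeys[1]
    $old = (Get-ItemProperty -Path $hklm -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($old -ine $ExpectedShell) {
        Set-ItemProperty -Path $hklm -Name Shell -Value $ExpectedShell
        "HKLM Shell was '$old'; now '$ExpectedShell'"
    }
    $oldUser = (Get-ItemProperty -Path $hkcu -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($oldUser) {
        Remove-ItemProperty -Path $hkcu -Name Shell
        "HKCU Shell override '$oldUser' removed"
    }
}

$findings = @(Get-LockerPersistence)
if ($findings.Count) { $findings | Format-Table -Wrap -AutoSize } else { 'Nothing unusual at the audited locations.' }
# Repair-WinlogonShell   # run after reviewing the findings
```

Review the findings before calling `Repair-WinlogonShell`: the reported Shell path and any flagged Run entry are where the executable sits, so note them (and remove the file) before the key is repaired, otherwise the file is left behind. A clean result does not clear the machine; one commenter above found a variant with the Shell value untouched and the window owned by an svchost.exe, which this audit would not see.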

anthony

2012 Mar 24, 22:03

Re: System Restore

Thanks for the tip... I did this System Restore and it seems to have worked... for me it was a fake DUTCH police notice...

kmarkel108

2014 Apr 02, 13:55

Ransomware's effect on Ukash

I have been facing problems while making online payments with a Ukash card. I was reading somewhere that ransomware might be the reason for this... please tell me in detail about it...

Nathen

2014 Apr 07, 00:18

Please help me!

I just got a page from http://www.goodpolice-state.info/exterior.html
saying that I violated the law on child pornography, which is not true.
Though it was porn, it was not child porn...

It says I have to pay CHF 150 within 48 hours via paysafecard.
It says if I don't pay or don't enter the PIN number correctly I will be prosecuted for fraud.

I was panicking and I tried to revisit the page, but when I did that, it does not appear any more, only a porn site :0

Could you please tell me whether this is a fake one?
What they said on the page sounded so real...
It also had sponsor logos from Netto etc.

Thanks a lot!

P.S. and if you know... what would it say if it was a real German government site?