Kaspersky Lab is still monitoring malicious websites involved in the recent Japan spam campaigns.
The payload has changed: it is now ransomware (detected as Trojan-Ransom.Win32.PornoBlocker.jtg) disguised as a fake warning message from the German Federal Police. The message claims that the computer has been blocked because it was found to be hosting child pornography.
Victims are asked to pay a 100 euro fine to unlock the machine.
As if the German police logo weren't enough, the malware also uses logos from anti-virus companies such as Kaspersky Lab to look more convincing.
On successful exploitation, the malware hijacks the desktop to display the following warning:
The victim can no longer use their computer unless they pay the 100 euro ransom. Here is a translation of the blackmail text:
Illegal activities have been detected.
The operating system has been blocked in connection with violations of the laws of the
Federal Republic of Germany! The following violation was noted: Your IP address is
pages containing pornography, child pornography, bestiality and violence against children were visited.
Your computer also has video files with pornographic content, elements of violence and child pornography!
Emails with terrorist backgrounds were also sent in the form of spam.
This serves to lock the computer to stop your illegal activities.
[Computer related info]
To unlock the computer, you are obligated to pay a penalty of 100 Euro.
The payment must be made within 24 hours. If the payment is not made in the allotted time,
your hard disk will be irrevocably formatted (erased).
Payment is made by a Ukash coupon code in the amount of 100 Euro.
In order to carry out the payment, please enter the purchased code into the payment box and
then press OK (if you have multiple codes, simply enter them as a sequence, then press OK).
Should the system report errors, you must send the code by email (removed).
After receipt of payment, your computer will be re-opened within 24 hours.
The fake German Federal Police page is actually an HTML page embedded inside the malware executable.
Upon execution, the malicious program creates a new window with the TOPMOST attribute so that it stays above every other running window. This window displays the content of the HTML file through OLE and the WebBrowser control.
A new thread is created to kill Task Manager and suspend Windows Explorer. Just before it does so, the malware takes over the default Windows shell by replacing explorer.exe in the Shell value of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
It then enters an infinite loop that kills the "taskmgr.exe" process whenever it is found running and suspends "explorer.exe" every 100 ms in order to block user interaction.
However, at the time of discovery the domain (DNS name) the malware relied on was already disabled, leaving infected users' computers unusable.
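The Winlogon shell hijack described above is the persistence point an analyst can check on a recovered hive. The following is an added example, not code from the original post or from Kaspersky Lab: it parses a .reg export of the Winlogon key and flags any Shell entry that is not the stock explorer.exe. The sample exports and the locker path in them are constructed placeholders, and the value name "Shell" comes from Windows documentation, not from the page.

```python
import re

# Constructed .reg exports (not from the page): one showing the Shell value
# replaced as described above (placeholder path), one with the stock value.
HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\victim\\AppData\\Roaming\\example_locker.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Spellings of the stock shell that should not be flagged (compared lowercase).
STOCK_SHELL = {"explorer.exe", r"c:\windows\explorer.exe", r"%systemroot%\explorer.exe"}
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Parse the REG_SZ values of a .reg export into {key_path: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if m:
            # .reg escapes backslashes and quotes with a backslash; undo that.
            name, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            keys[current][name] = value
    return keys


def audit_shell(keys, key=WINLOGON):
    """Return every Shell entry under Winlogon that is not the stock explorer.exe.

    Shell may hold a comma-separated list, so a program can also be appended
    next to explorer.exe rather than replacing it; every entry is checked.
    """
    shell = keys.get(key, {}).get("Shell")
    if shell is None:
        return []  # value absent: Windows falls back to explorer.exe
    entries = [e.strip() for e in shell.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in STOCK_SHELL]


if __name__ == "__main__":
    for label, dump in (("hijacked", HIJACKED_REG), ("clean", CLEAN_REG)):
        print(label, audit_shell(parse_reg(dump)))
```

Any entry returned is the program that will start in place of (or alongside) the desktop at logon; restoring the value to "explorer.exe" from a clean boot environment is the corresponding fix.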
Kaspersky Lab continues to investigate this malware and will update the blog if more important information is discovered.
2011 Apr 14, 12:04
2011 Apr 14, 22:05
how to cleanse this Trojan.Ransom Fake Federal German Police (BKA)
2011 Apr 15, 21:50
Re: how to cleanse this Trojan.Ransom Fake Federal German Police (BKA)
2011 Apr 15, 22:19
OK, I finally managed to get rid of it!
2011 Apr 17, 01:45
I was able to do a system restore, which solved the problem for me. Choose "Safe Mode with Command Prompt" before Windows starts. When in Safe Mode, start the Task Manager by pressing CTRL + ALT + DEL. Click on "File" in Task Manager and then "New Task (Run)". Type in "msconfig" and click on "Okay". When the System Configuration window appears, click on "Tools" and then launch System Restore.
2011 Aug 08, 13:02
It was impossible to log in, even in Safe Mode and Safe Mode with Command Prompt: the screen always showed the lovely BKA screen on TOPMOST. XP and Win7 Rescue Disk were unusable (only the limited Recovery Console via Win7).
2011 Oct 28, 01:15
I need your help
2011 Nov 27, 23:01
FakePoliceAlert: Source code for sale
Maybe that can interest some of you:
2011 Dec 02, 01:51
if this happens to you
If this happens to anyone else, turn your PC/laptop off by holding the main switch for about 8 seconds, turn it back on and straight away press Escape twice or more depending on your model, go into Safe Mode and just search for System Restore, set it to a few or two days earlier and it will remove the piece of crap trojan. Good luck.
2012 Mar 10, 17:59
I also had an encounter with this malware
I think it is a new version. It does not hide itself in the shell registry key anymore.
Edited by Duststorm, 2012 Mar 10, 19:52
2012 Mar 10, 23:17
Re: I also had an encounter with this malware
I also got infected. I've found a way to stop the 'blocking user input' part, but I haven't found the core of the malware.
2012 Mar 11, 02:16
Re: Re: I also had an encounter with this malware
That is interesting information.
2012 Mar 11, 15:31
Re: Re: Re: I also had an encounter with this malware
I simply removed the 'kodak' folder in my roaming folder and apparently that was enough to stop the malware.
Edited by RobinD, 2012 Mar 11, 16:31
2012 Mar 16, 04:27
Re: Re: Re: Re: I also had an encounter with this malware
I had the kodak folder too; HijackThis found the exe for me:
2012 Mar 24, 22:03
Re: System Restore
Thanks for the tip... I did this system restore and it seems to have worked... for me it was a fake DUTCH police notice...