<![CDATA[VX Heavens forum - New variant of BKA trojan (FakePoliceAlert/Ransomware)]]> http://vx.netlux.org/forum/viewtopic.php?id=1823 Mon, 26 Dec 2011 18:35:56 +0000 PunBB <![CDATA[Re: New variant of BKA trojan (FakePoliceAlert/Ransomware)]]> http://vx.netlux.org/forum/viewtopic.php?pid=10939#p10939 Die Schatzjäger wrote:

Many thanks for the binary!

The binary itself seems to be packed with UPX, but simply unpacking it does not seem to work - maybe it checks for an attached debugger?

But I've created a Procmon log and so I could verify that the virus replaces 'C:\windows\explorer.exe' and 'C:\windows\system32\dllcache\explorer.exe' with itself. The computer can be booted in Safe Mode (with Command Prompt - plain Windows Safe Mode loads explorer.exe and so fails) and you can start c:\windows\system32\restore\rstrui.exe to recover explorer.exe.

Looking a little closer at the Procmon file reveals that the virus saves explorer.exe.
It is simply copied to 'C:\windows\twexx32.dll'.
After creating twexx32.dll, its timestamp is changed to '14.04.2008 13:00:00'.

I think it's all clear in the attached screenshot.
The second file is the Procmon log.

I haven't analyzed the log file to the end, if someone wants to do so ...
It also seems that the virus is known as 'Trojan:Win32/Ransom.FL', see here:
[Register or log in to view the URL]

Thomas


Nice share, friends...

]]>
Mon, 26 Dec 2011 18:35:56 +0000 http://vx.netlux.org/forum/viewtopic.php?pid=10939#p10939
<![CDATA[Re: New variant of BKA trojan (FakePoliceAlert/Ransomware)]]> http://vx.netlux.org/forum/viewtopic.php?pid=10459#p10459 Many thanks for the binary!

The binary itself seems to be packed with UPX, but simply unpacking it does not seem to work - maybe it checks for an attached debugger?

But I've created a Procmon log and so I could verify that the virus replaces 'C:\windows\explorer.exe' and 'C:\windows\system32\dllcache\explorer.exe' with itself. The computer can be booted in Safe Mode (with Command Prompt - plain Windows Safe Mode loads explorer.exe and so fails) and you can start c:\windows\system32\restore\rstrui.exe to recover explorer.exe.

Looking a little closer at the Procmon file reveals that the virus saves explorer.exe.
It is simply copied to 'C:\windows\twexx32.dll'.
After creating twexx32.dll, its timestamp is changed to '14.04.2008 13:00:00'.

I think it's all clear in the attached screenshot.
The second file is the Procmon log.

I haven't analyzed the log file to the end, if someone wants to do so ...
It also seems that the virus is known as 'Trojan:Win32/Ransom.FL', see here:
[Register or log in to view the URL]

Thomas

]]>
Thu, 01 Dec 2011 18:05:24 +0000 http://vx.netlux.org/forum/viewtopic.php?pid=10459#p10459
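One way to turn the Procmon observations in Thomas's post into a repeatable check, as an added example that is not part of the original thread or its attached log: the script below parses a Procmon CSV export (the column layout is assumed to be Procmon's default export; the log lines and the process name "sample.exe" are constructed) and flags any process that overwrites either explorer.exe copy and also writes the twexx32.dll side copy, reporting the timestamp change on that copy when it is seen.

```python
import csv
import io
from collections import defaultdict

# Constructed Procmon-style CSV export (not the log attached to the post).
# Columns are assumed to follow Procmon's default CSV layout; the rows mirror
# the behaviour described: both explorer.exe copies are overwritten and the
# original is stashed as twexx32.dll with a backdated timestamp.
SAMPLE_LOG = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
12:00:01.0,sample.exe,1234,CreateFile,C:\windows\explorer.exe,SUCCESS,Desired Access: Generic Read
12:00:01.1,sample.exe,1234,CreateFile,C:\windows\twexx32.dll,SUCCESS,Desired Access: Generic Write
12:00:01.2,sample.exe,1234,WriteFile,C:\windows\twexx32.dll,SUCCESS,"Offset: 0, Length: 65536"
12:00:01.3,sample.exe,1234,SetBasicInformationFile,C:\windows\twexx32.dll,SUCCESS,LastWriteTime: 14.04.2008 13:00:00
12:00:01.4,sample.exe,1234,WriteFile,C:\windows\explorer.exe,SUCCESS,"Offset: 0, Length: 65536"
12:00:01.5,sample.exe,1234,WriteFile,C:\windows\system32\dllcache\explorer.exe,SUCCESS,"Offset: 0, Length: 65536"
12:00:02.0,svchost.exe,800,CreateFile,C:\windows\system32\drivers\etc\hosts,SUCCESS,Desired Access: Generic Read
"""

# Files named in the post: the two explorer.exe copies that get replaced,
# and the path the original is copied to.
PROTECTED = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\dllcache\explorer.exe",
}
STASH = r"c:\windows\twexx32.dll"


def find_explorer_replacement(csv_text):
    """Return {(process, pid): [indicators]} for processes that overwrite a
    protected explorer.exe copy AND write the twexx32.dll side copy."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":
            continue
        path = row["Path"].lower()
        op = row["Operation"]
        key = (row["Process Name"], row["PID"])
        if op == "WriteFile" and path in PROTECTED:
            hits[key].append("overwrote " + row["Path"])
        elif op == "WriteFile" and path == STASH:
            hits[key].append("wrote stash copy " + row["Path"])
        elif op == "SetBasicInformationFile" and path == STASH:
            # Timestamp change on the stashed original (the '14.04.2008' date).
            hits[key].append("timestomped " + row["Path"] + " (" + row["Detail"] + ")")
    # Require both halves of the pattern so a plain explorer.exe update is not flagged.
    return {
        k: v for k, v in hits.items()
        if any(i.startswith("overwrote") for i in v)
        and any(i.startswith("wrote stash") for i in v)
    }


if __name__ == "__main__":
    for (proc, pid), indicators in find_explorer_replacement(SAMPLE_LOG).items():
        print(proc, pid)
        for line in indicators:
            print("  ", line)
```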
<![CDATA[New variant of BKA trojan (FakePoliceAlert/Ransomware)]]> http://vx.netlux.org/forum/viewtopic.php?pid=10423#p10423 This trojan blocker prevents all software execution. The fake warning message pretends that your computer has been blocked because you broke German law. Victims are asked to pay a 250 euro fine to unlock the machine.

I named this variant 'BRD-Trojaner' because there's no BKA (Federal Criminal Police Office) or Bundespolizei (German Federal Police) logo used.

Screenshot: [Register or log in to view the URL]


Download:
[Register or log in to view the URL]
PW: evild3ad.com

]]>
Tue, 29 Nov 2011 15:38:00 +0000 http://vx.netlux.org/forum/viewtopic.php?pid=10423#p10423