Many thanks for the binary!
The binary itself seems to be packed with UPX, but simply unpacking it doesn't seem to work. Maybe it checks for an attached debugger?
But I've created a Procmon log, and so I could verify that the virus replaces 'C:\windows\explorer.exe' and 'C:\windows\system32\dllcache\explorer.exe' with itself. The computer can be booted in Safe Mode with Command Prompt (plain Windows Safe Mode loads explorer.exe and so fails), and you can start c:\windows\system32\restore\rstrui.exe to recover explorer.exe.
Looking a little closer at the Procmon file reveals that the virus saves explorer.exe:
it is simply copied to 'C:\windows\twexx32.dll'.
After creating twexx32.dll, its timestamp is changed to '14.04.2008 13:00:00'.
I think it's all clear on the attached screenshot.
The second file is the Procmon log.
I haven't analyzed the log file to the end, if someone wants to do so ...
It also seems that the virus is known as 'Trojan:Win32/Ransom.FL'.
Thomas
Last edited by Die Schatzjäger (2011-12-01 20:06:54)
Post's attachments: bkatrojaner_procmonlog_firststart.PML.zip (1.63 MB, 14 downloads since 2011-12-01)
explorer_ersetzen.jpg (240.01 KB, never downloaded)
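The three behaviours the post reads out of the Procmon log (overwriting explorer.exe in both locations, stashing the original as twexx32.dll, and backdating that copy's timestamps) can be turned into a detection that runs over a Procmon CSV export. The script below is an added example, not code from the poster or from the attached log; the CSV rows are constructed to mimic Procmon's export columns, and the process name `sample.exe` is a placeholder, not the real malware's name.

```python
import csv
import io
import re

# Paths the post says the malware overwrites, and the copy it makes of the real explorer.exe.
PROTECTED_PATHS = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\dllcache\explorer.exe",
}
STASH_PATH = r"c:\windows\twexx32.dll"

# Procmon operations that change file content, and the one that changes timestamps.
WRITE_OPS = {"WriteFile", "SetRenameInformationFile", "SetEndOfFileInformationFile"}
TIMESTAMP_OP = "SetBasicInformationFile"

# Constructed sample export (not the poster's log), laid out like Procmon's CSV export.
# "sample.exe" is a placeholder process name.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"13:00:01.0000001","sample.exe","1234","CreateFile","C:\\Windows\\explorer.exe","SUCCESS","Desired Access: Generic Read"
"13:00:01.0000002","sample.exe","1234","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0, Length: 65536"
"13:00:01.0000003","sample.exe","1234","CreateFile","C:\\Windows\\twexx32.dll","SUCCESS","Desired Access: Generic Write"
"13:00:01.0000004","sample.exe","1234","WriteFile","C:\\Windows\\twexx32.dll","SUCCESS","Offset: 0, Length: 65536"
"13:00:01.0000005","sample.exe","1234","SetBasicInformationFile","C:\\Windows\\twexx32.dll","SUCCESS","CreationTime: 14.04.2008 13:00:00, LastAccessTime: 14.04.2008 13:00:00, LastWriteTime: 14.04.2008 13:00:00, ChangeTime: 14.04.2008 13:00:00"
"13:00:01.0000006","sample.exe","1234","CreateFile","C:\\Windows\\explorer.exe","SUCCESS","Desired Access: Generic Write"
"13:00:01.0000007","sample.exe","1234","WriteFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0, Length: 40960"
"13:00:01.0000008","sample.exe","1234","WriteFile","C:\\Windows\\system32\\dllcache\\explorer.exe","SUCCESS","Offset: 0, Length: 40960"
"13:00:02.0000001","svchost.exe","800","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0, Length: 4096"
"""


def parse_procmon_csv(text):
    """Return one dict per event from a Procmon CSV export (header row gives the keys)."""
    return list(csv.DictReader(io.StringIO(text)))


def extract_timestamps(detail):
    """Pull the four NTFS timestamps out of a SetBasicInformationFile 'Detail' field."""
    return dict(re.findall(r"(\w+Time): ([\d.]+ [\d:]+)", detail))


def find_explorer_replacement(events):
    """Flag the three behaviours described in the post.

    Returns a list of (category, process, pid, path, detail) tuples, in log order.
    """
    findings = []
    for ev in events:
        if ev["Result"] != "SUCCESS":
            continue  # failed operations did not change the file
        op = ev["Operation"]
        path = ev["Path"].lower()
        who = (ev["Process Name"], ev["PID"])
        if op in WRITE_OPS and path in PROTECTED_PATHS:
            findings.append(("protected_file_overwritten", *who, path, ev["Detail"]))
        elif op in WRITE_OPS and path == STASH_PATH:
            findings.append(("explorer_copy_created", *who, path, ev["Detail"]))
        elif op == TIMESTAMP_OP and path == STASH_PATH:
            stamps = extract_timestamps(ev["Detail"])
            findings.append(("timestamp_altered", *who, path, stamps.get("LastWriteTime", "")))
    return findings


def suspect_processes(findings):
    """Processes that both overwrote a protected path and backdated the stash copy."""
    overwriters = {f[1] for f in findings if f[0] == "protected_file_overwritten"}
    stompers = {f[1] for f in findings if f[0] == "timestamp_altered"}
    return overwriters & stompers


if __name__ == "__main__":
    evs = parse_procmon_csv(SAMPLE_CSV)
    for f in find_explorer_replacement(evs):
        print(f)
    print("suspects:", suspect_processes(find_explorer_replacement(evs)))
```

To use it on a real capture, export the PML from Procmon as CSV (File > Save, CSV format) and pass the file contents to `parse_procmon_csv`. The write-operation set and the `Result == SUCCESS` filter are the two knobs most worth tuning: legitimate servicing (Windows Update, SFC) also writes explorer.exe, so in practice the `protected_file_overwritten` hit is only interesting together with the stash-and-backdate pattern, which is what `suspect_processes` requires.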