Police Central e-crime Unit Virus (ransomware)

Police Central e-crime Unit Virus

An interesting looking infection I stumbled upon recently. As soon as Windows boots, the above message would be displayed full screen, without any way to close it. Task manager and other Windows features were disabled. Owner of this laptop, obviously not very IT literate, was pretty concerned, not sure whether the message was genuine or not.

This is full text of the message:

Your PC is blocked due to at least one of the reasons specified below.

You have been violating Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article 128 of the Criminal code of Great Britain.

Article 128 of the Criminal Code provides for a fine of two to five hundred minimal wages or a deprivation of liberty for two to eight years.

You have been viewing or distributing prohibited Pornographic content (Child Porno/Zoofilia and etc). Thus violating article 202 of the Criminal Code of Great Britain.

Article 202 of the Criminal Code provides for a deprivation of liberty for four to twelve years.

Illegal access to computer data has been initiated from your PC, or you have been…

Article 208 of the Criminal Code provides for a fine of up to £100,000 and/or a deprivation of liberty for four to nine years.

Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law On Neglectful Use of Personal Computer. Article 210 of the Criminal Code provides for a fine of £2,000 to £8,000.

Spam distribution or other unlawful advertising has been effected from your PC as a profit-seeking activity or without your knowledge, your PC may be infected by malware.

Article 212 of the Criminal Code provides for a fine of up to £250,000 and a deprivation of liberty of up to six years. In case this activity has been effected without your knowledge, you fall under the abovementioned article 210 of the Criminal Code of Great Britain.

Your personality and address are currently being identified, a criminal case is going to be initiated against you under one or more articles specified above within the next 72 hours.

Pursuant to the amendment to the Criminal Code of Great Britain of May 28, 2012, this law infringement (if it is not repeated – first time) may be considered as conditional in case you pay the fine to the State.

Fines may only be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours!

The amount of fine is £100. You can pay a fine Ukcash or PaySafeCard.

When you pay the fine, your PC will get unlocked in 1 to 72 hours after the money is put into the State’s account.

Luckily this wasn’t particularly sophisticated malware. This is how it can be removed:

  • On another computer download Spybot – Search and Destroy (free for private use) including offline detection updates.
  • Boot infected machine into Safe Mode (press F8 when computer starts for boot menu).
  • Using Flash drive or CD transfer Spbot – Search and Destroy and detection updates to the infected computer and install both.
  • Run full computer scan (this can take a while). Fix all found issues.
  • If prompted, reboot the computer and let the scan to run again on boot. Fix all found issues again.

This cleaned actual infection, but the following RunDLL error message was now shown after startup:

Error loading C:\Users\<username>\AppData\Local\Temp\update00.b.exe

Obviously there was still something in startup entries trying to launch now non existent malware. Looking into startup items via msconfig didn’t reveal anything suspicious.

On a more close inspection I found that startup entry trying to launch update00.b.exe file was hidden in a legitimate ctfmon shortcut in user’s Startup folder. Ctfmon.exe normally is a legitimate part of MS Office (Alternative User Input Text Input Processor).

Ctfmon.exe in Startup folder

The shortcut text has been changed to:
%systemroot%\system32\rundll32.exe C:\Users\<username>\AppData\Local\Temp\update00.b.exe,FQ10

Ctfmon.exe Properties

Removing the shortcut from the startup folder resolved the error.

08.2012
Windows Vista Home Premium


Comments

Leave a Reply

Your email address will not be published. Required fields are marked *