Tuesday, 3 May 2011
Trojan.Ransom Fake Federal German Police (BKA) notice variant
This trojan blocker (MD5: dcc4501e3348c4665391ff126d7c2fb1) prevents all software execution.
To remove the trojan (and unlock Windows), infected users need to enter a valid serial number.
According to VirusTotal, this sample is detected by just 1 antivirus: http://www.virustotal.com/file-scan/report.html?id=6936ad765d92f29e6f0db79aec572f62578a4f36db213ee8e5bc893b4683f421-1304434982
Unfortunately, like the previous version, the unlock code is not stored inside the sample, so there is no way to get it with reverse engineering.
And now the escrow accepts paysafecard... (the oldest versions had only one way to pay: Ukash)
1) Restart your PC.
2) Before the Windows XP splash screen, press the F8 key to enter the Windows Advanced Options Menu and choose: Safe Mode With Command Prompt
3) Type 'regedit' in the console and go here:
4) Find the key 'Shell' and replace its value with 'Explorer.exe'
5) Reboot your PC.
Fake BKA notice in the past:
Trojan.Ransom Fake Federal German Police (BKA) notice