[Introduction] Metropolitan Police Ukash Virus

[TheDarkestHour]

Hello everyone,

I am still not aware if people here have knowledge of the virus known as Ukash Virus. It just blocks the computer and won't let you do anything else until you pay 100€.
It is very realistic. All the logos, forms and text are well-structured and it even offers you a Paypal option to pay.

As an expertized IT technician, I've received dozens of machines suffering from this malware and I've successfully tracked and purged it until now.

However, one thing keeps me in doubt about it. If I remove the network connection, it just shows a message stating "Please wait while the connection is being established..."

Then that means whoever developed the virus had to build a server to host its information. Could the virus just be a browser that only directs to that server's url? Could there be any way to track where the client virus is connecting to using the virus itself?
These are just questions, but this specific malware has caught me enough attention.

[LoGiCaL__]

I'm guessing it's windows. A little more info would be nice. Have you tried messing with the pc in safe-mode? Checking to make sure it's not configured to go to a proxy? Have you also gave any scanners a shot?

[TheDarkestHour]

I'm guessing it's windows. A little more info would be nice. Have you tried messing with the pc in safe-mode? Checking to make sure it's not configured to go to a proxy? Have you also gave any scanners a shot?

Virus type: Ransomware


One thing I didn't mention is that the virus is spread to the point that each european country has its own version of the virus.
The latest version of the virus has been released in my country a few weeks ago and it really gives me a headache to remove it.

It has an On-screen keyboard to type your banking information and also displays your IP. Good social engineering attempt though.

The virus starts up automatically in all safe-modes. However, it logically establishes connection when I choose safe-mode with networking.

The virus did NOT modify any proxy settings until now.

It is impossible to use scanners as it blocks the machine from doing anything else. I had to manually search the entire system for the directory the virus hosted in (For Vista/7, it's located in C:\Users\USER_NAME\AppData\Local) and it has silly names such as Game.exe and ServiceVBOX.exe.

The only way to permanently purge it is to use Polifix and ComboFix. After that I was finally allowed to give MalwareBytes a try. It reported back Trojan.Ransom.Gimemo, Trojan.LockScreen & Trojan.Matsnu.

Seeing as this virus spreads up, millions of infected machines are probably connecting to the same server and I wonder how it keeps up.

[LoGiCaL__]

Combofix is ownage in a box. It usually comes through and runs pretty quick. It's interesting that the virus runs in safe-mode. You may also want to give hirensboot cd a shot http://www.hirensbootcd.org/download/ start mini-windows xp and see if you can scan the hard drive that way.

[TheDarkestHour]

Scanning the system with Mini XP detects and deletes some viruses but the virus itself keeps running at start-up. I guess this either has to do with the registry or with possible tracks the main virus can leave behind. Or both.

If I didn't manually search for and delete the executable, I wouldn't even be able to use Combofix.

After I purged the main virus and also the tracks with MalwareBytes, I restarted the system and the screen went all black after logging in, leaving only the pointer. This phenomenon is known as Black Screen of Death. I used some program called fixshell.exe and it solved the problem.

Really nasty malware.

[LoGiCaL__]

Any chance you documented in detail your findings/actions etc...? Would be curious to read them or maybe you'd be interested in posting an article. Anyways, I haven't come across it yet from where I'm from but I don't have any doubts that it's not far off. Good find.

[TheDarkestHour]

Right now I am installing XP in a virtual machine to start a deeper investigation about this malware.
I will post everything that I find, including prints, logs from combofix and malwarebytes and unpack the virus using ollydbg, if it is possible.


For now, the only information that I got is the registry:

Code: Select all

HKLM\Software\Microsoft\Active Setup\Installed Components\{evNTC15M-TWXn-den4-wwNM-OZRpymfjrgGI}\5Pl92n0RaPnn1Gf: “”%Appdata%\ServiceVBOX.exe” /ActiveX”

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\5Pl92n0RaPnn1Gf: “%Appdata%\ServiceVBOX.exe”

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\5Pl92n0RaPnn1Gf: “%Appdata%\ServiceVBOX.exe”

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “%Appdata%\ServiceVBOX.exe”

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “%Appdata%\ServiceVBOX.exe,%WinDir%\System32\userinit.exe,”

[TheDarkestHour]

After a month of investigation on this malware, I've decided to make a new thread reporting everything that I found. Screenshots and attachments of logs will also be available here.

Please note that the sample virus I got is from my country, hence everything will be in Portuguese.
All the investigation was done inside a virtual machine. No worries.


Introduction

Please refer to my earlier thread: viewtopic.php?f=29&t=8861


How do people get the virus?

Initially, the virus was spread through email from a supposed police agency belonging to your country, in which the attachment was the malware itself. This was the simplest way to get it.
At the start of my investigation, I couldn't get it because the host did not have the virus anymore, which leads me to believe in my hypothesis (from my earlier post) that they may be using a server to provide them the cash transfer when the victims decides to pay. Moreover, getting a sample of this malware was a complete pain.

Guess what? This is what appeared when I opened the email.



Some kind of korean adult website?...


After getting the virus

The following screenshot is an example of the virus after it installs in your PC.




How to get rid of the virus



Bah! The virus did not run in safe mode. This means I got a weaker version of the Police Virus...
It's surprisingly awful that casual people get the newest version and I, who have been searching for weeks for a damned sample, get an older version. Better than nothing, though.





It appears that the culprit is glom0_og.


Below is the log from ComboFix:

Code: Select all

ComboFix 12-07-12.02 - TheDarkestHour 07/12/2012  15:49:33.1.1 - x86 NETWORK
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.191.94 [GMT 1:00]
Running from: c:\documents and settings\TheDarkestHour\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\TheDarkestHour\Application Data\Media Finder\Extensions\IEPLugin32.dll
.
c:\windows\system32\drivers\usbehci.sys . . . is missing!!
.
.
(((((((((((((((((((((((((   Files Created from 2012-06-12 to 2012-07-12  )))))))))))))))))))))))))))))))
.
.
2012-07-12 11:41 . 2012-07-12 11:41   --------   d-----w-   c:\windows\Sun
2012-07-12 11:34 . 2012-07-12 11:34   --------   d-----w-   c:\program files\BabylonToolbar
2012-07-12 11:34 . 2012-07-12 11:35   1492   ----a-w-   C:\user.js
2012-07-12 11:34 . 2012-07-12 11:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\Babylon
2012-07-12 11:34 . 2012-07-12 11:34   --------   d-----w-   c:\documents and settings\TheDarkestHour\Application Data\Babylon
2012-07-12 11:33 . 2012-07-12 11:35   --------   d-----w-   c:\documents and settings\TheDarkestHour\Application Data\YourFileDownloader
2012-07-12 11:33 . 2012-07-12 11:33   --------   d-----w-   c:\program files\YourFileDownloader
2012-07-12 11:21 . 2012-07-12 11:23   --------   d-----w-   c:\documents and settings\TheDarkestHour\Application Data\Media Finder
2012-07-12 11:21 . 2012-07-12 11:23   --------   d-----w-   c:\program files\Media Finder
2012-07-06 22:35 . 2012-07-06 22:35   --------   d-----w-   c:\documents and settings\TheDarkestHour\Application Data\RBotPlus
2012-07-06 22:35 . 2012-07-06 22:35   --------   d-----w-   c:\program files\RBPlus
2012-07-06 22:21 . 2012-07-06 22:21   --------   d-----w-   C:\Casino
2012-07-05 23:25 . 2012-06-05 14:10   75096   ----a-w-   c:\windows\system32\VBoxDisp.dll
2012-07-05 23:25 . 2012-06-05 14:10   104280   ----a-w-   c:\windows\system32\drivers\VBoxVideo.sys
2012-07-05 23:25 . 2012-06-05 14:10   954712   ----a-w-   c:\windows\system32\VBoxTray.exe
2012-07-05 23:25 . 2012-06-05 14:10   745816   ----a-w-   c:\windows\system32\VBoxControl.exe
2012-07-05 23:25 . 2012-06-05 14:10   108376   ----a-w-   c:\windows\system32\drivers\VBoxGuest.sys
2012-07-05 23:25 . 2012-07-05 23:25   --------   dc----w-   c:\windows\system32\DRVSTORE
2012-07-05 23:25 . 2012-07-05 23:25   --------   d-----w-   c:\program files\Oracle
2012-06-14 10:49 . 2001-08-17 21:36   8704   -c--a-w-   c:\windows\system32\dllcache\kbdjpn.dll
2012-06-14 10:49 . 2001-08-17 21:36   8704   ----a-w-   c:\windows\system32\kbdjpn.dll
2012-06-14 10:49 . 2001-08-17 21:36   8192   -c--a-w-   c:\windows\system32\dllcache\kbdkor.dll
2012-06-14 10:49 . 2001-08-17 21:36   8192   ----a-w-   c:\windows\system32\kbdkor.dll
2012-06-14 10:49 . 2001-08-17 13:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101c.dll
2012-06-14 10:49 . 2001-08-17 13:55   6144   ----a-w-   c:\windows\system32\kbd101c.dll
2012-06-14 10:49 . 2001-08-17 13:55   5632   -c--a-w-   c:\windows\system32\dllcache\kbd103.dll
2012-06-14 10:49 . 2001-08-17 13:55   5632   ----a-w-   c:\windows\system32\kbd103.dll
2012-06-14 10:49 . 2001-08-17 13:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101b.dll
2012-06-14 10:49 . 2001-08-17 13:55   6144   ----a-w-   c:\windows\system32\kbd101b.dll
2012-06-14 10:49 . 2008-04-14 04:39   6144   -c--a-w-   c:\windows\system32\dllcache\kbd106.dll
2012-06-14 10:49 . 2008-04-14 04:39   6144   ----a-w-   c:\windows\system32\kbd106.dll
2012-06-14 10:08 . 2012-06-14 10:09   --------   d-----w-   c:\documents and settings\TheDarkestHour\Local Settings\Application Data\BearShare
2012-06-14 10:07 . 2012-06-14 10:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\BearShare
2012-06-14 10:07 . 2012-06-14 10:07   --------   d-----w-   c:\program files\BearShare Applications
2012-06-14 10:07 . 2012-06-14 10:08   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{CA469C75-B6C8-4E68-A33B-1230FFA6CFDB}
2012-06-14 10:07 . 2012-06-14 10:07   --------   d-----w-   c:\documents and settings\TheDarkestHour\Local Settings\Application Data\PackageAware
2012-06-14 08:38 . 2012-06-14 08:46   --------   d-----w-   c:\documents and settings\TheDarkestHour\.frostwire5
2012-06-14 08:37 . 2012-06-14 08:37   --------   d-----w-   c:\program files\FrostWire 5
2012-06-14 08:37 . 2012-06-14 08:37   --------   d-----w-   c:\program files\Common Files\Java
2012-06-14 08:35 . 2012-06-14 08:32   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2012-06-14 08:35 . 2012-06-14 08:32   476960   ----a-w-   c:\windows\system32\npdeployJava1.dll
2012-06-14 08:35 . 2012-06-14 08:32   472864   ----a-w-   c:\windows\system32\deployJava1.dll
2012-06-14 08:31 . 2012-06-14 08:31   --------   d-----w-   c:\program files\Java
2012-06-14 08:11 . 2005-02-25 03:35   22752   ----a-w-   c:\windows\system32\spupdsvc.exe
2012-06-14 08:08 . 2012-06-14 08:24   --------   d--h--w-   c:\windows\$hf_mig$
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 11:33 . 2012-06-09 17:16   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-07-12 11:33 . 2012-06-09 17:16   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-05 14:10 . 2012-06-05 14:10   745816   ----a-w-   c:\windows\system32\VBoxOGLfeedbackspu.dll
2012-06-05 14:10 . 2012-06-05 14:10   483672   ----a-w-   c:\windows\system32\VBoxOGLarrayspu.dll
2012-06-05 14:10 . 2012-06-05 14:10   151896   ----a-w-   c:\windows\system32\VBoxOGLerrorspu.dll
2012-06-05 14:10 . 2012-06-05 14:10   1380696   ----a-w-   c:\windows\system32\VBoxOGLpackspu.dll
2012-06-05 14:10 . 2012-06-05 14:10   115032   ----a-w-   c:\windows\system32\VBoxOGLpassthroughspu.dll
2012-06-05 14:10 . 2012-06-05 14:10   1069400   ----a-w-   c:\windows\system32\VBoxService.exe
2012-06-05 14:10 . 2012-06-05 14:10   1007960   ----a-w-   c:\windows\system32\VBoxOGL.dll
2012-06-05 14:10 . 2012-06-05 14:10   754008   ----a-w-   c:\windows\system32\VBoxMRXNP.dll
2012-06-05 14:10 . 2012-06-05 14:10   85848   ----a-w-   c:\windows\system32\drivers\VBoxMouse.sys
2012-06-05 14:10 . 2012-06-05 14:10   250200   ----a-w-   c:\windows\system32\VBoxOGLcrutil.dll
2012-06-05 14:10 . 2012-06-05 14:10   225112   ----a-w-   c:\windows\system32\drivers\VBoxSF.sys
2012-06-05 14:09 . 2012-06-05 14:09   67416   ----a-w-   c:\windows\system32\VBoxHook.dll
2012-06-02 14:19 . 2009-08-06 18:24   22040   ----a-w-   c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2012-06-09 16:25   329240   ----a-w-   c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2012-06-09 16:25   219160   ----a-w-   c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2012-06-09 16:25   210968   ----a-w-   c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2009-08-06 18:24   15384   ----a-w-   c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2012-06-09 16:25   53784   ----a-w-   c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2012-06-09 16:25   35864   ----a-w-   c:\windows\system32\wups.dll
2012-06-02 14:19 . 2009-08-06 18:24   45080   ----a-w-   c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2009-08-06 18:24   15384   ----a-w-   c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2008-04-14 04:41   97304   ----a-w-   c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2009-08-06 18:24   17944   ----a-w-   c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2012-06-09 16:25   577048   ----a-w-   c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2012-06-09 16:25   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Media Finder"="c:\program files\Media Finder\Media Finder.exe" [2012-06-28 8613888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2012-06-05 954712]
.
c:\documents and settings\TheDarkestHour\Start Menu\Programs\Startup\
ctfmon.lnk - c:\windows\system32\rundll32.exe [2008-4-14 33280]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\YourFileDownloader\\Downloader.exe"=
"c:\\Program Files\\YourFileDownloader\\YourFile.exe"=
.
R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [7/6/2012 12:25 AM 108376]
R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [6/5/2012 3:10 PM 225112]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [6/5/2012 3:10 PM 85848]
S2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/9/2012 6:16 PM 250056]
S3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [7/6/2012 12:25 AM 104280]
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-09 11:34]
.
2012-07-12 c:\windows\Tasks\Your File Updater.job
- c:\program files\YourFileDownloader\YourFileUpdater.exe [2012-07-12 11:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/?affID=112555&babsrc=HP_ss&mntrId=b82a7e6d000000000000080027851d2c
IE: Download with &Media Finder - c:\program files\Media Finder\hook.html
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-12 15:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-07-12  15:57:40
ComboFix-quarantined-files.txt  2012-07-12 14:57
.
Pre-Run: 7,390,814,208 bytes free
Post-Run: 7,501,234,176 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 2FBC541BD82513F72BFADEF366EF63E7


After ComboFix



This error always occurs because the virus is supposed to be run at startup. Since ComboFix purged it, the virus is still marked in msconfig to be run at startup.




MalwareBytes detected a few threats because, usually, the Police Virus leaves a few leftovers. However, in this case, it's more appropriate to say that these threats were because of my futile attempt in browsing all porn sites available in order to get the right virus.




I wanted to get the most recent Police Virus, but I've grown weary of browsing so many porn websites.

[LoGiCaL__]

AH, I remember this. Just as a heads up though, usually running combofix and malware bytes alone isn't enough. I have a command line scanner that has many viruses db's but the only good one is sophos. You have to update it and it's not a real-time scanner, but it always finds some residual malware lying around. Nice job though with putting this together.

I'm going to combine this with the other thread for forum organization purposes.