Federal Police Scam

During our usual malware analysis we found a malware sample that displays a fake warning posing as an official notice from the German “Bundeskriminalamt” (the German Federal Police). The page contains various logos taken from the official Internet sites.

It is easy to see that this page is not from the federal police: the site displays a free yahoo.com mail address and is full of grammatical mistakes and typos. The authors of the malware are trying to pressure the victims into paying 100 € via an anonymous payment service called “UKash” to unlock the infected PC. Should the victim fail to pay within 24 hours, the cyber criminals threaten to delete the whole content of the hard disk.

Right after execution, the malware creates two files inside the temporary directory and executes them as soon as they are written. The dropped files are detected by Avira AntiVir as TR/Dldr.PinchLord.C and TR/Dldr.Harnig.S.210.
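The drop-and-execute behaviour described above is a pattern a defender can correlate from endpoint telemetry. The script below is an added example, not code from Avira or from the analysed sample: it reads a constructed, in-memory list of Sysmon-style events (event 11 = file create, event 1 = process create; the process ids, paths and field names are assumptions) and reports every process that wrote a file into the user's temp directory and then launched that same file.

```python
"""Toy detection for a dropper that writes executables into the temp
directory and then runs them. All events below are constructed for this
example; they were not captured from the sample discussed in the post."""
from collections import defaultdict

# Constructed sample events, in time order (field names assumed).
EVENTS = [
    {"id": 1,  "pid": 100, "ppid": 4,   "image": r"C:\Users\bob\Downloads\invoice.exe"},
    {"id": 11, "pid": 100, "target": r"C:\Users\bob\AppData\Local\Temp\a.exe"},
    {"id": 11, "pid": 100, "target": r"C:\Users\bob\AppData\Local\Temp\b.exe"},
    {"id": 1,  "pid": 101, "ppid": 100, "image": r"C:\Users\bob\AppData\Local\Temp\a.exe"},
    {"id": 1,  "pid": 102, "ppid": 100, "image": r"C:\Users\bob\AppData\Local\Temp\b.exe"},
    # Benign: an installer writes a log to temp but its child runs elsewhere.
    {"id": 1,  "pid": 200, "ppid": 4,   "image": r"C:\Users\bob\setup.exe"},
    {"id": 11, "pid": 200, "target": r"C:\Users\bob\AppData\Local\Temp\log.txt"},
    {"id": 1,  "pid": 201, "ppid": 200, "image": r"C:\Program Files\App\app.exe"},
]

# Matched case-insensitively against the lower-cased path.
TEMP_MARKER = "\\appdata\\local\\temp\\"


def is_temp_path(path):
    """True if the path lies under the per-user temp directory."""
    return TEMP_MARKER in path.lower()


def find_drop_and_execute(events):
    """Return {parent_pid: [executed paths]} for every process that created
    a file in the temp directory and later started a child from that file."""
    written = defaultdict(set)   # pid -> lower-cased temp paths it created
    hits = defaultdict(list)
    for ev in events:
        if ev["id"] == 11 and is_temp_path(ev["target"]):
            written[ev["pid"]].add(ev["target"].lower())
        elif ev["id"] == 1 and ev["image"].lower() in written.get(ev["ppid"], ()):
            hits[ev["ppid"]].append(ev["image"])
    return dict(hits)


if __name__ == "__main__":
    for pid, paths in find_drop_and_execute(EVENTS).items():
        print(f"pid {pid} dropped and executed {len(paths)} file(s) from temp: {paths}")
```

Real telemetry would need a time window and a check that the dropped file is actually an executable, but the correlation of "who wrote it" with "who ran it" is the core of the rule.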

Once placed on the system and executed, these files try to download further malware components from bal***on.com.

Avira users are protected from the threat with VDF version 7.11.05.134. The main malware is detected as TR/PSW.Papras.A.2.

Heng Chia Ho
Virus Researcher