A new ransomware trojan variant with child pornography

We wrote about the ransomware trojan (aka BKA Trojan) and its new methods of blackmailing people into paying: it claims, in the name of an official institution, that the user did something illegal, such as storing child pornography pictures on his computer.

The new variant of the BKA trojan attempts to blackmail the owners of infected computers with four pornographic pictures of children (the last version had only one picture). It pretends to come from the press office of the BKA.

[Screenshots: Revoyem_DE_2013-05 (new variant) and Revoyem_DE_2013-04 (previous variant)]

But while the last version only claimed that the user was in possession of pornographic material with children, the difference this time is that the trojan actually copies pictures onto the user’s computer. To be even more credible, the trojan shows names and birth dates of the children in the pictures (to "prove" that they are minors).

As with the other known variants, the malware locks the user’s computer and demands 100€ (135 USD), to be paid via Ukash or paysafecard. Failing to do so, it claims, will result in all data on the computer being destroyed and the user (identified by the IP address and the user agent string of the browser) being convicted and punished. The cybercriminals are constantly trying new texts in order to look as convincing as possible.

The malware is distributed via drive-by downloads as an executable file with temporary (randomly chosen) names.

Various media reported that this new version also has better support for the webcam, so if the computer’s webcam is supported, the user sees himself in a small picture on the screen. Unfortunately, our VLAB could not test this scenario at this time. This social engineering technique creates an acute sense of emergency because it conveys the message that the BKA is “watching” the user.


Starting with engine version 8.2.10.246, all Avira products detect the malicious files of the trojan with the generic detection TR/Crypt.ULPM.Gen. The pictures that are dropped on the user’s computer are also deleted. Please note that the full repair functionality is only available in the Windows products, not in the Rescue System or the command line scanner.

We strongly advise users never to pay the ransom. Use the Rescue CD to clean the malware from your computer, or ask an expert for help.

Sorin Mustaca

IT Security Expert