Beware of new Windows activation Trojan

09/06/2011
G DATA Blog

A bad moment to change your mind, in case you are using an unlicensed or trial copy of Microsoft Windows: what the scammers promise you here is not what you think you will get. Don't fall for their trick! This new ransomware in Windows style reminds us of the German Federal Police blackmailing Trojan that appeared earlier this year.

In case of an infection, the PC is locked and inoperable. The malware displays a screen with a fake Microsoft Windows activation request.


G Data products identify this particular ransomware as Trojan.Generic.KDV.340157 (Engine A) and Win32:Trojan-gen (Engine B).

How to identify this kind of threat as a rip-off:
First of all, do not be fooled by the official Windows logo or any other alleged sign of authenticity! Do not pay the money demanded, and do not enter any personal information or any genuine Windows license information on the website.

The screen message pretends to have checked the genuineness of the installed Windows version, but the warning displayed does not look like the original Windows activation notification screen at all.
One can check the genuineness of the installed Windows version on the official Microsoft “Genuine Windows” website, which also provides all the necessary information on how to activate a Windows copy.

The victim is urged to pay €100 with a Ukash coupon code or a Paysafecard; both are pre-paid payment methods available in many public shops (post offices, gas stations, etc.).
Microsoft would never ask a customer to pay a fee or fine with Ukash coupon codes or Paysafecard!

The victim is asked to enter the pre-paid card’s identification number and a personal identification number, along with an email address or cell phone number, on a website. This website is said to be “Microsoft’s activation page”, which obviously is a fake! Even the buttons that appear to be hyperlinks are not real hyperlinks but mere images!

Microsoft would not launch any kind of official service on a website outside the official Microsoft domains!
Microsoft would take much better care to avoid typos in the URL.
One can acquire individually licensed genuine Windows 7 retail licenses “through one of three channels: retail, original equipment manufacturer (OEM), or Volume Licensing (VL)”, Microsoft explains. One will not receive licenses by email or SMS, as the fake screen above tries to imply.

The screen message tries to add emphasis to its demand by explaining that all data stored on the computer and the Windows copy will be irrevocably deleted if the user ignores the warning and does not activate the Windows version within 48 hours.
Our analyses have not shown any deletion of files after 48 or more hours, so far.

The cited law (§126 para. 3 German Copyright Law) is used to imply that the user would be acting unlawfully if he/she does not perform the activation. This argument has no basis, as this particular section and paragraph concern a completely different topic.
The way legal facts and allegedly possible consequences are presented is not trustworthy either! Legal entities would not announce an accusation on a website, and certainly not with linguistic inadequacies and without hard facts.


System modifications detected:

  • copies itself to the Startup folder of the current user
  • copies itself to the Startup folder of "All Users"
  • copies itself to %APPDATA%\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\msvcs.exe
    [please note: the X symbols stand for an individual machine code]
  • Safe Mode is not accessible.


Removal instructions:

  1. Boot from the G Data Boot CD
  2. Scan the computer and remove all "msvcs.exe" files.
  3. Reboot
  4. (optional) Manual cleaning of the registry

The orphaned registry entries are harmless if the malicious msvcs.exe files were removed properly. If you do not feel comfortable working in the registry or have never done it before, you may leave these entries untouched. Please note: the X symbols in the following registry entries stand for an individual machine code.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    - entry %APPDATA%\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\msvcs.exe
    - entry can be deleted optionally
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    - entry %APPDATA%\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\msvcs.exe
    - entry can be deleted optionally
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    - additional entry %APPDATA%\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\msvcs.exe
    - beware: the "userinit" entry cannot be deleted!
    - everything after "C:\WINDOWS\system32\userinit.exe," can optionally be deleted.
  • HKEY_CURRENT_USER\Software\Classes\CLSID\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    - A CLSID folder with the default key pointing to the initial dropper (probably a path in %TEMP%).
    - whole folder can optionally be deleted. But beware: do not delete the wrong folder. This can be difficult, as the path of the initial dropper is unknown.
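The following read-only PowerShell check is an added example, not part of the G DATA post or its products: it walks the persistence locations listed in the system modifications and registry sections above (both Run keys, the Winlogon Userinit value, both Startup folders and %APPDATA%) and reports any msvcs.exe entry living in a GUID-named folder. The GUID regex is an assumption standing in for the individual machine code the post masks with X symbols, and the script assumes PowerShell on .NET 4 or later for the CommonStartup folder lookup.

```powershell
# Added example (not from the G DATA post): read-only check of the persistence
# locations described above for the GUID-named msvcs.exe indicator. The GUID
# regex is an assumption standing in for the machine code masked with X symbols.
$guid = '[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}'
$indicator = "(?i)\\$guid\\msvcs\.exe"   # matches ...\<GUID>\msvcs.exe anywhere in a path
$findings = @()

# 1. Run keys (HKCU and HKLM): value named after the GUID, data pointing to msvcs.exe
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match $indicator) {
            $findings += "Run value '$($p.Name)' in $key -> $($p.Value)"
        }
    }
}

# 2. Winlogon\Userinit: the legitimate value is "C:\WINDOWS\system32\userinit.exe,"
#    and the Trojan appends its own path after the comma. Any extra entry is
#    reported so the admin can review it; nothing is modified here.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
foreach ($entry in ("$userinit" -split ',')) {
    $e = $entry.Trim()
    if ($e -and $e -notmatch '(?i)\\system32\\userinit\.exe$') {
        $findings += "Extra Userinit entry: $e"
    }
}

# 3. Startup folders (current user and All Users) and %APPDATA%\<GUID>\msvcs.exe
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
foreach ($dir in $startupDirs) {
    $hit = Join-Path $dir 'msvcs.exe'
    if (Test-Path $hit) { $findings += "Startup copy: $hit" }
}
foreach ($sub in (Get-ChildItem -Path $env:APPDATA -ErrorAction SilentlyContinue)) {
    if ($sub.PSIsContainer -and $sub.Name -match "^$guid$") {
        $dropped = Join-Path $sub.FullName 'msvcs.exe'
        if (Test-Path $dropped) { $findings += "Dropped copy: $dropped" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No msvcs.exe persistence indicators found.' }
```

Run it from an elevated prompt so the HKLM keys and the All Users Startup folder are readable; on an infected machine it should be run from the boot medium or after the lock screen has been removed, since the Trojan makes the running system unusable.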


Further tips:

  • Use a comprehensive AV product with current virus signatures, an HTTP filter etc. to protect your PC and all digital data.
  • Always keep the operating system and browser updated to the latest version and install updates regularly.
  • Do not click hyperlinks thoughtlessly. Many domains used for this kind of scam try to lure users with a combination of keywords related to the software and AV business.
  • Analyze the style of language and the spelling of the pop-ups and warnings displayed. Too many mistakes or odd phrasing hint at a scam.
  • Remember: genuine system messages will be displayed in your system’s language.
  • Never disclose any personal information and/or bank data - either via email or on dubious websites.
  • Never transfer money to an unknown person.