Beware of 'child porn' Computer virus

[Hum]

German federal police are warning about a computer virus that accuses victims of viewing "juvenile pornography".

It also displays an image that it claims reveals images of child sexual abuse have been viewed on a computer.

The Windows virus locks a computer and only returns control to its owner on payment of a 100 euro (?86) fine.

It purports to be collecting cash on behalf of German copyright authorities and the country's national computer security agency.

The virus amounted to "digital extortion" and victims should not pay up, said German police.

The warning about the novel strain of ransomware was issued by Germany's Federal Criminal police office (the Bundeskriminalamt or BKA).

The ransomware version found by the BKA uses a pop-up window that says the machine has been locked down due to "unauthorised network activity". The window is crafted to look like it has been put together by Germany's Federal Office for Information Security (BKI) and its society for prosecution of copyright infringement (GVU).

Text in the window claims that images of child sexual abuse as well as pirated content have been found on the machine. Also displayed is an picture of a child which it claims reveals illegal images have been viewed.

Rik Ferguson, director of security research at Trend Micro, said it was the first time he had heard of ransomware displaying images that users were accused of harbouring.

more

[+Gary7 Subscriber²]

I do not go to such sites so I am not worried.

[carmatic]

maybe somewhere in the source code there is an ASCII pedo bear ....

[Original Poster]

I removed a simular virus for a neighbor last year.... all you do is safe mode + roll back... fixed

[Hum]

For less than that silly ransom, I could install a new hard drive. :laugh:

[compl3x]

For less than that silly ransom, I could install a new hard drive. :laugh:

I guess you have to appreciate this would terrify non-tech savvy users.

[The Evil Overlord]

Spybot's good at getting rid of these things too

(Hasn't let me down yet, but then I have back up removers too)

[Growled Member]

Yeah, a friend of mine got something similar last week. Took only a few minutes to clean but he was terrified. Thought his computer was full of viruses and he was going to have to pay to fix it.

[G_0]

This is not anything new. It's actually extremely easy to clean out also. The problem with this attack and other variants is that there is a very high likelyhood that saved credentials are being stolen (log on and credit info from websites). If anyone needs help cleaning you can send me a PM but really there are tons of tools that will do it for you, what you should be concerned about is your information.

[I am Reid]

yea ive also had to fix quite a few computers over the last few months with this one. It does a pretty good job at completely locking out the victim though, so I could see why it scares people, pretty much nothing works short of rebooting into safemode, from there its easy, but it for sure gives people a good scare.

[*RedBull*]

I will beware of child porn from here on out!! Thanks for the warning. That was close. Too close... :s

[Hum]

Yeah, a friend of mine got something similar last week. Took only a few minutes to clean but he was terrified. Thought his computer was full of viruses and he was going to have to pay to fix it.

So how did you fix it ?

I will beware of child porn from here on out!! Thanks for the warning. That was close. Too close... :s

I don't think people were visiting poRn sites at all -- but other questionable warez/pirate sites.

Here's an interesting article on ransomware:

http://blogs.technet.com/b/markrussinovich/archive/2013/01/07/3543763.aspx

[Growled Member]

So how did you fix it ?

I started Windows in safe mode and ran rkill. I then ran spybot to make sure I got it.

[Hum]

^ Is rkill part of Windows 7 Defender ... ?

I've always started the Task Manager as fast as possible, saw and stopped the bad process, then Deleted the .exe proggy.

Symantec provides a free tool, Norton Power Eraser, that seeks out and destroys ransomware and other forms of "scareware," like fake antivirus software.

[Growled Member]

^ Is rkill part of Windows 7 Defender ... ?

No. You can find it here:

http://www.bleepingcomputer.com/download/rkill/

[Hum]

I just ran the Norton Power Eraser -- nothing bad found. ;)

[BeerFan]

maybe somewhere in the source code there is an ASCII pedo bear ....

[+BudMan MVC]

I do not go to such sites so I am not worried.

I don't think people were visiting poRn sites at all -- but other questionable warez/pirate sites.

This is just typical everyday virus stuff - nothing really new other than maybe the kiddie p0rn aspect of it, which is not really funny at all.

But these statements caught my eye - have you read cisco's report?

------

http://www.cisco.com/en/US/prod/vpndevc/2013-annual-security-report.pdf

The general belief is that sites that promote criminal activity?such as sites selling illegal pharmaceuticals or counterfeit luxury goods?are most likely to host malware. Our data reveals the truth of this outdated notion, as Web malware encounters are typically not the by-product of ?bad? sites in today?s threat landscape.

As Cisco data shows, the notion that malware infections most commonly result from ?risky? sites such as counterfeit software is a misconception. Cisco?s analysis indicates that the vast majority of web malware encounters actually occur via legitimate browsing of mainstream websites. In other words, the majority of encounters happen in the places that online users visit the most?and think are safe.

Holding the second spot on the list are online advertisements, comprising 16 percent of total web malware encounters. Syndicated advertising is a common means of monetizing websites, so a single malicious ad distributed in this manner can have a dramatic, adverse impact.

--------

[+Warwagon MVC]

This is just typical everyday virus stuff - nothing really new other than maybe the kiddie p0rn aspect of it, which is not really funny at all.

But these statements caught my eye - have you read cisco's report?

------

http://www.cisco.com...rity-report.pdf

The general belief is that sites that promote criminal activity?such as sites selling illegal pharmaceuticals or counterfeit luxury goods?are most likely to host malware. Our data reveals the truth of this outdated notion, as Web malware encounters are typically not the by-product of ?bad? sites in today?s threat landscape.

As Cisco data shows, the notion that malware infections most commonly result from ?risky? sites such as counterfeit software is a misconception. Cisco?s analysis indicates that the vast majority of web malware encounters actually occur via legitimate browsing of mainstream websites. In other words, the majority of encounters happen in the places that online users visit the most?and think are safe.

Holding the second spot on the list are online advertisements, comprising 16 percent of total web malware encounters. Syndicated advertising is a common means of monetizing websites, so a single malicious ad distributed in this manner can have a dramatic, adverse impact.

--------

Exactly!

I went down to my competitors office to see if he had some really old sdram for an old laptop. While I was there I asked him "Have you been seeing very many infections caused my java?"

I asked him this because I always got the feeling from talking to him that he doesn't know java is a major infection vector. In fact I had someone call me to do a house call at their house right after he cleaned their PC up from an infection. What I found was that he left an out of date version of java (or java in general) on the machine. Malwarebytes also wasn't on the machine, even though the invoice said "Scanned with malwarebytes". Im pretty sure he uninstalled it so the customers couldn't do their own scan.

His answer to my question was this..

"Every now and then when I do a scan I see java files, (I think he meant java exploit files) just means they were browsing porn".

*facepalm*

[+BudMan MVC]

Well I am not as paranoid as you when it comes to java ;) Yes it can be an exploitable point on a users machine while they browse the infection highway that is the public internet.. But their are also other exploits out there that are not java..

Your java threads come across that if your not running java your never going to get infected to me.. To be honest, I think a vast majority of infections are users just being stupid as users tend to be. Be it you have java installed or not.

Got an email from a friend while back -

So in this day and age who in their right mind would follow such a link?? Did you just start using email yesterday? Have you not heard any virus related news in the last decade? I have blocked out the info -- because I don't want anyone following such a link out of pure curiosity, etc. Keep in mind the domain in question not even taking into account the rest of the url is not say youtube or other major players site where might be sending link to funny video or article of interest, etc. Then look at the rest of the url -- does that look like a normal link to you?? Really?

Is there any text to go along with said link - hey guys thought you all might find this funny or interesting, etc. Its clearly junk, even if she had sent me that on purpose I would not follow it because there is no explanation of why I should in her style of writing, etc.

So I contacted her right away, and stated either someone is sending junk using your email address, or your account has been compromised and is sending it. She said yeah quite a few of her friends had followed the link - and THEN contacted her on why she sent -- WTF??? Really Come on People!

If you have users that would click on said link, then you have 1000 more users out there that click on the flashy AD on some site that says "Click Me" you have won, or get something FREE or whatever other tricks they use to try and get your click.

I personally would never in a million years follow a AD of any sort.. Just not going to do it -- if in the off chance some Ad peaked my interested on a site.. I would look up that said something on my own and follow though with getting info I needed from my curiosity being peaked.

Do drive-by's happen - sure, is java used to exploit your machine again sure. But also just plain stupidity is to blame that has nothing to do with an exploit to the malware installed - user installed of their own free will is quite often the case. Antivirus/Security suites have a hard time with such software.. Because the user agreed to install it, etc. And yes it might of been in small print, but clearly stated that installing such software allows to access your contact list and send emails to your contacts 3000 times a day, etc. Or to popup **** on your screen that is stuff "we" think you might want, etc. Or we are going to reroute your internet traffic through our proxy/search engine so we can determine what you like and "better" serve you, etc. ;)

Now this ransomware seems very familiar to others out there just taking a different scare tactic approach to relieve idiots from their money -- hey your infected!! Click here to fix it, pay just $39.95 etc. Oh btw we hid all the items off the start bar because they were "infected" ;) We will put them back once they have been cleaned... After you pay the $39.95 -- Sorry that CC did not work, try another, Sorry that one not working either, try another, try another.. I have seen people feed in every CC they own into such nonsense.. Its like when they sit in front of computer they turn off their brain ;)

tl:dr -- ranting about users and infections and lack of common sense.

[Hum]

Malwarebytes also wasn't on the machine, even though the invoice said "Scanned with malwarebytes".

I'm pretty sure he uninstalled it so the customers couldn't do their own scan.

*facepalm*

Glad I can fix my own computers. :s

[+BudMan MVC]

Agreed, yeah I saw that point - which I completely agree with.. Even people in IT can be clueless.. I just got side tracked with my rant and then when it finally clicked that this is getting so long that nobody is going to read it I forgot to agree with your "facepalm" ;)