Samsung Laptops do not have a keylogger (and it was our fault)

A Slovenian language directory for Windows Live is causing us considerable headaches this morning, and we have no one to blame but ourselves. 

A Network World article has alleged that Samsung laptops ship with a keylogger.  Unfortunately (and to our dismay), the evidence was based on a false positive by VIPRE for the StarLogger keylogger.

The detection was based on a rarely-used and aggressive VIPRE detection method, using folder paths as a heuristic.  I want to emphasize “rarely”, as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process.  (It’s not common knowledge, but folder path detections are actually used by a good number of antimalware products.  They are generally frowned upon, because a folder that clearly looks like one created by malware has the potential of generating just this kind of result — a false positive.)

The directory in question was C:\WINDOWS\SL, the Slovenian language directory for Windows Live.  This same directory path is used by the StarLogger keylogger.

How does this happen?   A researcher has a number of tools at his or her disposal to detect a piece of malware.  These include a broad range of detection types, chosen according to the malware in question. Sometimes a simple signature is fine; other times a more carefully crafted detection is needed.  In VIPRE, the detection types include heuristic (meaning, using a method of pattern analysis on the file); behavioral (looking at the behaviour of a file in VIPRE’s emulator to see if it does anything malicious) and signature-based (simply creating a file signature for the file).  The heuristic toolkit can involve any number of types of analysis, including looking at the contents of the file for specific patterns that indicate malware.  A researcher can also (but rarely) use a folder path as part of a more comprehensive detection set.  Imagine you’re a researcher:  you see the folder name “C:\windows\sl”.  This is, indeed, something one would never have found on a Windows system at the time the detection was written, so the researcher added this folder path to his heuristics for this keylogger.  It was peer-reviewed and tested against a broad range of Windows platforms, including every foreign language set.  Everything is fine and dandy… except that at some point several years after the original detection was written, Windows Live started using that directory to install Slovenian language files for Windows Live.  Samsung started pre-installing Windows Live, including all the languages, and there you have the problem we’re having today.
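To make the mechanism concrete, here is an added Python sketch (not VIPRE’s engine, nor code from this post) of a toy scanner with two rules for the same keylogger: one that fires on the folder path alone, and one that treats the path as a single indicator and needs a second, content-based hit before firing. All file paths, file contents and the content marker are constructed for the illustration.

```python
"""Folder-path heuristics and the false positive they invite.

Added illustration, not VIPRE's engine.  Rule A trusts the install folder
alone (the "folder path as a heuristic" the post describes).  Rule B treats
the folder as one indicator among several and needs a second one before it
fires.  A benign Windows Live Slovenian resource file that lands in the same
folder years later trips rule A but not rule B.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class FileEntry:
    path: str       # Windows path, e.g. C:\WINDOWS\SL\something.dll (constructed)
    content: bytes  # constructed file body


@dataclass
class Rule:
    name: str
    folder: Optional[str] = None                 # directory compared case-insensitively
    content_markers: List[bytes] = field(default_factory=list)
    min_indicators: int = 1                      # independent hits needed before firing

    def indicators(self, entry: FileEntry) -> List[str]:
        """Return the names of the indicators this file satisfies."""
        hits: List[str] = []
        if self.folder is not None:
            directory = entry.path.rsplit("\\", 1)[0].lower()
            if directory == self.folder.lower():
                hits.append("folder")
        if any(marker in entry.content for marker in self.content_markers):
            hits.append("content")
        return hits

    def matches(self, entry: FileEntry) -> bool:
        return len(self.indicators(entry)) >= self.min_indicators


# Constructed stand-in for a real content signature; a production rule would use
# byte patterns taken from the actual sample, not a readable marker like this.
KEYLOGGER_MARKER = b"CONSTRUCTED-STARLOGGER-MARKER"
SL_FOLDER = r"C:\WINDOWS\SL"

# Rule A: the aggressive, rarely used form -- the folder alone is enough.
FOLDER_ONLY = Rule("StarLogger.path", folder=SL_FOLDER)

# Rule B: the folder still counts, but only together with a content hit.
FOLDER_PLUS_CONTENT = Rule(
    "StarLogger.combined",
    folder=SL_FOLDER,
    content_markers=[KEYLOGGER_MARKER],
    min_indicators=2,
)

# Constructed disk image: one keylogger drop, one Windows Live Slovenian resource
# installed into the same folder after rule A was written, and an unrelated file.
SAMPLE_FILES = [
    FileEntry(r"C:\WINDOWS\SL\constructed_sample.exe",
              b"MZ...." + KEYLOGGER_MARKER + b"...."),
    FileEntry(r"C:\WINDOWS\SL\WLive.resources.dll",
              b"MZ.... Windows Live (sl-SI) resources (constructed)"),
    FileEntry(r"C:\Program Files\Editor\editor.exe", b"MZ.... harmless editor"),
]


def scan(files: List[FileEntry], rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each path to the names of the rules that fire on it."""
    return {f.path: [r.name for r in rules if r.matches(f)] for f in files}


def false_positives(files: List[FileEntry], rule: Rule,
                    known_malicious: Set[str]) -> List[str]:
    """Paths the rule flags that are not in the known-malicious set."""
    return sorted(f.path for f in files
                  if rule.matches(f) and f.path not in known_malicious)


if __name__ == "__main__":
    malicious = {SAMPLE_FILES[0].path}
    for rule in (FOLDER_ONLY, FOLDER_PLUS_CONTENT):
        print(rule.name, "false positives:",
              false_positives(SAMPLE_FILES, rule, malicious))
```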

We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive.

False positives do happen; they are inevitable, and like all antivirus companies we continually strive to improve our detections while reducing any chance of a false positive.  This one (admittedly, an incredibly embarrassing one) made it through our processes, and I have met with the senior managers in the area this morning to handle what happened and to continue to improve our processes.

The false detection is fixed in definition set 8878.

Alex Eckelberry
General Manager, GFI Security

GNU Free Call announced…

Well, this is pretty interesting:

GNU Free Call is a new project to develop and deploy secure self-organized communication services worldwide for private use and for public administration. We use the open standard SIP protocol and GNU SIP Witch to create secured peer-to-peer mesh calling networks, and we welcome all participation in our effort.

Our goal is to make GNU Free Call ubiquitous in a manner and level of usability similar to Skype, that is, usable on all platforms, and directly by the general public for all manner of secure communication between known and anonymous parties, but without requiring a central service provider to register with, without using insecure source secret binary protocols that may have back-doors, and without having network control points of any kind that can be exploited or abused by external parties. By doing so as a self organizing meshed calling network, we further eliminate potential service control points such as through explicit routing peers even if networks are isolated in civil emergencies.

More (quite a bit more, actually!) on the official announcement page.

Christopher Boyd (Thanks Alex)

Profile Watch pops surveys on Facebook

It looks like we have yet another facebook profile tracker doing the rounds, this time called “Profile Watch” (how original).

Visiting any of the links currently being spammed results in websites such as the one below promising to tell you who keeps checking out your profile:

As usual, it’s all total nonsense – they just want you to fill in surveys and generate some affiliate cash. If you want, you can install the related App and go spamming walls:

Of course, it’s probably better if you don’t do that.

Some of the stats make for depressing viewing:

164,431 clicks with the bulk coming from the UK and the US. Check out the day by day clicks, where this particular site is pulling in close to fifty thousand clicks per day from the 27th to the 29th of March. I wonder how many of those went ahead and filled in a survey?

I know there’s certainly a lot of people spamming walls with the promotional text (do a search for “WH0 CHECKS YOUR PR0FILE” on one of the many Facebook search engines and watch how many results come flying back at you). There’s a number of URLs involved, including 5d(dot)thehabsurs(dot)info, fbprofilespynow(dot)info and jilba1(dot)info.

Don’t bother going anywhere near this one.

Christopher Boyd (Thanks to Wendy and Matthew).

“Endeavor to CC every message to our alternate email address”

Thanks to the person who sent this over but wishes to remain anonymous – appreciated!

Below, we have a rather interesting twist on the 419 scam mail (and of course, it’s related to the Japanese Earthquake / Tsunami). They don’t ask you to jump onto a phish page and sign your life away – instead, they ask you to send your information to the actual Red Cross but also ask you to CC whatever you send to their alternate scam email address.

Seeing as how the Red Cross will probably take a while to get back to you while in the middle of dealing with the Japanese disaster relief, by the time they’re asking you why you sent them endless emails involving Western Union money transfers, the 419 scammer has probably cleaned out your bank account.

Here comes the mail, with important bits highlighted in bold:

From: British Red Cross(Donation Board) [mailto:relieffortsATredcross.org.uk]
Subject: Donate to Japan Tsunami Relief Efforts

British Red Cross

Japan Tsunami Appeal

British Red Cross

44 Moorfields

London

EC2Y 9AL

The massive earthquake and resulting tsunami that struck Japan on 11
March have caused widespread destruction and suffering, relayed on
television screens around the world.

More than 4,300 people have died in the disaster, thousands are
injured or missing, and more than 440,000 people have had to leave
their homes.

The British Red Cross has already deployed 11 disaster-response teams
with medical personnel providing medication, food items, blankets,
clothing and many more relief assistance to the Tsunami victims in
Japan.

Similar to its efforts in the aftermath of the Haiti Earthquake, the
Red Cross is accepting donations online.

We hereby appeal to you individuals, public, families and companies,
to assist us with an online fund raising to enable us treat and render
our services to over one million people affected with the tsunami
disaster across Japan.

Help give shelter to the homeless in Japan, treatment to the injured,
cloths, food items, blankets and many more to the needy here in Japan.
No amount of donation is small; send us your donation in London, UK
through Western Union Money Transfer for amounts less than $10,000 USD
and for amounts above the $10,000 USD, on your request account details
shall be provided.

If you cannot assist us financially, you can also help by forwarding
this message to all your friends and contacts.

We will have the names of our donors appeared in our relief magazines
and websites on their approval while there will be space for photos,
names and business adverts for company donors in our
magazines/websites on their approval.

Donations should be made via any of the following means;

– Western Union Money Transfer

– Direct deposit into Correspondent Bank Account (For donations above
$10,000 USD)

We shall provide you with our payment details and directives upon the
confirmation of your desired means.

Kindly send us your Names and Phone Number so we can reach you for
further information on how to assist the needy in Japan.

Note: Whenever you send us an email, endeavor to CC every message to
our alternate email address: uk.redcross@blumail.org in any case our
spam filters reject your messages.

Sincerely,

British Red Cross
Email: relieffortsATredcross.org.uk
Alternate: uk.redcrossATblumail.org

Pretty clever. As always, don’t reply to blind mailshots asking for your information even when it appears to be totally legitimate.

Christopher Boyd

“Japan Earthquake Relief” and “Young girl commits suicide” Facebook apps

Below we have a rather fetching page located at helpjapan(dot)co(dot)tv:

“Japan Earthquake Relief: Help raise money for disaster relief in Japan with a few clicks of your mouse”.

That’s great, except hitting the Connect with Facebook button reveals an app called “your age pic” located at apps(dot)facebook(dot)com/youwilllooklike – at least, it would if it wasn’t currently offline due to an “issue with its third party developer”.

Check out the reviews, which mention friend spamming. Here’s someone having problems with rapid fire messages being sent out.

The message posted to Facebook pages looks like this:

“YOUR 1 click = $0.5 for Japan Relief Fund !!  Guys ! Japan needs ur help real bad !! People are suffering,lost their homes,friends,family and more  Please Support the earthquake victims @ helpjapan(dot)co(dot)tv/”

There’s quite a few of those knocking around in public Facebook searches right now. Given that the whois info for the website looks fake (“the almsn ddsfg Afghanistan”?) and it is hosted alongside what look like Call of Duty Facebook scam sites, I doubt we’ll be seeing this app reactivated.

Below, you can see a continuation of the popular “girl commits suicide on cam” scam, sitting on a Facebook app page located at apps(dot)facebook(dot)com/hollevideo.

The app for this one is currently offline, but alongside the surveys and profile editor pages you could also allow the app to “access your basic info, post to your wall and access your data anytime”.

You know, if you really wanted to…

Christopher Boyd (Thanks to Wendy for the webcam app link)

Tsunami “donation” websites losing their funding

I guess people are reporting many Japan disaster donation websites to Paypal, because we’re seeing a lot of sites with their payment screens disabled, blocked or just plain fired into the heart of the Sun. Here’s a fresh one on Myspace (you remember Myspace, right?) with Red Cross imagery and the ever-present donate button:

Try to reach the payment screen, and you’ll see this:

Here’s another one that was lurking under a .tk “Red Cross” URL, promoted heavily on video sharing websites:

The payment screen for that one was a Romanian Paypal account screen tied to a ymail (Yahoo) Email address. At time of writing, that has also been disabled. Note that people are apparently leaving real Facebook comments, and it has 80+ likes. I wonder how many gave money?

The one below – located at helpdonatejapan(dot)com – was taken offline sometime last night from the looks of it. Once again, it’s a “nonprofit organization” with no credentials on display and a lot of “donate now” buttons everywhere. They claim they’ll send people who donate a “Make a change” bracelet – nice of them.

Payment screen:

We’re also seeing cut and paste profiles popping up on sites such as Netlog. Here’s a couple:

All of these profiles are clearly made by the same person, yet they all sport different information (one is female, two are male, they’re all different ages yet all three were supposedly born on the 19th of March).

There are no donation buttons yet but it does seem rather peculiar, doesn’t it?

As always, if you want to make a donation you should go here.

Christopher Boyd (thanks to Steven for sending over the helpdonatejapan website!)

Rogue AV shows up in Easter Card searches

Looks like they’re starting early with these scams, seeing as Easter isn’t until April 24th.

Patrick Jordan came across some dubious links while digging around for printable Easter Cards on .pl domains. These redirect links are lurking at the top of search results, and there seem to be quite a few URLs involved.

In the above examples, end-users would hit one of the “it’s a trap” landing pages, then be redirected to sites pushing the System Defender rogue.

Cue Patrick:

“1. Site/url changes almost every 24 to 48 hours.
2. Can make only one run as it then rotates to ad site for 24 hours unless you change your IP.
3. Also, for the last two site/urls they are in the #1 position in the Google results”

If you accidentally hit one of these scam sites, don’t panic and DON’T open up any executable files presented in the middle of an entirely fake system scan. Just close the prompt, leave the site (shut down your browser with CTRL+ALT+DEL if you have to) and walk away – whistling optional.

Christopher Boyd (Thanks Patrick)

“Help us escape Japan” scam mail

Here’s a freshly minted scam mail doing the rounds – this time, claiming to be a victim trying to escape Japan and needing a cool $1,600 to do it.

From: jamainelecottATyahoo.com
Subject: Please Help Life, From Jamaine Lecott

Hello Dear Friend

My Name is Jamaine Lecott

i am in hurry writing you this message and i hope you get it on time, there was very hard quake here in my country northeastern coast in japan. It has been a very sad and bad moment for me and my family here, the present condition that we found myself is very hard for me to explain.i want us to be out of the country immediately i am asking for help of ($1,600 ) only to raise our ticket charge and some other expenses to leave here I will appreciate whatever you can afford to assist me and my family so that we can have food and eat to be out of the country i will be very happy for that , we lost every thing we have Please send the money via Western Union money transfer channel because that is the only way we could be able to get the money fast and leave. which country are you transferring the money from please help us with thanks GOD will help you also and bless you…

ADDRESS.NO A14 Tokyo. northeastern coast japan
My Honest Regard,
Jamaine Lecott

Needless to say, you should not get involved in this.

Christopher Boyd

His fake AV phonecall tactics need a little work…

There’s falling on your sword, and there’s using Skype to call security researcher Adam Thomas then trying to sell him some fake AV.

This is an example of the latter.

The site involved was sosdl(dot)com (currently offline) and here’s a screenshot:

The payment account is still live:

Not sure I’d pay $19.95 for “instant repair”, but I’m sure somebody will find it tempting.

Read more about the fun people are having with rogue AV phonecalls over on the Brian Krebs blog, and keep an eye out for random URLs being thrown around Skype with “sos” in them.

Christopher Boyd (Thanks Adam).

A Japan themed 419 scam…

Thanks to thenext50k for sending this over.

From: “Paul Anderson”
Date: Thu, 17 Mar 2011 20:33:07 +0100

Subject: Urgent response as regards the Japan Earthquake, Tsunami
Private and Confidential

Firstly, I apologize for sending you this sensitive information via e-mail instead of a Certified mail/Post-mail. This is due to the urgency and importance of the information. This project is based on trust, confidentiality and sincerity of purpose in order to have an acceptable meeting of the minds. I am the account manager of Unity Bank Nigeria, West Africa with branches all over the world and almost in all parts of Asia. My name is Paul Anderson and I work both as an auditor and a consultant with the bank.

11 years ago, an expatriate, a Japanese from Tokyo Japan whom was also a client of the bank I work for successfully invested the sum of $26.2M USD with the bank I work for. On routine audit check I discovered that this investment account have remained dormant for some years. An investigation regarding the status of the account was carried out. However, during the course of the investigation, it was then revealed that the account holder (Expatriate and Investor) died in the Tsunami Earthquake disaster which took place on March 16, 2011 while on vacation. It was also discovered that the late client died intestate (died without a valid will) as he has no relation that knows about this deposit. Until his sudden demise, He was not married and was 44 years old.

NOW THE CRUX OF THIS E-LETTER is that banking regulation/legislation in Nigeria, demand that I notify the fiscal authorities after a statutory time period when dormant accounts of this type are called in by the monetary regulatory bodies. If no beneficiary to the investment account is presented as the late client’s next of kin within the next 14 official working days so that He or She can be paid the outstanding USD 26.2 Million dollars, the funds/payment will be diverted to the government coffers account as unclaimed bill and it may surprise you to know that funds of this nature are usually embezzled and diverted by corrupt government officials into their pockets to be used for their own selfish gains The above set of facts underscores my reason of writing and making this proposal.

Since we have been unsuccessful in locating any of his relatives, I decided to contact you for a deal so that we can work together as a team to remit the money to your account as my client next of kin since I do not want to sit and watch my client’s hard earned entitlement to go astray, it will be easy for us to achieve because you are of the same name like him. Although I know that a transaction of this magnitude might make anyone apprehensive but I would like to assure you that I am proposing this project to you with the best of intentions.
All I require from you is your honest co-operation to enable us seal this deal through. I guarantee that this transaction will be executed under a Legitimate banking arrangement that will protect you from any breach of law. Upon successful conclusion of this project, you will be compensated with 40% of the total fund, while 60% will be for me.

If you are interested to work with me in this deal of mutual benefit, kindly reply strictly to my personal Email: stating your full names, telephone, fax and mobile numbers for effective communication and oral clarification on how to proceed next, postal address, occupation and position held, scanned photocopy of your identification in the form of international passport or driver’s license or other to enable us prepare all necessary bank papers to effect the quick release of the funds into your nominated bank account.

Sincerely yours,

Paul Anderson.
 
I’m struggling to think if there’s any kind of scam left untouched where the Japan quake / Tsunami is concerned.

Christopher Boyd

Tips for avoiding the endless Japan disaster scams

As you may have noticed from the odd blog post here and there, scammers are firmly on the “exploit the Japanese disaster” bandwagon and anything is a target for them at this point. It’s becoming a little overwhelming to keep up with the posts I’m seeing across the security blogs as more scams come to light (I’ve made six posts myself today alone, not including this one), so I thought it might be useful to throw together a short reference post with examples of the dubious techniques being used and how to avoid falling victim. If you think you have family members who may click on things or donate to sites they probably shouldn’t, consider gently pointing them in this direction.

1) Spambots. Keywords on Twitter, trending topics and anything else remotely newsworthy are instant green light signals for bots to bug you endlessly with links to websites such as this:

While some of it is relatively harmless (such as spamming junk links to eBooks, although it certainly wouldn’t be “harmless” to anybody directly affected by the quake receiving such a crass message) there’s plenty of bad things that come from twitter spam. Fake antivirus spam comes and goes on Twitter, but there are also fake Twitter notifications arriving in mailboxes too (scroll down).

Random links from random people in relation to any disaster should always be treated with caution.

2) Fake videos.
The poster boy of malicious websites everywhere, these are perfect bait for users wanting to get a quick fix. Invariably, they’ll pop a prompt or (worse) an installer the moment the user clicks on the “video” – the payload could be anything from random malware to fake antivirus. If it looks a bit like Youtube and you’re being asked to install things, run away. If it pops a survey, run away. The content was not (and never will be) there.

Clickjacking / facebook type scams are also popular where fake videos are concerned. If the content of a Facebook post sounds a bit salacious or beyond the limit of what your workplace AUP would allow, that’s probably because it’s a fakeout designed to get you clicking. The whale scam is a popular one – there are many more out there.

3) Emails and donation websites.

You can safely file unsolicited emails in the junk pile, every single time. It doesn’t matter who they claim to be, ignore it. Websites are a touch more problematic – while there are many legit grass roots efforts popping up on genuine facebook pages, the growing collection of what I like to call “completely random websites” are muddying the waters in spectacular fashion. Remember: anybody can set up a .com, .org, .net – even a .jp. It doesn’t mean the website sporting a Red Cross is any more genuine. There are many 419 mails zinging around related to the disaster, too – examples here and here.

There are a number of genuine donation effort sites listed here, and failing that you can always just go to the Google Crisis Response Page and donate safely. The good news is that many of the more dubious donation sites are having their payment methods switched off.

4) Blackhat SEO poisoning.

Dubious links pointing to fake AV will continue to be an issue for anyone looking at disaster related information, as we can see here, there and everywhere. Of course, there are steps you can take to avoid an unwelcome guest on your desktop. If you get redirected to a fake AV website, more often than not you’re perfectly fine unless you agree to download the installer, double click it, allow it to run and so on. Denying the download will work wonders. If there’s no download but they’ve locked up your browser, CTRL+ALT+DEL or (failing that) ALT+F4 will also be your best friend in these situations.

Additionally, don’t go clicking on random websites with names like “Celebrities with diseases” (see the above screenshot) because you’re pretty much asking for trouble. Stick to legit news websites in the various news portals of search engines such as news.google.com.

Oh, and install AdBlock Plus and / or NoScript too, assuming you use a browser that’s compatible. AdBlock Plus will strip all the adverts from a website, meaning your chances of being hit by a rogue ad banner served on a reputable website are somewhere between zero and zero. NoScript does exactly what it says on the tin, and allows you to control / remove script from websites in a very flexible fashion.

Unfortunately, this is going to keep rolling – in the last hour or so, Dave Marcus of McAfee fame mentioned Fukushima satellite imagery malware doing the rounds. Be careful!

Christopher Boyd

ICRC Japan donation scam mails

The scammers are in full swing now, aren’t they?

Thanks to Mister U, thenext50k and others for sending over various pieces of spam mail that Twitter users are reporting seeing arrive in their mailboxes.

The example mail above claims to be from “ICRC Basedhelping Foundation” and is unsurprisingly asking for Japan relief donations. They’ve provided bank details so you can send them money from both inside and outside Europe (nice of them), and these unsolicited mails should be dumped into your spam folder as quickly as your fingers will allow.

Christopher Boyd

.tk URLs offering surveys, installs and fake Tsunami footage

Someone is really having fun cutting and pasting these around the internet. More fake Japan videos using the familiar imitation Youtube page:

There are many sites popping these right now, all of which offer “Age verification” via filling in surveys, installing software or trying out profile changers, ringtones and other content, depending on what list of links is being served by the verification box when you hit them.

I particularly like the IQ test which involves sending them your mobile number and paying $10 a month to sign up to who knows what.

URLs to avoid:

awoob(dot)tk
bwoob(dot)tk
cwoob(dot)tk
dwoob(dot)tk
ewoob(dot)tk
gwoob(dot)tk
hwoob(dot)tk
iwoob(dot)tk
jwoob(dot)tk

Christopher Boyd (Thanks to Wendy for additional research).

Rogue AV results lurk in contamination comparison searches

According to Wikipedia and a bunch of other unverifiable sources I can’t remember the name of, the amount of radiation contamination when Chernobyl exploded was approximately 400 times that of the radiation contamination at Hiroshima.

As you’d imagine, the range and power of any potential meltdown is a bit of a hot topic and search engine poisoners are going to have a field day with users searching for information related to that one.

I asked a random person in my hotel (no really) to go looking for information related to radiation levels after telling them lots of things about contamination level comparisons. Sure enough, they came back with “Chernobyl radiation 400 times Hiroshima” and on the very first page in Google, there’s a website called celebrities-with-diseases(dot)com. The title is pure clickbait: “Americans shouldn’t fear radiation sickness from Fukushima”.

Hitting that link does something you’ve seen a million times or more by now:

Fake warnings, fake scans, a file offered up for download.

As always, remain vigilant and ensure you’re getting your information from trusted sources – you can guarantee “Celebrities with Diseases” won’t be showing up in Google News anytime soon.

Christopher Boyd

Japan “Miracle Stories” scams on Youtube…

Serving up a healthy dose of proof positive that you should, perhaps, obtain your news from somewhere other than random uploads on a video sharing website, here are a number of uploads that look like this:

These are videos claiming to show various “miracle escapes” from the destruction wrought by the Earthquake and Tsunami. While this is a nice human interest angle (and actual news sites are currently full of “Miracle escape” articles, which is clearly a big hook for readers) the only actual human interest is that of the video uploader wanting to make some money. Both Blogspot sites listed (latestupdatedailynews(dot)blogspot(dot)com and jhonsryo(dot)blogspot(dot)com) take the end-user to wonderfully inappropriate survey questions, complete with smiley face.

The other two sites – lossifnotsee(dot)com and flashvideonews(dot)com – both launch installer prompts for Hotbar, along with a few pieces of pre-ticked software including ShopperReports and Blinkx Beat.

Not quite the “Miracle Stories” I was expecting. As with most Youtube scam clips, you’ll know something is not quite right whenever you see one of those “We can’t play the video here due to copyright reasons, visit our website instead”. Don’t bother.

Christopher Boyd

“Save Japan” websites: be careful

“Is this legit”?

Good question. Everybody wants to help Japan right now, but as you can imagine scammers are out in force. It’s hard for people to tell what’s real and what’s a fakeout, so we’re going to take a look at the site mentioned above. It’s called helpjapan(dot)jp, and looks like this:

As you can see, it sports a version of the Japanese Red Cross Society logo, but doesn’t carry any of the copyright notices, information or contact details of the real thing. Notice that the real thing has a very specific way of accepting donations, unlike the above site which is asking for Paypal and Alertpay donations (the Japanese Red Cross society also accepts payment via Google Checkout, through this page – and the details listed there don’t appear anywhere on this particular site at payment or elsewhere either).

The Paypal link takes you to a German language donation page:

A site sporting Japanese Red Cross logos yet asking for Paypal donations is very curious, because as this news article from yesterday mentions, the Japanese Red Cross Society DO NOT accept Paypal at this moment in time – yet strangely, we have a site here claiming otherwise.

The Alertpay page gives us this:

At the top, you can see the payment system is being used by someone called “Cassidy Mozes”. The savejapan.jp domain was registered on the 12th of March:

The address listed above isn’t the address of the Japanese Red Cross, and the closest location I can find from the Whois above appears to be a vintage record collector. Additionally, the only reference to the above email address seems to be here, on a pay to click forum.

Is this legit? Well, it doesn’t seem to be registered to the Japanese Red Cross, sports no official information, has a collection of “news articles” that are simply links from a feed, accepts Paypal donations under a Red Cross banner which the legitimate URL doesn’t process yet, seems to indicate that 60,000 people have donated more than three million dollars via the site (which is clearly impossible) and doesn’t have any links in search engines or elsewhere confirming reliability.

We’ve contacted the Japanese Red Cross to see if they know anything about this, and will update when we hear back. In the meantime, just be aware that there are plenty of scams which are strikingly similar to the above example from Symantec (that one sports an American Red Cross badge – it’s almost like there’s a pattern forming), and while I’d hate to steer people away from a genuine donation site, I’d strongly advise to only give money through tried and tested channels.

You’re risking throwing money into the void otherwise, and that certainly isn’t going to help anybody in Japan.

Christopher Boyd

Spambots promote Radiation Health Guides on Twitter

It seems discussing the rather grim situation in Japan has inevitably resulted in tasteless spambots primed to sniff out mentions of said disaster.

The links being spammed lead to a site called radiationhealth(dot)com, which was apparently only registered today and is promoting an eBook. Because as we all know, an eBook is the first thing you’ll reach for during a nuclear emergency.

The eBook costs $19.95, and the payment page mentions leansecret(dot)com as being the individuals you’d be giving your money to. That site has been around since January, but currently has no content other than a landing page and uses the same Whois privacy service as the site promoting “Radiation health” eBooks.
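The posts above judge these sites largely from their WHOIS data: savejapan.jp registered the day after the quake under a name that is not the charity it imitates, radiationhealth(dot)com registered the same day the spam ran, and leansecret(dot)com tied to it only through a shared privacy service. The following is an added example, not code from the original posts, that turns those three observations into a small triage routine: it parses a simplified key/value WHOIS dump, then flags very recent registration, a registrant that does not match the organisation the site claims to be, and a contact address already seen on other flagged domains. The WHOIS records, domain names, contact addresses and the reference date are all constructed samples; the field names follow common registrar output but are an assumption.

```python
from dataclasses import dataclass
from datetime import date
import re


@dataclass
class WhoisRecord:
    domain: str
    created: date
    registrant_org: str
    registrant_email: str


# Matches the YYYY-MM-DD prefix of an ISO-style creation timestamp.
DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def parse_whois(text: str) -> WhoisRecord:
    """Parse a simplified 'Key: value' WHOIS dump (assumed format) into a record.
    Keys are matched case-insensitively; absent keys become empty strings."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        fields[key.strip().lower()] = value.strip()
    m = DATE_RE.search(fields.get("creation date", ""))
    if not m:
        raise ValueError("no creation date in WHOIS for %r" % fields.get("domain name"))
    created = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return WhoisRecord(
        domain=fields.get("domain name", "").lower(),
        created=created,
        registrant_org=fields.get("registrant organization", ""),
        registrant_email=fields.get("registrant email", "").lower(),
    )


def triage(rec: WhoisRecord, today: date, claimed_org: str,
           known_suspect_emails: set, max_age_days: int = 30) -> list:
    """Return human-readable indicators for a site; an empty list means nothing flagged."""
    flags = []
    age_days = (today - rec.created).days
    if age_days <= max_age_days:
        flags.append("registered %d day(s) ago" % age_days)
    if claimed_org and claimed_org.lower() not in rec.registrant_org.lower():
        flags.append("registrant %r does not match claimed organisation %r"
                     % (rec.registrant_org or "<none>", claimed_org))
    if rec.registrant_email in known_suspect_emails:
        flags.append("contact %s already seen on other flagged domains" % rec.registrant_email)
    return flags


# Constructed sample records (placeholder .test domains, not the sites in the posts).
SAMPLE_SUSPECT = """\
Domain Name: RELIEF-DONATIONS-EXAMPLE.TEST
Creation Date: 2011-03-12T09:14:00Z
Registrant Organization: Private Person
Registrant Email: contact@privacy-proxy.example
"""

SAMPLE_LEGIT = """\
Domain Name: REDCROSS-EXAMPLE.TEST
Creation Date: 2005-01-10T00:00:00Z
Registrant Organization: Japanese Red Cross Society
Registrant Email: admin@redcross-example.test
"""

# Constructed reference date for the demo, a few days after the quake.
TODAY = date(2011, 3, 15)


def run_demo() -> dict:
    """Triage both samples against the organisation each claims to be.
    The privacy-proxy contact is pre-seeded as one seen on an earlier flagged domain."""
    seen = {"contact@privacy-proxy.example"}
    results = {}
    for raw in (SAMPLE_SUSPECT, SAMPLE_LEGIT):
        rec = parse_whois(raw)
        results[rec.domain] = triage(rec, TODAY, "Japanese Red Cross", seen)
    return results


if __name__ == "__main__":
    for domain, flags in run_demo().items():
        print(domain, "->", flags or "no indicators")
```

None of these indicators is proof on its own (a real charity can register a new domain during a disaster), which is why the routine returns the list of reasons rather than a verdict; the point is that the checks the posts do by hand are cheap to run over every donation or "news" domain seen in mail and social feeds.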

I can’t see this being very popular, unless you count having all of your Twitter spambots blocked and reported for spam as a measure of popularity.

Christopher Boyd

Steer clear of “Profile Update” Facebook application

Let’s take a look at the latest in a long line of fake stalker apps on Facebook.

This one is called “Profile Update”, and makes a number of claims about tracking visitors while changing your profile background. “Change your background and see your stalkers”, they claim – installing their update will supposedly let you see who is stalking you.

If you agree to their terms of service (which are rather long and mention Singapore as being the base of operations for this one) you’ll be prompted to install the rogue application when logging in, giving access to your basic information, granting wall posting rights and letting it “access your data anytime”.

You’ll also be prompted to fill in the inevitable survey, which randomly decides to talk about “Profile Peekers 2.0” instead of “Profile Update”. It’s almost like they’re making it up as they go along.

While you’re busy signing your life away to coupons, fruit snack offers and fabric conditioner trials your wall will start to look like this:

Before the police come and take me away for questioning, I should mention that some of the URLs involved are foksrox21(dot)info and wurstbrota(dot)info. Please don’t be fooled by these stalker apps – scams such as these have been around since the days of Myspace, and they didn’t work then either. Wurstbrota is still live, but the foxrox URL currently redirects to a Formspring page. The rogue application seems to be currently unavailable too, so hopefully this is in the process of being shut down.

Christopher Boyd

Another “Whale smashes into building” Tsunami scam on Facebook

It’s rather depressing (if predictable) that scammers would attempt to profit from the seemingly endless series of disasters currently taking place in Japan. Here’s another take on the “Whale crashes into building” fakeout previously covered by Sophos here.

This time around, the URL is japan-tsunami-whale(dot)info, and it looks like this when spreading on the walls of Facebook users:

Here is the site promoting the (fake) “graphic video”:

As you can see above, the cut and paste template says “FB Video” instead of the now familiar “FouTube” but rest assured it’s a scam all the same. The site was registered yesterday to one “mark van dam” in Switzerland, and will ask you to compare auto insurers or play frogger to see the content.

There are no words…

Christopher Boyd (Thanks to Matthew for sending this over).

Network Crime Ransomware on the line: “Please pay up”

Ransomware that demands money so you can access your files is a popular tactic, and here we have another example of this extremely shady practice.

The end-user is presented with a fake warning message from theflowerzf(dot)info, using browser specific messaging that’s recently become popular.

“Install the update for Internet Explorer”, they say. What they don’t tell you is that this IE upgrade will lock you out of your PC with the following horror-story message:

Yes, things are generally looking pretty bad when yellow police tape has been stuck to your monitor. The victim is told they have committed network crime, that 19 files have been found related to “unlicensed software, movies and music” and “materials with pornographic content (including homosexual content pornography)”, and that these will serve as material evidence in court.

They’re given twenty-four hours to do something about it, lest their information be sent to a police department and all content on the PC be blocked until arrest.

Charming.

This is how they want the victim to get out of the situation:

The unfortunate individual has to phone one of the numbers listed to obtain an activation key, then punch it into the spaces at the bottom of the screen. As you might imagine, this is going to cost some money (and I’m not sure I’d trust the price listed…or even if they’ll give control of the PC back once the cash has changed hands).

We detect this as Win32.Malware!Drop. Thanks to Patrick for finding this one.

Christopher Boyd