Search This Blog

Saturday, February 16, 2013

Ured Za Posebne Poslove Sigurnosti virus

Ured Za Posebne Poslove Sigurnosti’ warning is not associated with the Police of Croatia and its Ministarstvo unutarnjih poslova Republike Hrvatske. Instead, this is a brand new ransomware program that strikes many computers in Croatia today. This ransomware locker belongs to the Urausy virus family and is very dangerous and hazardous. It locks computer’s desktop with its own scary background, supposedly coming from Ministarstvo unutarnjih poslova Republike Hrvatske. The locker has in mind to scare users into believing that they’ve done something illegal while using their workstations. Here is what the text of the ransomware’s message says in Croatian:

Ministarstvo unutarnjih poslova Republike Hrvatske
Ured Za Posebne Poslove Sigurnosti
Zapovjedništvo specijalne policije
PAŽNJA! Vaš kompjuter je blokiran zbog barem jednoga od razloga navedenog u nastavku.
Tu su kršenja «autorskom pravu i srodnim pravima u području prava« (video, glazba, softver) i protuzakonito korištenje ili distribuiranje sadržaja zaštićenih autorskim pravima, čime se krši članak 128. Krivičnog Zakona Republike Hrvatske.
Članak 128. Krivičnog Zakona predviđa novčane kazne od 200 do 500 minimalnih mjesečnih plaća ili oduzimanjem slobode od 2 do 8 godina.
Gledanje ili distribuiranje pornografskog sadržaja je zabranjeno (Dječja pornografija/Zoofilija i tako slično). Tako se krši članak 202 Krivičnog Zakona Republike Hrvatske.
Članak 202. Krivičnog Zakona predviđa oduzimanje slobode od 4 do 12 godina.
Ilegalni pristup kompjuterskih podataka je pokrenut sa kompjutera ili ste pokrenuli...
Članak 208. Krivičnog Zakona predviđa novčanu kaznu do HRK 100.000 ili oduzimanjem slobode od 4 do 9 godina.
Ilegalni pristup je pokrenut sa kompjutera bez vašeg znanja ili pristanka, vas kompjuter može biti zaražen zlonamjeran softverom, tako da se krši Zakon o nemarnom korištenju osobnog kompjutera.
Članak 210. Krivičnog zakona predviđa novčane kazne od HRK 2.000 do HRK 8.000.
Spam ili drugo širenje ilegalne reklame bilo je učinjeno sa vašeg kompjutera sa ciljem dobitka ili bez vašeg znanja, vaš kompjuter može biti zaražen štetnim programima.
Članak 212. Krivičnog Zakona predviđa novčanu kaznu do HRK 250.000 i oduzimanje slobode do 6 godina. U slučaju da je ova aktivnost izvršena bez vašeg znanja, što potpada pod spomenutom člankom 210. Krivičnog Zakona Republike Hrvatske.
Vaša osobnost i adresa trenutno identificirani, kažnjeni postupak će se pokrenuti protiv vas od jedan ili više navedenih gore članaka u narednih 72 sati.
Temeljem izmjena i dopuna Krivičnog Zakona Republike Hrvatske od 04. veljače 2013 je kršenje zakona (ako se ne ponovi- prvi put) može se smatrati uvjetno u slučaju ako se plati novčana kazna državi.
Kazne mogu biti plaćeni u roku od 72 sati nakon povrede. Čim 72 sati protekne, mogućnost platiti kaznu istekne, a kazneni postupak protiv vas automatski se pokreće u narednih 72 sati
.

As you see, the text of accusation is quite scary. The locker says that users were traced of watching a lot of explicit sinful content on the Web, downloading illegal copies of software, audio and video files with violation of copyrights of their owners, sending massive unsolicited spam and performing a lot of other illegal activites. This virus also uses the logo of EC3 Europol, however, it is not associated with Europol agency at all. The reason why this logo is used is because Croatia is to become the member of the European Union as of July 01, 2013. Before we didn't see any ransomware locker that would be targeting Croatia in particular. So far, this is the first version of this country-based locker developed by the pack of cyber frauds.

The mission of online hackers is to earn money with unfair methods. Speaking about this particular ransomware locker, they plan to convince users to pay the fine (ransom) supposedly in favor of the Croatian budget. But the thing is that money doesn't go into the state treasurey. The funds go directly into the pockets of the crooks. So, don't ever pay any money via Ukash or Paysafecard payment systems as instructed by this malware. Doing so is a serious mistake! Instead, please follow the malware removal guidelines outlined below.

Screenshot of Ured Za Posebne Poslove Sigurnosti virus:

Automatic removal solution (recommended):

  1. Go to your friend, relative or anybody else who has computer with Internet connection.
  2. Take your USB flash drive / Memory Stick with you.
  3. Download GridinSoft Trojan Killer installation file from this site http://trojan-killer.net/download.php and save it to your USB flash drive / Memory Stick.
  4. Get back to your infected PC and insert the USB Drive / Memory Stick into the respective USB slot.
  5. Perform hard reset (press reset button on your computer) if your infected PC has been on with ransomware's background. If not, then simply turn your PC on.
  6. Before the very boot process begins keep repeatedly hitting “F8” button on your keyboard.
  7. In the window that appeared select “Safe mode with command prompt” option and press Enter.
  8. Choose your operating system and user account which was infected with ransomware virus.
  9. In the cmd.exe window type “explorer” and press “Enter” button on your keyboard.
  10. Select “My Computer” and choose your USB flash drive / Memory Stick.
  11. Run the installation file of GridinSoft Trojan Killer. Install the program and run scan with it. (update of the program will not work for “Safe mode with command prompt” option)
  12. When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer you may close GridinSoft Trojan Killer application.
  13. In the cmd.exe window type “shutdown /r /t 0” and press “Enter” button on your keyboard.
  14. Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took pace.
  15. However, it is recommended that you now update GridinSoft Trojan Killer and run the scan with it again to remove the source of the infections causing ransomware to infect your PC.

Automatic removal video:

Ransomware manual removal milestones (optional and might not be effective):

  1. Restart your system into "Safe Mode with Command Prompt". While the PC is booting press the "F8 key" continuously, which should present the "Windows Advanced Options Menu" as presented in the image below. Apply the arrow keys in order to move to "Safe Mode with Command Prompt" and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.
  2. Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word "explorer", and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.
  3. Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word "regedit" and hit Enter button of your keyboard. The Registry Editor should open.
  4. Find the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ In the right-side panel select the registry entry named Shell. Right click on this registry key and select "Modify" option. Its default value should be "Explorer.exe". However, ransomware did its job, and so after you click "Modify" you would see totally different value of this registry entry.
  5. Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of ransomware is located.
  6. Modify the value of the registry entry back to "explorer.exe" and save the settings of the Registry Editor.
  7. Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step. In our case, ransomware's virus file was located and running from the Desktop. There was a file called "contacts.exe", but it may have different (random) name.
  8. Get back to "Normal Mode". In order to reboot your PC, when at the command prompt, type-in the following phrase "shutdown /r /t 0" (without the quotation marks) and hit Enter button.
  9. The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer downloadable through the button below.

Manual removal video:

Associated virus files to be removed:

[random].exe

Associated virus registry entries to be removed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[random].exe"

No comments:

Post a Comment