14/12/2011 18:22

Trojan.Win32.FakeGdF.A


A virus that impersonates the Italian government agency "Guardia di Finanza": it blocks the PC and demands a 100€ ransom.

Description

Trojan.Win32.FakeGdF.A is malware that blocks the PC entirely and then loads a Russian website (hxxp://83.69.236.38), which displays the following fake notification from "Guardia di Finanza":


This website occupies the entire screen and does not permit any interaction with the computer. The only thing the user can do is enter payment PIN codes for the Ukash or Paysafecard circuits or, alternatively, send an e-mail to "deposito@cyber-gdf.net".
The Russian website shows Guardia di Finanza's logo and notifies the user that illegal operations have been carried out from his PC, such as:
  • Downloading child pornography
  • Sending "terrorist" spam
At this point the PC is blocked, and to restore it the website demands a 100€ fine paid through the Ukash or Paysafecard circuits.
The page shows payment instructions for the two payment systems; if the payment returns an error, the malware site recommends sending an e-mail with the PIN codes to deposito@cyber-gdf.net.

Naturally, the fine is just a pretext to steal money from the user, and all statements and information shown on the website are false and fraudulent. In these cases you should not pay any amount of money.
Clearly, no law enforcement agency, Guardia di Finanza included, would ever demand payment of a fine by blocking the PC; that would be completely illegal. If the user enters codes into the forms, no web page is shown and no action is taken to unlock the computer: the money paid simply goes to the thieves, and the computer stays in the same situation as before.

The component responsible for blocking the computer is Trojan.Win32.FakeGdF.A, which copies itself with the name WPBT0.DLL into the Temp folder under Local Settings:
%user%\IMPOSTAZIONI LOCALI\TEMP\WPBT0.DLL

File Name: WPBT0.DLL
Size: 174592 bytes
MD5: 37f939b59edce18204f3db1fc18e79ff
Compressed file: UPX
File Time Stamp: 17/07/2011 21.58.49
Autorun key: from the Start Menu (%user%\Menu Avvio\Programmi\Esecuzione automatica\wpbt0.dll.lnk, i.e. Start Menu\Programs\StartUp on an English Windows installation)



To be executed at startup, Trojan.Win32.FakeGdF.A creates the file wpbt0.dll.lnk in the StartUp folder of the Windows Start Menu. wpbt0.dll.lnk then runs Rundll32.exe to load the malware's DLL:

C:\WINDOWS\SYSTEM32\RUNDLL32.EXE %user%\IMPOST~1\TEMP\WPBT0.DLL,SUPPS

It is worth noting that the timestamp reports 17 July 2011 as the time at which the virus was compiled.

After unpacking wpbt0.dll, we can retrieve the following information from its resources:

  • Dialog boxes (10 dialog boxes)
  • AVI (967 bytes, not working)
  • Version

File version:

CompanyName: Packard Bell BV
FileDescription: Creek Two Chasm Coven Braid Fluid
FileVersion: 9.10
InternalName: Tamer Hunk Molly Vital Migs Hula
LegalCopyright: Jamb Flank Well Stacy 2001-2008
OriginalFilename: Curve.exe
ProductName: Oars Axiom Coos Foamy Rack
ProductVersion: 9.10

The project name is Sleds.dll.

New variants of Trojan.Win32.FakeGdF that use random names have been discovered; they name the file as follows:

0.[random name].exe

Here are some examples:

  • 0.8255788870080162.exe
  • 0.08359725163032683.exe

Trojan.Win32.FakeGdF.A removal:

Reboot the computer into Safe Mode with Networking (press F8 repeatedly before Windows starts up).

  • Launch VirIT eXplorer and update it to version 7.0.50 or later. Close VirIT.
  • Re-launch VirIT eXplorer (the window title will now show version 7.0.50 or later), then click Scan->Search to perform a deep scan of the PC and remove the virus.

During VirIT's scan it is possible that other files (besides wpbt0.dll) will be found infected by Trojan.Win32.FakeGdF.A.

It is also possible to remove the virus manually with the following steps:

  • Remove the file: %user%\Start Menu\Programs\StartUp\wpbt0.dll.lnk
  • Remove the file: %user%\Local Settings\TEMP\WPBT0.DLL

For the other Trojan.Win32.FakeGdF variants:

  • Remove the file: %user%\Start Menu\Programs\StartUp\0.[random name].exe.lnk
  • Remove the file: %user%\Local Settings\TEMP\0.[random name].exe

where %user% is:

  • c:\documents and settings\<username> for Windows 2000/XP and Server 2003
  • c:\users\<username> for Windows Vista/7 and Server 2008
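As an added example (not TG Soft's code), a small Python script that applies the indicators above to a user profile: it matches the wpbt0.dll / 0.[random name].exe names in the StartUp and Temp folders and recognises the Rundll32 launch line. The profile it scans is constructed as empty stand-in files in a temporary directory; the folder names, file names and the SUPPS export come from the analysis above, while the function names are assumptions of this example.

```python
import os
import re
import tempfile

# Name pattern from the analysis: wpbt0.dll for variant A, 0.<digits>.exe for the
# random-name variants; the same name plus .lnk is the StartUp shortcut.
ARTIFACT_RE = re.compile(r"^(wpbt0\.dll|0\.\d+\.exe)(\.lnk)?$", re.IGNORECASE)

# Launch line as shown for variant A: rundll32 loading the file from the Temp
# folder and calling its SUPPS export; 8.3 forms such as IMPOST~1 are accepted.
LAUNCH_RE = re.compile(
    r"rundll32\.exe\s+.*?\\temp\\(wpbt0\.dll|0\.\d+\.exe),\s*supps\b", re.IGNORECASE)

def is_fakegdf_launch(cmdline):
    """True when an autorun or process command line matches the FakeGdF entry."""
    return LAUNCH_RE.search(cmdline) is not None

def find_fakegdf_artifacts(profile_dir):
    """Scan the two locations from the removal section under a user profile and
    return (relative path, kind) pairs, StartUp shortcuts before payload files."""
    # English folder names as in the removal section; an Italian install uses
    # "Menu Avvio\Programmi\Esecuzione automatica" and "Impostazioni locali\Temp".
    locations = [os.path.join("Start Menu", "Programs", "StartUp"),
                 os.path.join("Local Settings", "Temp")]
    hits = []
    for rel in locations:
        folder = os.path.join(profile_dir, rel)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            m = ARTIFACT_RE.match(name)
            if m:
                kind = "autorun shortcut" if m.group(2) else "payload"
                hits.append((os.path.join(rel, name), kind))
    return hits

def build_sample_profile():
    """Constructed stand-in: empty files in a temp dir laid out like an infected
    XP profile (variant A plus one random-name variant). Returns the profile path."""
    root = tempfile.mkdtemp(prefix="fakegdf_")
    for parts in [("Start Menu", "Programs", "StartUp", "wpbt0.dll.lnk"),
                  ("Start Menu", "Programs", "StartUp", "0.8255788870080162.exe.lnk"),
                  ("Local Settings", "Temp", "WPBT0.DLL"),
                  ("Local Settings", "Temp", "0.8255788870080162.exe"),
                  ("Local Settings", "Temp", "setup_log.txt")]:  # benign control
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root
```

Delete the shortcuts reported first and the payload files second, as in the manual steps above; on a real profile the Italian folder names must be substituted.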

Variants

Name                    Size (bytes)  MD5                               Website IP      Time stamp
Trojan.Win32.FakeGdF.A  174592        37f939b59edce18204f3db1fc18e79ff  83.69.236.38    17/07/2011 21.58.49
Trojan.Win32.FakeGdF.B  203264        1d10fb2bb8fac1122e2452975acfb701  31.31.200.105   14/12/2011 09.35.29
Trojan.Win32.FakeGdF.C  203264        58bca204698ff459697e6c1d9b8a5519  31.31.200.105   14/12/2011 15.34.14
Trojan.Win32.FakeGdF.D  180736        ef9b87a2780047307ac6c7280dc5feff  78.47.58.6      12/01/2011 09.08.08
Trojan.Win32.FakeGdF.E  194048        d0d0b5b6023d7534e05e44d18e7e11e1  78.47.58.6      15/12/2011 16.21.14
Trojan.Win32.FakeGdF.F  203776        78900f3e233ac18e29795bf0381526c9  85.17.168.194   11/12/2011 20.43.32
Trojan.Win32.FakeGdF.G  182272        750d4b7b1b0278b34f3afe15d81df559  46.161.31.157   26/06/2011 08.22.02
Trojan.Win32.FakeGdF.H  171008        b9a08f4e586f278e2c3420676bcde367  64.120.143.226  14/03/2011 10.04.03
Trojan.Win32.FakeGdF.I  193024        ec31d1eef414fefa17fef71573dd62f1  64.120.143.226  09/04/2011 13.07.01
Trojan.Win32.FakeGdF.J  179200        76376367a43a2ac4e718ca6fc8932648  83.69.236.38    14/05/2011 11.16.59
Trojan.Win32.FakeGdF.K  184320        3f657024d7a7e9da7215df7f87982df6  85.17.168.194   26/03/2011 08.38.56
Trojan.Win32.FakeGdF.L  165376        4b6de49e05c9c27892f465ac663b387f  64.120.143.226  28/02/2011 05.29.55
Trojan.Win32.FakeGdF.M  185344        26caa122cc0d01f788af005ea0135d08  64.120.143.226  14/03/2011 07.02.45
Trojan.Win32.FakeGdF.N  185856        d3b6c37e2de28822aae217b5e8b85d68  62.76.190.68    14/06/2011 09.30.20
Trojan.Win32.FakeGdF.O  204288        102ac369ffb35df07fb0ead427e45955  78.47.15.197    15/07/2011 02.33.58
Trojan.Win32.FakeGdF.P  195584        fc6042028b7b552cb2b2b09e8a28e550  78.47.15.197    27/04/2011 01.43.55
Trojan.Win32.FakeGdF.Q  190464        73e8702fcb76dfb5dbf1a6ba48ef8325  64.120.143.226  16/02/2011 19.34.00
Trojan.Win32.FakeGdF.R  199680        def27a897bff7e75155e7255083f868f  64.120.143.226  28/02/2011 16.06.38

Information on the site hxxp://83.69.236.38

The fake Guardia di Finanza site (hxxp://83.69.236.38) is located in Russia:

IP Information - 83.69.236.38
IP address: 83.69.236.38
Reverse DNS: taratatat.ru.
Reverse DNS authenticity: [Could be forged: hostname taratatat.ru. does not exist]
ASN: 28762
ASN Name: AWAX-AS (AWAX Telecom Ltd)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): RU [Russian Federation]
Country Currency: RUR [Russia Rubles]
Country IP Range: 83.69.192.0 to 83.69.255.255
Country fraud profile: High
City (per outside source): Moscow, Moskva
Country (per outside source): RU [Russian Federation]
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No

WHOIS information:

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '83.69.236.0 - 83.69.236.255'
inetnum: 83.69.236.0 - 83.69.236.255
netname: AWAX-HOSTING-NET
descr: "LTD AWAX Telecom"
remarks: ********************************************
remarks: * Contact *****@hostline.ru *
remarks: * for spam or other abuse matters. *
remarks: ********************************************
country: RU
admin-c: AVG6-RIPE
admin-c: SVG217-RIPE
tech-c: AVG6-RIPE
tech-c: SVG217-RIPE
status: ASSIGNED PA
mnt-by: AWAX-MNT
changed: ***@awax.su 20110526
source: RIPE

person: Andrei V Gasov
address: LTD AWAX Telecom
address: Moscow, Orlovo-Davydovsky per., 2/5 str
address: 129110 Moscow
address: Russia
phone: +7 495 6264747
fax-no: +7 495 6264747
e-mail: ***@hostline.ru
nic-hdl: AVG6-RIPE
mnt-by: AWAX-MNT
changed: ***@awax.su 20110526
source: RIPE

person: Sergey V Grenivetskiy
address: LTD AWAX Telecom
address: Moscow, Orlovo-Davydovsky per., 2/5 str.
address: 129110 Moscow
address: Russia
phone: +7 495 6264747
fax-no: +7 495 6264747
e-mail: **@hostline.ru
nic-hdl: SVG217-RIPE
mnt-by: AWAX-MNT
changed: ***@awax.su 20110526
source: RIPE

% Information related to '83.69.232.0/21AS28762'
route: 83.69.232.0/21
descr: NOC
origin: AS28762
mnt-by: AWAX-MNT
changed: ***@awax.su 20091005
source: RIPE

% Information related to '83.69.236.0/24AS28762'
route: 83.69.236.0/24
descr: NOC
origin: AS28762
mnt-by: AWAX-MNT
changed: ***@awax.su 20110124
source: RIPE

Information on the site hxxp://31.31.200.105

IP Information - 31.31.200.105
IP address: 31.31.200.105
Reverse DNS: my.nononononon.ru.
Reverse DNS authenticity: [Could be forged: hostname my.nononononon.ru. does not exist]
ASN: 0
ASN Name: IANA-RSVD-0
IP range connectivity: 0
Registrar (per ASN): Unknown
Country (per IP registrar): RU [Russian Federation]
Country Currency: RUR [Russia Rubles]
Country IP Range: 31.31.192.0 to 31.31.207.255
Country fraud profile: High
City (per outside source): Unknown
Country (per outside source): RU [Russian Federation]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No

Information on the site hxxp://78.47.58.6

IP Information - 78.47.58.6
IP address: 78.47.58.6
Reverse DNS: xen1.it-mcp.ru.
Reverse DNS authenticity: [Could be forged: hostname xen1.it-mcp.ru. does not exist]
ASN: 24940
ASN Name: HETZNER-AS (Hetzner Online AG RZ)
IP range connectivity: 2
Registrar (per ASN): RIPE
Country (per IP registrar): DE [Germany]
Country Currency: EUR [euros]
Country IP Range: 78.46.0.0 to 78.47.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): DE [Germany]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No

Information on the site hxxp://85.17.168.194

IP Information - 85.17.168.194
IP address: 85.17.168.194
Reverse DNS: [No reverse DNS entry per ns0.leaseweb.nl.]
Reverse DNS authenticity: [Unknown]
ASN: 16265
ASN Name: LeaseWeb (LEASEWEB AS)
IP range connectivity: 6
Registrar (per ASN): RIPE
Country (per IP registrar): *E [[RIPE Unlisted]]
Country Currency: Unknown
Country IP Range: 85.0.0.0 to 85.255.255.255
Country fraud profile: Normal
City (per outside source): Amsterdam, Noord-Holland
Country (per outside source): NL [Netherlands]
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No


Information on the site hxxp://46.161.31.157

IP address: 46.161.31.157
Reverse DNS: vds.srv7.majorhost.net.
Reverse DNS authenticity: [Could be forged: hostname vds.srv7.majorhost.net. does not exist]
ASN: 0
ASN Name: IANA-RSVD-0
IP range connectivity: 0
Registrar (per ASN): Unknown
Country (per IP registrar): RU [Russian Federation]
Country Currency: RUR [Russia Rubles]
Country IP Range: 46.161.0.0 to 46.161.63.255
Country fraud profile: High
City (per outside source): Unknown
Country (per outside source): RU [Russian Federation]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No



Analysis by eng. Gianfranco Tonello
C.R.A.M. (Anti-Malware Research Center)
by TG Soft

 

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
