16/05/2012
11:51

After Italian law-enforcement agencies such as the "Guardia di Finanza", the Italian Police and the "Carabinieri", now S.I.A.E. also asks for a ransom!


A new variant of the infamous Trojan.Win32.FakeGdf has appeared! This new version orders the user to pay a ransom, accusing him of having downloaded and played illegally copied music.
Having started with the fake "Guardia di Finanza" page, which ordered the user to pay a €100 fine for having downloaded child-pornography material, the FakeGdf malware has now added S.I.A.E. (the Italian authors' and publishers' society) to the long list of agencies that "fine" users for illegal acts. In this case it fines the user €100 for having downloaded copyrighted music.
 

Obviously, the information shown on the page is completely fake and you should neither believe it nor pay the fine.
The trick is always the same: exploit the user's panic to push him into paying the fine out of fear of heavier consequences. In this case the "unlock fee" is €100 and supposedly grants the user immunity from further criminal consequences.
An example page is shown to the right.


Usually the file presents itself under the name BSI.bund.exe and is executed from the Application Data folder of the user who was logged on at the time of infection.

The malware edits the following registry values so that it starts every time the PC is rebooted:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]:
[Shell] = %AppData%\BSI.bund.exe
[Userinit] = %AppData%\BSI.bund.exe, C:\Windows\system32\userinit.exe

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]:
[random_name] = %AppData%\BSI.bund.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]:
[random_name] = %AppData%\BSI.bund.exe


where %AppData% = C:\Documents and Settings\{username}\Dati Applicazioni (the localized name of the "Application Data" folder on an Italian Windows XP).

Since the Winlogon Shell value normally holds explorer.exe, overwriting it makes the lock page start in place of the desktop at every logon, and the Userinit value relaunches it even before the shell is started.
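As an added example (not TG Soft's code and not part of the original page), the following Python script checks a `reg export` of the keys listed above for this persistence and builds the `.reg` fragment that reverses it: it restores the Windows XP defaults for the Winlogon Shell and Userinit values and deletes the Run entries, the same kind of restore that the "Fix IE + Windows Settings" step described later on this page performs. Because it reads exported text rather than the live registry, it can be run offline on an export taken from Safe Mode or from a mounted hive. The sample export, the user name "mario" and the Run value name "kxqwpf" are constructed for the example.

```python
"""Detect the BSI.bund.exe persistence entries in a Windows registry export
and produce the .reg file that undoes them.

Added example, not TG Soft's code. Works on text produced by `reg export`.
The sample export, the user name "mario" and the Run value name "kxqwpf"
are constructed; the Shell/Userinit defaults are the Windows XP values.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Clean Windows XP values for the two Winlogon entries the malware overwrites.
WINLOGON_DEFAULTS = {
    "Shell": "Explorer.exe",
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
}
_DEFAULTS_LOWER = {k.lower(): v for k, v in WINLOGON_DEFAULTS.items()}
# Path fragments marking a Run entry that launches from the user's profile
# (Italian and English XP folder names, plus the unexpanded variable).
APPDATA_MARKERS = ("\\dati applicazioni\\", "\\application data\\", "%appdata%")

# Constructed `reg export` of the keys listed above, after infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\mario\\Dati Applicazioni\\BSI.bund.exe"
"Userinit"="C:\\Documents and Settings\\mario\\Dati Applicazioni\\BSI.bund.exe, C:\\Windows\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kxqwpf"="C:\\Documents and Settings\\mario\\Dati Applicazioni\\BSI.bund.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kxqwpf"="C:\\Documents and Settings\\mario\\Dati Applicazioni\\BSI.bund.exe"
"""

# A REG_SZ line in a .reg file: "name"="data", with \ escaping the next char.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg escaping: a backslash escapes the character after it.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _norm(value):
    # Registry paths are case-insensitive; Userinit carries a trailing comma.
    return value.strip().rstrip(",").strip().lower()


def parse_reg(text):
    """Return {key path (lower-cased): {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:  # only REG_SZ values matter here; hex(...) data is skipped
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_persistence(keys):
    """Return (key, value name, data, reason) for every hijacked entry."""
    findings = []
    for name, data in keys.get(WINLOGON_KEY.lower(), {}).items():
        default = _DEFAULTS_LOWER.get(name.lower())
        if default is not None and _norm(data) != _norm(default):
            findings.append((WINLOGON_KEY, name, data,
                             "Winlogon %s hijacked; default is %s" % (name, default)))
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            low = data.lower()
            if "bsi.bund.exe" in low or any(m in low for m in APPDATA_MARKERS):
                findings.append((key, name, data,
                                 "Run entry launching from the user's Application Data folder"))
    return findings


def cleanup_reg(findings):
    """Build the .reg text that restores the defaults and deletes the Run values."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _data, _reason in findings:
        lines.append("[%s]" % key)
        if key == WINLOGON_KEY:
            restored = _DEFAULTS_LOWER[name.lower()].replace("\\", "\\\\")
            lines.append('"%s"="%s"' % (name, restored))
        else:
            lines.append('"%s"=-' % name)  # "=-" deletes the value on import
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_persistence(parse_reg(SAMPLE_REG))
    for key, name, data, reason in hits:
        print("%s\n  %s = %s\n  %s" % (key, name, data, reason))
    print(cleanup_reg(hits))
```

The generated file is only a registry fix: the BSI.bund.exe binary itself still has to be deleted from the profile folder, and the script should be run against an export taken after the scan, otherwise a running copy of the malware can simply rewrite the values.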

If you find yourself in this situation, it is useful to know that you can get around the problem by restarting the PC in Safe Mode (press F8 at power-on, before Windows starts) and then running a full scan with Vir.IT eXplorer (updated to the latest version).
Once the scan has finished, go to the "Tools" section of Vir.IT eXplorer and select "Fix IE + Windows Settings" to restore the Windows registry values modified by the malware.
You also need to restore the desktop icons, which this variant hides.
To restore the desktop icons, right-click an empty area of the desktop and select "View -> Show desktop icons" from the menu.


TG Soft offers a free download of Vir.IT eXplorer Lite, which can coexist with other antivirus products installed on the PC, is very light, has one of the lowest CPU footprints on the market, is FREE and is completely translated into ENGLISH. See the download page: Download Vir.IT eXplorer Lite: the free antivirus that can be used without restriction


If the malware has disabled Safe Mode, as it usually does, Vir.IT eXplorer PRO users can request the technical assistance reserved for them to completely remove the malware.
Any information published on our site may be used and republished on other websites, blogs, forums, Facebook and/or in any other form, both on paper and electronically, as long as the source is always explicitly cited as "Source: CRAM by TG Soft www.tgsoft.it" with a clickable link to the original information and/or web page from which the text, ideas and/or images have been taken.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgement is appreciated: "Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft, whose original information can be found at: [direct clickable link]"
