Tuesday, September 11, 2012

Metropolitan/West Yorkshire Police (Ukash) Infection

This infection is commonly found in Britain, where it claims to come from the Metropolitan Police or West Yorkshire Police - though it doesn't.  There have been a few instances of this infection around recently so I thought a few words about it might be helpful.

It has been around for a few years in different countries and masquerades under different names, claiming to be from the FBI in America, the RCMP in Canada, la Policía in Spain, etc.  In fact it's not a virus in the strict sense of the term, but it is a nasty infection nonetheless.

The common element is that it says that your computer has been locked because "they've" detected illegal activity on your computer - and it will generally say what sort of activity was detected such as illegal music downloads, visiting pornographic sites, etc.

It also provides you with a panel whereby you can pay your fine (currently £100) with Ukash then they will unlock your computer.  Don't do it!

Of course, it's all complete nonsense... it's just a piece of malware (now being called 'ransomware') which has got onto your computer.  It only takes a moment to realise that it's just a scam; this is just not the way our legal system works!

So what problems does it bring?

  • Firstly, it HAS stopped you using your computer (and, in fact, even if you pay this 'fine' it won't get it back in action again).
  • It can introduce OTHER malware onto your system, causing further problems.
  • Your antivirus software will often be shut down (even once you've removed the infection).
  • It may cause your computer to run slowly, although, if you can't do anything with it, I guess that doesn't matter too much!

So far I've not come across any cases where your data is actually destroyed (YET!)

How do you get rid of it?

It can be a bit problematic to remove it since, as time has gone on, it's changed the way it works which means that if you search the web for how to get rid of it, methods you find may no longer work.

At one time it would install itself to be run as the Windows shell by overwriting the registry value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = [random].exe

but that's just one of many ways that it inserts itself into your computer and even then, there can be a lot more to it than that!

It has been suggested that a full scan with Malwarebytes Anti-Malware can clear it, but how do you do that if you can't run programs because of this infection?

Clearing it is generally a three phase process:-
  • Find out what it's called and where it is and how it gets run 
  • Remove the files and registry entries associated with it
  • Clean up all the mess it may have left behind
That sounds easy enough!  ;-)

You might be able to identify the rogue process by getting task manager to run and then you might be able to terminate that process to give you some sort of control, though, of course, it will come back if you reboot your machine.  Having closed it down you may be able to run a scanner which may be able to remove it.

If you are able to find the process, you should be able to discover what it's called and where it is to be found.  Often it will be hidden in either your user application data folder or in the shared application data folder, but there's no guarantee.  You may find that it's been set as a system, hidden and read-only file and that you are unable to change that.

Assuming you've managed to get rid of the file (or files) you then need to clean out the mechanism which is running it.  You might find it in any of the following places:-
  • The startup folder
  • in the registry in any (or many) of
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
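The checks described above (a rogue process running from one of the application data folders, and the Winlogon and startup entries it uses to get itself run) can be done in one read-only pass rather than by hand.  The script below is an added example, not something from the original post; it compares the Winlogon values against their normal defaults (Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe,), reads the Load and Run values under the HKCU Windows key (that choice of values is mine, not the post's), lists the startup folders, and flags any running process whose executable lives under AppData or ProgramData, together with the file's attributes so the system/hidden/read-only trick shows up.  It changes nothing, so it is safe to run from Safe Mode with Command Prompt before deciding what to remove.

```powershell
# Added example: audit the persistence points named in the post.  Read-only;
# run from an elevated PowerShell prompt (e.g. Safe Mode with Command Prompt).

# Expected defaults for the Winlogon values; $null means "should not be set".
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = 'explorer.exe' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Expected = "$env:SystemRoot\system32\userinit.exe," }
    # Legacy autostart values under the HKCU key the post lists (assumption: these are the two worth reading).
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Load';     Expected = $null }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Run';      Expected = $null }
)

function Test-PersistenceValue {
    param([hashtable]$Check)
    $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
    if ([string]::IsNullOrEmpty($actual) -and $null -eq $Check.Expected) {
        return "OK       $($Check.Path)\$($Check.Name) is not set"
    }
    if ($actual -eq $Check.Expected) {        # -eq is case-insensitive in PowerShell
        return "OK       $($Check.Path)\$($Check.Name) = $actual"
    }
    return "SUSPECT  $($Check.Path)\$($Check.Name) = '$actual' (expected '$($Check.Expected)')"
}

'--- Winlogon / HKCU Windows values ---'
foreach ($c in $checks) { Test-PersistenceValue -Check $c }

# Anything in the per-user or all-users Startup folder gets run at logon.
'--- Startup folders ---'
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object { "STARTUP  $($_.FullName)" }
}

# Processes whose image lives under the user or shared application data folders.
'--- Processes running from application data folders ---'
$dataDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_.Path                                  # $null for system processes or when access is denied
    if ($p -and ($dataDirs | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') })) {
        $attrs = (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue).Attributes
        "PROCESS  PID $($_.Id) $p  [attributes: $attrs]"
    }
}
```

A SUSPECT line for Shell or Userinit, or a PROCESS line whose attributes include System and Hidden, is exactly the pattern the post describes; the script only reports, so what to delete (and whether to do it from a Linux boot instead) is still your call.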

I'm not going into any details about these entries because if you don't know what this means then you shouldn't even be thinking of going there.  Get something wrong in the registry and you can stop your computer working totally!

If you ARE happy breaking into the registry then you can probably gain access by booting into Safe Mode with Command Prompt and running the editor from there.  Or boot from a CD with remote registry editing capability.

In fact you can get a lot more control if you DON'T boot into your infected Windows system but instead use a Linux distribution... and again, if that doesn't make sense to you then it's not something you should be trying!

As for cleaning up the mess that it might leave behind, well, that's rather outside the scope of this article because differing variants are reported to have done all manner of things, although the worst cases I've seen have just set the system so it's unable to run antivirus programs!

It all seems a bit vague!

Indeed it does!  As people find and publish details of how infections work and how to get rid of them, the bad guys that create this sort of thing modify it to work in a different way, hence this posting is full of uncertainty with phrases like, 'it might be in...', 'this may clear...', etc.

Basically each infection of this nasty needs to be analysed and cleared depending on what is found.