27/12/2011
14:42

A virus pretending to be the Bundespolizei (the German counterpart of the GdF one): it is Trojan.Win32.BunPolizei.A


Trojan.Win32.BunPolizei.A pretends to be the German police and blocks the computer, demanding a 100€ ransom

Description

Trojan.Win32.BunPolizei.A is a piece of malware very similar to Trojan.Win32.FakeGdf.A, already analyzed by C.R.A.M. (the Anti-Malware Research Center of TG Soft) last 16 December.
After many new variants of Trojan.Win32.FakeGdf, which have already reached the "Y" one, this morning a similar version of the virus was discovered: it now pretends to be a Bundespolizei notification demanding a 100€ fine, with payment methods similar to those of FakeGdF.A. Again, payment is requested through Ukash or paysafecard prepaid codes.
Trojan.Win32.BunPolizei.A blocks the computer and shows the following web page:


This full-screen view does not permit any interaction with the infected PC. The user can only enter paysafecard or Ukash PIN codes.
The web page shows the Bundespolizei logo and notifies the user that the following illegal operations have been performed from his PC:
  • Download of child pornography material;
  • Sending of "terrorist" spam;
  • Other illegal activities.
If the payment system returns an error, the malware suggests sending an e-mail with the Ukash or paysafecard codes to info@stopkriminal.net, so that the criminals do not lose any possible payment.
Naturally, the fine is just an excuse to steal money from the user, and all statements and information shown on the web page are false and fraudulent. In these cases you should not pay any amount of money.
We have never heard of this kind of fine being applied by the Bundespolizei, and we do not think a law enforcement agency could ever do something like that, not only because it would be unethical but also because it would be illegal.
Filling in the Ukash or paysafecard forms on the page does not redirect to any other page, nor does it unlock the PC. The money paid would simply go to the criminals and the computer would remain in the same situation as before.

Fortunately, this virus is written in rather poor Italian, so we think users would not believe it easily, at least in our country. The social-engineering approach in this case seems very rough and unrefined, but with a better-done multilingual approach we do think this virus could earn a good amount of money.
Also, Ukash and paysafecard, even if available in Italy, are not widespread there. For now, this gives another passive protection against massive payments to the criminals' accounts. In a somewhat generic news item of 23 December 2011, the official Ukash site warns users about possible frauds.


From a technical point of view, unlike Trojan.Win32.FakeGdf.A, BunPolizei.A starts and blocks the PC both in normal mode and in Safe Mode, complicating the removal of the virus even for more experienced technicians, who might format the computer without further analyzing the problem.
The installation of Trojan.Win32.BunPolizei.A leads to a complete lockout of the computer. The Trojan copies itself as an .EXE file with a random name; in the analyzed case the file name was mahmud.exe.

File name: mahmud.exe
Size: 207360 bytes
MD5: 89c7b959e1146673515a66736b1ce11b
Compressed file format: UPX
File time stamp: 13/03/2011 05.30.26

Trojan.Win32.BunPolizei.A attacks the computer in different ways, depending on whether the file has been executed with Administrator rights or not:

Case 1
Trojan.Win32.BunPolizei.A DOES NOT have Administrator rights: it creates the following value under the registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[avupdate] = %userprofile%\Application Data\mahmud.exe

Case 2
Trojan.Win32.BunPolizei.A DOES have Administrator rights: it overwrites the Shell value of the following registry key, so the Trojan is started in place of Explorer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
[Shell] = %userprofile%\Application data\mahmud.exe
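The two persistence locations above are what a technician should check first, because the location found tells which removal path applies. The following audit, an added example and not part of the C.R.A.M. analysis, runs offline over a constructed list of (key, value name, data) entries, flags a Winlogon Shell value other than explorer.exe (Case 2) and Run-key entries pointing at an .exe inside the roaming profile folder (Case 1); the sample entries, the value name "VendorUpdater" and the function name are assumptions.

```python
import ntpath
import re

# Stock Windows sets Winlogon\Shell to plain "explorer.exe"; BunPolizei.A (Case 2)
# replaces it with the dropped .exe so the lock screen starts even in Safe Mode.
EXPECTED_SHELL = "explorer.exe"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Autorun keys used in Case 1 (no admin rights).
RUN_KEY_RE = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$",
    re.IGNORECASE)
# Roaming profile folders the family drops into: "Application Data" on 2000/XP/2003,
# "AppData\Roaming" on Vista/7/2008 (also reachable through %APPDATA%).
ROAMING_DIR_RE = re.compile(
    r"\\(application data|appdata\\roaming)\\|%appdata%\\", re.IGNORECASE)


def audit_persistence(entries):
    """entries: iterable of (key_path, value_name, data) strings, e.g. read from a
    registry snapshot. Returns (reason, key, value_name, data) tuples to review."""
    findings = []
    for key, name, data in entries:
        cleaned = data.strip().strip('"')
        if key.lower() == WINLOGON_KEY.lower() and name.lower() == "shell":
            # Case 2: anything but plain explorer.exe as the shell is a hijack.
            if ntpath.basename(cleaned).lower() != EXPECTED_SHELL:
                findings.append(("winlogon-shell-hijack", key, name, data))
        elif (RUN_KEY_RE.match(key) and ROAMING_DIR_RE.search(cleaned)
              and cleaned.lower().endswith(".exe")):
            # Case 1: autorun pointing at an .exe inside the roaming profile folder.
            findings.append(("run-entry-in-roaming-profile", key, name, data))
    return findings


# Constructed sample snapshot: the two indicators from the analysis plus two
# benign-looking values (assumed names) that must not be flagged.
SAMPLE_ENTRIES = [
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "avupdate", r"%userprofile%\Application Data\mahmud.exe"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "VendorUpdater", r"C:\Program Files\Vendor\updater.exe"),
    (WINLOGON_KEY, "Shell", r"%userprofile%\Application data\mahmud.exe"),
    (WINLOGON_KEY, "Userinit", r"C:\Windows\system32\userinit.exe,"),
]

if __name__ == "__main__":
    for reason, key, name, data in audit_persistence(SAMPLE_ENTRIES):
        print(f"{reason}: {key} [{name}] = {data}")
```

Legitimate software also installs into the roaming profile and autoruns from there, so a Run-key hit is a lead to confirm against the file (size and MD5 above), whereas a Shell value other than explorer.exe is almost always a hijack.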



Trojan.Win32.BunPolizei.A Removal

Case 1

Reboot the PC in Safe Mode without networking (by repeatedly pressing F8 before Windows boots).

Launch VirIT eXplorer and update it to version 7.0.58 or later. Close VirIT.
Re-launch VirIT eXplorer (the window title will show 7.0.58 or later), then click Scan->Search to perform a deep scan of the PC and remove the virus.

During the VirIT scan it is possible that more than one file will be found infected by Trojan.Win32.BunPolizei.A.

It is also possible to remove the virus manually:

    On Windows 2000/XP/Server 2003:

    Delete the file: %user%\Application Data\mahmud.exe or [random name].exe

    On Windows Vista/Seven/2008:

    Delete the file: %user%\Appdata\roaming\mahmud.exe or [random name].exe

Launch regedit and select the following registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete the value: avupdate



Case 2

Restart the PC in Safe Mode with Command Prompt (by repeatedly pressing F8 before Windows boots).

If VirIT is up to date, it is possible to launch the scan from the command prompt; alternatively, proceed to manual removal:

PRO Version:

  cd c:\viritexp
  viritexp.exe

Lite Version:

  cd c:\vexplite
  viritexp.exe


Manual removal

It is possible to remove the virus manually by following these steps (in our case the file name is mahmud.exe):

 1) From the command prompt type: regedit.exe (then press Enter)
 2) Select the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Double-click on: Shell
      change the value from:  %user%\application data\mahmud.exe

           to: EXPLORER.EXE

 3) Quit regedit
 4) Delete the infected file with the following DOS commands:

   on Windows 2000/XP/Server 2003:

   cd "Application Data"
   del mahmud.exe

  on Windows Vista/Seven/2008:

   cd Appdata
   cd roaming
   del mahmud.exe

 5) Restart the PC using this command:
      shutdown -r -t 0

 where %user% is:

    c:\documents and settings\<username> for Windows 2000/Xp and Server 2003
    c:\users\<username> for Windows Vista/7 and Server 2008

 
Analysis by eng. Gianfranco Tonello
C.R.A.M. (Anti-Malware Research Center)
by TG Soft

