In association with heise online

13 April 2010, 13:06

Trojan threatens legal action

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Zoom On German PCs, for example, the text is apparently displayed in German.
A number of anti-virus software vendors are reporting a particularly brazen piece of ransomware. It claims to be an anti-piracy scanner and to have discovered copyrighted files – torrent files to you and me – on the victim's computer. It pops up a big window listing the files found and warning of potential legal consequences for the user. The trojan finds its way onto victims' computers via scareware websites, although users apparently download and install it themselves.

According to analysis by Dancho Danchev, the trojan does in fact genuinely search the hard drive for torrent files and displays a list of any files found. The pop-up window is even localised for different countries and can display the dialogue text in German, Danish, Dutch, French or Italian, as well as other languages.

The windows can be ignored and closed, but they reappear when the computer is restarted. The trojan also replaces the background image with an image containing the words "Warning! Piracy Detected".

Zoom The warning text aims to add weight to the trojan's demands.
The trojan proposes an out-of-court settlement on behalf of a fictional copyright organisation called the "ICPP Foundation", to which the user is invited to pay $400. Otherwise, the victim is threatened with having the data collected from their PC forwarded to the courts, which, it states, can impose sentences of up to five years in jail or hundreds of thousands of dollars in fines.

If the victim decides to take up the invitation to pay $400, he or she is directed to a website claiming to belong to the ICPP Foundation, where they are able to make a credit card payment. According to F-Secure, the website is merely a system for collecting credit card details and is not connected to an actual payments system.

F-Secure also notes that the trojan sometimes conceals itself as iqmanager.exe in C:\documents and settings\USERNAME\application data\IQManager\. F-Secure detects the trojan as W32/DotTorrent.A

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit