UKash - Metropolitan Police Virus Scam

[123Simples]

UKash - Metropolitan Police Virus Scam is doing a re-run in the UK, and recently hit one of our customers PC's who was very distressed and upset by the experience. I'm only posting this is an advisory in case anyone else gets caught out with this.

Our customer (probably like many computer users) had failed to really keep his internet security up to date, but whilst surfing YouTube he clicked on an external link, and inadvertently in doing so, downloaded the Ukash virus. It is a trojan -

Basically the virus installs on your system, and then it locks the computer up with a screen saying Metropolitan Police - Your computer has been locked.
The screen information displays your computer IP and other information that might make you think (if you do have your wits about you) that this is quite a genuine thing. Obviously the giveaway is if you pay them a £100 using any of the methods show, then an unlock code will be sent to you.

This is a scam that happened a few years ago in Germany and has been modified and released again. If you type this into Google Search:

"ukash virus metropolitan police"

You will note that there have been a spate of recent attacks using this virus. Removal needs to be done with care, and using Safe Mode - even then it takes a bit of weeding out.

Just to advise anyone who may be interested.

[James1980]

I caught this yesterday, but rather serendipip.. serendillupus... rather luckily I seem to have accidentally killed it when I went to shut down my PC.

As part of the shutdown procedure it seems Windows killed the malware, but because I had an unsaved file open on my desktop, it paused and asked if I wanted to save it. I cancelled the shutdown procedure and then did a full scan with Antimalware Bytes and Windows Essential Security.

This seems to have done the trick... but I haven't rebooted my PC since. Fingers crossed and all that.

It would be interesting to know if the unlock code is the same for all PCs. I seem to recall this was the case with a piece of ransomware from a few years ago - it was something trivial like "1234".


James

[123Simples]

I think you are right on the unlock code James - it will be interesting to hear from you when you reboot the PC to see if you have killed it, or it is just hiding somewhere

My advice would be (just to make sure) is to boot up in Safe Mode with Command Prompt, do a complete MalwareBytes Scan and Anti Virus check. From what I can see this virus can be awkward inasmuch it has maybe changed how it does work because there seems to be so many conflicting ideas on how to find it/remove it.

[iXtremeLuke]

I got this Trojan an hour ago, It go removed with Maleware Bytes, It locked my computer down but I simply press Shut Down and the computer closed all programs except Avast and Explorer.exe

[TonyHarbon]

One further cautionary tale is that trojans like to bring their friends along to play when you inadvertantly download them onto your PC. Our standard practice is to reformat the hard drive and re-build a PC that gets infected with a trojan because it's the only way that you can be sure that you are not now part of a Botnet!



Tony Harbon

[123Simples]

Quote:

Originally Posted by TonyHarbon

One further cautionary tale is that trojans like to bring their friends along to play when you inadvertantly download them onto your PC. Our standard practice is to reformat the hard drive and re-build a PC that gets infected with a trojan because it's the only way that you can be sure that you are not now part of a Botnet!



Tony Harbon

I do agree - if I feel that the system has been compromised in this way, I would almost certainly reformat the hard drive. I would also suggest that if a hard drive is partitioned, that a thorough scan is run after the format procedure. If in doubt clear everything out and start afresh.

[Bill1954]

I agree with the formatting advice, and a full format not just a boot sector format, but rebuilding the whole PC seems abit like overkill.

[123Simples]

I would guess (or hope) that Tony meant re-building the software side of it as yes there is no reason to literally REBUILD the whole hardware side of it at all - that would be overkill

[rachaelx]

I know this is probably a long shot but I just wanted to post my experience on the off chance that the horrible, selfish, thuggish people that started this scam read others experiences for the fun of it.

I hope they do. This thread would be really helpful if I had been able to see it before my computer was hijacked.
It was my fathers funeral last week, which I had to pay for with the money I had saved up for Christmas. Then, my computer came up with that sick horrible virus and I panicked, assuming my son had clicked on some website accidently. I paid the £100, and when that didn't resolve the situation I realised it was a scam. I then had to pay a further £60 to get a technician to remove the virus.
I literally now have no money for christmas. Instead, my money is in the pockets of those horrible people that set this up. My kids wont have a proper christmas dinner and I cant buy the presents I was planning on getting them. I feel really sick that this has happened to me with everything else that has gone on this month.
I hope whoever did this, you will read this and realise how it has affected my life. You don't deserve the money I have worked so hard to save this year and I know I probably wont ever get it back. I just hope that this catches up with you, and you end up in some jail with some other villans making your christmas special.

[123Simples]

Hi rachaelx

Sorry to hear about your Dad. Sadly these kind of people don't even care and that is why they do this sort of stuff. I would however advise you to contact your bank and tell them what has happened, and make sure that your bank account details are safe.
Also contact your local police and explain what has happened.

There is no such thing as a "victimless crime" and you should report this, but please do check with your bank IMMEDIATELY or whichever card issuer you may have used to pay this scum with.