<<<
Monday, April 12, 2010
>>>
 
ICPP Copyright Foundation is Fake Posted by Mikko @ 08:47 GMT

There's a new extortion trojan in circulation.

This one attempts to steal victims' money by bullying them to pay a "pre-trial settlement" to cover a "Copyright holder fine".

The victim is informed that an "Antipiracy foundation scanner" has found illegal torrents from the system. If he won't pay $400 (via a credit card transaction), he might face jail time and huge fines.

a co-project by ICCP Foundation / ICPP Foundation - Copyright violation: privacy content detected

And the warnings will not go away. They will reappear every time the user reboots his system.

a co-project by ICCP Foundation / ICPP Foundation - Copyright violation: privacy content detected

All of this is completely fake. There is no "ICPP Foundation", and the messages will appear even if the system contains no illegal material whatsoever.

Most importantly: Refuse to pay money to these clowns! If people pay them, the problem will only grow bigger.

The group behind this have even set up an official-looking website at icpp-online.com.

a co-project by ICCP Foundation / ICPP Foundation - Copyright violation: privacy content detected

The domain is registered to Mr. "Shoen Overns". The same e-mail address ovenersbox@yahoo.com has been seen before in various other domains, connected to Zeus and Koobface scams.

a co-project by ICCP Foundation / ICPP Foundation - Copyright violation: privacy content detected

If you click on the Reports shown by the application, you'll end up on pages such as these:

a co-project by ICCP Foundation / ICPP Foundation - Copyright violation: privacy content detected

We tried calling the (Italian) phone number listed on the page: +39 (06) 9028 0658. Unsurprisingly, it goes nowhere.

a co-project by ICCP Foundation / ICPP Foundation - Copyright violation: privacy content detected

These pages are hosted at 91.209.238.2, which according to WHOIS belongs to EBUNKER-NET, a "High protected Somalia network". It's running in Moldova.

This is what the payment page looks like:

iccp7

There is no obvious credit-card payment system connected to the site; they just seem to collect the credit card information.

If you are hit by this trojan, DO NOT PAY. Instead, use an antivirus program that is capable of detecting it to remove the trojan. F-Secure Antivirus detects it as Rogue:W32/DotTorrent.A. You can use our free Online Scanner at ols.f-secure.com to check your system.

The malware is typically located in c:\documents and settings\USERNAME\application data\IQManager\iqmanager.exe. We've seen two versions so far. MD5 hashes of them are cedc2c35bf967027d609df13e937946c and bca3226cc1cfea416c0bcf488082e5fd.






<<< Trojanised Mobile Phone Game Makes Expensive Phone Calls
|
Automated Updates >>>