A friend of mine caught the so-called BKA Trojan, and asked me to help him remove it.
This trojan makes using Windows impossible: if the machine is connected to the Internet it displays an official-looking statement (see sample), if not it shows only a white, empty desktop, and in either case it blocks any user action. The only way to revert to normal is supposedly to send money via PaySafeCard or Ukash.
The warning page (which is full of typos, even in the heading: “Investignation”) lists a couple of Internet crimes that have supposedly been committed and caused the “computer” to be locked by law enforcement; unlocking is as easy as sending 100€ via the linked payment providers.
What to do?
We started Windows in safe mode with command prompt and ran msconfig to look for suspicious start-up entries, unfortunately without any obvious success.
By cd’ing and dir’ing around we found the date and time the infection took place: the temp directory C:\Users\[username]\AppData\Local\Temp contained an executable with a “funny” name (5628386cos7655422.exe), an HTML file and a couple of images.
Some removal tips mention the Shell setting in the registry, so we had another look using regedit (which can also be run from the Windows 7 command-line boot).
The Shell key contained the following string:
This seemed suspicious, as it should contain “explorer.exe” and nothing more.
The next steps were straightforward: set the Shell key back to “explorer.exe” only, remove the msconfig.dat, and reboot back to normal.
Surprisingly, the Trojan does not seem to contain any sophisticated survival code (such as copying itself all over the boot disk, planting several hooks in the registry, running a watchdog, etc.), things that can make malware removal a nightmare.
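As an added illustration of the Shell check described above (this is not code from the original post), here is a PowerShell script that reads the Winlogon Shell value from both HKLM and HKCU and flags anything other than explorer.exe. The post does not name the registry path, so the standard Winlogon key location is assumed; Winlogon accepts a comma-separated list of shells, which is how an extra program can be appended behind explorer.exe.

```powershell
# Added example: report any Winlogon "Shell" value that is not exactly "explorer.exe".
# Assumption: the Shell value lives under the standard Winlogon key (the post does not name it).
$WinlogonPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-ShellValue {
    param([string]$Value)
    # Winlogon treats the value as a comma-separated list, so split, trim and drop empties.
    $entries = @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # -ne is case-insensitive in PowerShell, so "Explorer.exe" is accepted as well.
    $extra = @($entries | Where-Object { $_ -ne 'explorer.exe' })
    [pscustomobject]@{
        Raw        = $Value
        Clean      = ($entries.Count -eq 1 -and $extra.Count -eq 0)
        Unexpected = $extra
    }
}

foreach ($path in $WinlogonPaths) {
    $item = Get-ItemProperty -Path $path -Name Shell -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # HKCU normally carries no Shell value at all; a per-user value overrides HKLM,
        # so its mere presence is worth a look.
        Write-Output "$path : no Shell value (normal for HKCU)"
        continue
    }
    $result = Test-ShellValue -Value $item.Shell
    if ($result.Clean) {
        Write-Output "$path : Shell = '$($result.Raw)' (OK)"
    } else {
        Write-Warning "$path : Shell = '$($result.Raw)' -> unexpected entries: $($result.Unexpected -join '; ')"
        # Record the extra entries (they point at the dropped file) before restoring the default:
        # Set-ItemProperty -Path $path -Name Shell -Value 'explorer.exe'
    }
}
```

Run it from an elevated prompt in safe mode with command prompt, as in the post, since a locked desktop session will not let you open a normal window.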