BKA Ransomware spreading

Just a couple of days after I removed the BKA ransomware from a friend's laptop, the laptop got infected again. The result looked the same: a seemingly official warning that law enforcement had detected illegal files or images on the PC, and that the machine would be unlocked after payment of a certain amount of money via payment providers.

This time, however, the virus could not be removed as simply, because the symptoms were different:

  • no msconfig.dat this time
  • a hellomoto directory under \Users\****\AppData\Roaming\
  • a directory whose name is 3 or 4 digits, with an executable inside, under \Users\****\AppData\Local\Microsoft\Windows\
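To check a machine for the symptoms listed above without touching anything, here is an added PowerShell triage script. It is not from the original post and it is not a removal tool: it only reports what it finds. It assumes PowerShell 3 or later (Get-FileHash, used for the optional hashes, needs version 4), that it is run from an elevated prompt on the suspect machine or against an offline copy of the Users folder via the hypothetical -UserRoot parameter, and that an executable in the numeric directory means a file ending in .exe. The tmp*.dat check in AppData\Local\Temp is taken from the reader comment on this page, not from the list above.

```powershell
# Added triage script (not from the original post). Reports the on-disk
# indicators described for this BKA ransomware variant; deletes nothing.
# Assumed usage: elevated PowerShell on the infected machine, or
#   .\Find-BkaIndicators.ps1 -UserRoot 'E:\Users'   (offline copy of the disk)
param(
    [string]$UserRoot = (Join-Path $env:SystemDrive 'Users')
)

function Add-Finding {
    param([string]$User, [string]$Indicator, [string]$Path)
    [pscustomobject]@{ User = $User; Indicator = $Indicator; Path = $Path }
}

$findings = New-Object System.Collections.Generic.List[object]

foreach ($userDir in Get-ChildItem -LiteralPath $UserRoot -Directory -ErrorAction SilentlyContinue) {
    $roaming = Join-Path $userDir.FullName 'AppData\Roaming'
    $local   = Join-Path $userDir.FullName 'AppData\Local'

    # Indicator from the post: a hellomoto directory directly under AppData\Roaming
    $hellomoto = Join-Path $roaming 'hellomoto'
    if (Test-Path -LiteralPath $hellomoto -PathType Container) {
        $findings.Add((Add-Finding $userDir.Name 'hellomoto directory' $hellomoto))
        foreach ($f in Get-ChildItem -LiteralPath $hellomoto -File -Force -ErrorAction SilentlyContinue) {
            $findings.Add((Add-Finding $userDir.Name 'file in hellomoto' $f.FullName))
        }
    }

    # Indicator from the post: a directory named with 3 or 4 digits under
    # AppData\Local\Microsoft\Windows that holds an executable
    $msWindows = Join-Path $local 'Microsoft\Windows'
    $numericDirs = Get-ChildItem -LiteralPath $msWindows -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d{3,4}$' }
    foreach ($dir in $numericDirs) {
        # Assumption: "executable" means a .exe; widen the filter if you suspect other types
        foreach ($exe in Get-ChildItem -LiteralPath $dir.FullName -File -Force -Filter '*.exe' -ErrorAction SilentlyContinue) {
            $findings.Add((Add-Finding $userDir.Name 'executable in numeric directory' $exe.FullName))
        }
    }

    # Indicator from the reader comment on the page: a tmp????.dat file in AppData\Local\Temp
    $temp = Join-Path $local 'Temp'
    foreach ($dat in Get-ChildItem -LiteralPath $temp -File -Force -Filter 'tmp*.dat' -ErrorAction SilentlyContinue) {
        $findings.Add((Add-Finding $userDir.Name 'tmp*.dat in Local\Temp' $dat.FullName))
    }
}

if ($findings.Count -eq 0) {
    Write-Output "None of the listed indicators were found under $UserRoot"
} else {
    # Hash each file so samples can be compared between machines or submitted
    # for analysis; Get-FileHash is only available on PowerShell 4 and later.
    $canHash = [bool](Get-Command Get-FileHash -ErrorAction SilentlyContinue)
    foreach ($finding in $findings) {
        if ($canHash -and (Test-Path -LiteralPath $finding.Path -PathType Leaf)) {
            $hash = (Get-FileHash -LiteralPath $finding.Path -Algorithm SHA256).Hash
            $finding | Add-Member -NotePropertyName SHA256 -NotePropertyValue $hash
        }
    }
    $findings | Format-Table -AutoSize
}
```

Run it once before cleaning up and keep the output: the paths and hashes are what lets you tell on the next infection whether you are looking at the same variant or a new one. Because the script reads the whole Users tree, running it against an image of the disk mounted on a clean machine gives the same result without executing anything on the infected system.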

The German-language forums trojaner-board.de and botfrei.de already had several threads mentioning these symptoms, but offered no removal instructions; reformatting and reinstalling was the only solution suggested.

Yesterday Heise News reported that the malware is spreading so fast that even the FBI has issued a warning about it. Surf carefully!

One Response to BKA Ransomware spreading

  1. Friso says:

    I got infected again too, so I was quite happy to see that you wrote a follow-up! I didn't know about the directory with the executable. In the \Users\****\AppData\Local\Temp\ directory there was a file named tmpTujP.dat, which has a name very similar to one of the two files in the hellomoto directory. I deleted all those files and everything seems to be back to normal again.

    I really should surf more carefully!🙂
