The Latest in IT Security

Ransomware Posing as FBI


Scammers and Spammers are always looking to cash in on recent
news whether it be twerking or a royal baby.  I know it may seem like we are inundating you with ransomware threats this week.  The international climate has shifted towards privacy concerns due to PRISM leaks and malware writers have taken note.  This week we discussed how Fake NSA alerts tried to shake down users for a $300 to avoid prosecution.  This week a fake FBI posting purports to be after pornographic material that is displayed within the popup message (blacked out).

Don’t Panic.

This isn’t the only intimidation tactic employed by the Trojan.  It also disables access to Task Manager and other Windows tools to limit the user’s ability to close the disturbing page which is actually hosted on the victim’s PC found at the following location:

   C:\Documents and Settings\user\Local Settings\Application Data\(8 Character string)\index.html

It disables the user’s ability escape the message by hooking the process to Winlogon via the userint.exe process and creating an Autostarter value.

Userinit.exe Augmented

Autostarter Value Set

The final aspect of this threat is that it is constantly posting content from the victim’s PC to contribute to a botnet.

This POST is seen every 5 seconds.

I suspect that this trend of giving fake Government alerts to propagate malicious content is only going to trend upwards.  Some download locations for this threat can be seen here:

  • hxxp://
  • hxxp://
  • hxxp://

The phone home activity for this threat is based Germany, not the US.


Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments