First of all: there is no such thing as 100% protection against malware, viruses and Trojans. However, you can take precautions so that you are not completely unprotected online. A current antivirus program should be standard on every PC, and it is particularly important that it receives regular updates so that it can also detect the latest malware. Since we keep reporting on a particularly nasty Trojan variant, this report is intended to help less experienced users understand how this malware works and to give rough instructions on how to get rid of it.


As with all problems, the most important thing is: DON'T PANIC - everything will (mostly) be fine!

Around for several years now, a malicious Trojan family still manages to terrify unsuspecting PC users: the BKA/GEMA/Ukash/Paysafecard Trojan, in all its countless variants. We would like to cover it here as a representative example of Trojans of this kind.

Please note that viruses and Trojans come in all shapes and colours, so we cannot report in detail on every single piece of malware. This is only intended as a rough guide using the example of the “BKA Trojan”, which itself appears in countless variations. If the worst comes to the worst, a quick Google search for the exact wording of the lock screen usually turns up instructions for the specific variant.


WHAT DOES THE BKA TROJAN DO TO MY PC?

The good news: in the classic variant, actually nothing except blocking access to the PC, but that completely. Other variants, however, also encrypt your own data such as photos, music and documents. A fake notice from the police, or in other variants from GEMA or similar, is displayed claiming that illegal content such as banned images, videos or music has been downloaded and that the computer has therefore been blocked.

This is followed by the demand to “throw in” a little money, using a prepaid card such as UKASH or Paysafecard, which you are supposed to buy somewhere as quickly as possible. Please DO NOT respond to this: the police do not block computers and do not collect fines with prepaid cards.

NOTE: Malicious programs (here the Trojan) thrive on the user's uncertainty, so always react calmly and prudently!


HOW DID THIS TROJAN GET ON MY PC?

This question is easily answered: a file does not always contain what it says on the tin. The people who distribute Trojans use the old military tactic of camouflage and deception to get onto as many PCs as possible. A harmless music video, a fun game? All of these serve as bait to ruin the unlucky PC owner's day. Whether via email or via a so-called drive-by download, every security hole is used to distribute malware.

A user visits an infected website. In the background, a script on that page now checks the user's PC for installed programs with known security holes, typically the browser itself and its plugins such as Java, Flash or the PDF reader.

If the script finds such a security hole, malware is loaded onto the computer through it and becomes active either immediately or the next time the computer is started. All of this happens without any action on the part of the user, which is exactly why it is called a drive-by download.

It does not even have to be a website of a dubious nature: the malicious code can just as well arrive via an infected advertising banner on an otherwise reputable site.

NOTE: Every file and every link should be checked (automatically) in real time by a current antivirus program!

Emails from unknown senders should be viewed with a great deal of skepticism.

Have you received an invoice without having ordered anything, or have friends sent you cryptic or confusing emails with file attachments? Caution is advised here: the danger lies in the attachment (or in a link in the mail), so do not open it. If in doubt, delete the email unread, or ask the friend by phone whether they really sent it, because sender addresses are easily forged.


HOW DO I REACT CORRECTLY?

In order to get rid of the variants of the BKA/GEMA/Ukash Trojan, there are several options that can repair the “damage”, depending on the variant and version of the Trojan. Below we introduce the three most common approaches.

1. The rescue CD

A rescue CD loads its own, independent operating system (usually Linux-based) from the CD or a USB stick. This means you do not have to start Windows, which is blocked by the Trojan, so the lock screen never gets to run at all. If the PC does not boot from the CD, you may have to select it in the boot menu or change the boot order in the BIOS/UEFI settings.

After booting, the whole computer is usually scanned automatically and any virus/Trojan found is removed. Most rescue CDs download the latest virus signatures first if a network connection is available; let them, because an outdated rescue CD may simply not recognise a newer variant. Once the scan has completed, restart the PC and you should be able to work as usual again.

A rescue tool was developed specifically for the BKA Trojan, which removes the most common variants.

http://blog.botfrei.de/2012/12/hitmanpro-kickstart-kampf-der-ransomware/

Kaspersky provides a rescue CD specifically designed to combat variants of the BMI/BKA/GEMA/Ukash Trojan free of charge at this link:

http://support.kaspersky.com/de/viruses/solutions?qid=208641247

A rescue CD is offered by many different antivirus companies and not only helps with the BKA Trojan.

Here is a small selection:

Kaspersky: http://support.kaspersky.com/de/4162
Avira: http://www.avira.com/de/download/product/avira-rescue-system
AVG: http://www.avg.com/de-de/avg-rescue-cd

The ComputerBILD emergency CD also occupies a special position. It bundles various tools that are relatively easy to use even for inexperienced computer users. You can also find detailed instructions on many common problems on the ComputerBILD website.

http://www.computerbild.de/artikel/cb-Ratgeber-Software-Erste-Hilfe-Die-COMPUTER-BILD-Notfall-CD-3211486.html


2. System Restore with Windows CD

Another option is to restore the system using Windows' own on-board tools (System Restore). This works for at least some of the Trojan variants: System Restore rolls back system files and registry entries, including the autostart entry the Trojan uses to launch its lock screen, but it does not touch your own documents, so it cannot undo any encryption of your data.

This requires an installation CD of the Windows version in use, from which the computer is booted; on newer systems this role is usually taken over by a hidden recovery partition.

The procedure is as follows: the system is booted from the CD or the recovery partition and the recovery tools are started from there. Since you can inadvertently do a lot of damage to your system here, caution is advised. Please be sure to read carefully and, if you are unsure, compare the procedure and the entries with the description again. Instructions for the currently most common Microsoft operating systems are linked below.

For Windows XP/Vista, please read more here (Microsoft Support Center)

For Windows 7, please continue reading here (botfrei.de blog)

In many complete systems, as well as in newer laptops or netbooks, there is a hidden system partition that takes on the role of the installation CD. A special key must be pressed at the right moment while the computer is starting up. Since there is no uniform standard, manufacturers use different keys. It helps to watch the computer's startup screen closely, as a corresponding message is often displayed briefly; the PC's documentation or a quick Google search will also tell you the key.


3. To be on the safe side: Reinstall the operating system (experienced PC users only, please)

Although the BKA Trojan did not cause any significant damage in its earlier versions and was relatively easy to remove, it is always advisable, especially with other viruses and Trojans, to reinstall the system completely. Once malware has run on a PC, no scanner can guarantee that nothing has been left behind; a fresh installation is the only way to be sure.

This step removes any remaining malware on the PC - but should only be carried out by moderately experienced PC users.

The most important thing here is a backup of all private data:

  • Own files
  • Documents
  • Photos
  • Videos
  • Music
  • Letters
  • Emails
  • as well as a list of all the programs you use, your licence keys and your passwords, which should be backed up or kept ready.

Back up data files only (documents, pictures, media), not programs or anything executable, so that you do not carry the malware over to the fresh system, and scan the backup with an up-to-date antivirus program before copying it back.

The manufacturer's driver CD is also important. It is either included with the PC, located on a hidden system partition, or available as a free download from the manufacturer's website.

If you dare to set up your system from scratch, ComputerBILD offers simple step-by-step instructions.

A personal recommendation from me is to switch to the free operating system Linux. – Don’t worry, Linux has long been very easy to use. Although you have to say goodbye to your usual Windows programs, you still have an almost endless selection of programs in the vast Linux collection that perform the same functions and just look different. And all for free!

For those interested, here is a review of Linux Mint 15 (one of the many Linux distributions available). The video is in English, but there are numerous other videos in German.


HOW DO I PROTECT MYSELF IN ADVANCE?

Always keep your system up to date. Current updates to close security gaps are just as important as an up-to-date virus scanner and browser.

Chrome updates itself automatically; Firefox does so too by default, but for Firefox and other browsers you should check the help menu from time to time (e.g. Help > About) to see whether a more recent version is available.

Chrome and Firefox users can check the “plugins” Java, Flash and QuickTime on a Mozilla website:
https://www.mozilla.org/de/plugincheck/

All plugins shown with a yellow or red button urgently need to be updated. This is done by clicking on the respective button.

The “Get updates automatically” setting should also always be activated in Adobe Reader.

A quick online security check for outdated, security-relevant software on your computer is available here:
http://secunia.com/vulnerability_scanning/online/?task=load&lang=de
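As an added example (not from the article and not Mozilla's plugincheck code), here is how such a plugin check works in principle: the installed version of each plugin is compared, number by number, with the version currently known to be safe. This is also the check an exploit-kit landing page performs in reverse, as described in the drive-by section above, to pick an exploit that fits the outdated plugin it finds. The reference version numbers and the sample plugin list are constructed for this example and are not real release data; in a real browser the list would come from navigator.plugins and the reference versions from a vendor feed.

```javascript
// Added example, not part of the article or of Mozilla's plugincheck.
// Reference versions are CONSTRUCTED for this demo, not real release numbers.
const KNOWN_CURRENT = {
  'Shockwave Flash': '11.9.900.170',
  'Java Deployment Toolkit': '10.45.2.18',
  'QuickTime Plug-in': '7.7.4',
};

// "11.9.900.117" -> [11, 9, 900, 117]; tolerates suffixes such as "7.7.4 (r1234)"
function parseVersion(v) {
  const m = String(v).match(/\d+(?:\.\d+)*/);
  return m ? m[0].split('.').map(Number) : [];
}

// Numeric, component-wise comparison (returns -1, 0 or 1).
// A plain string comparison would wrongly rank "9.0" above "11.9".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0; // missing trailing parts count as 0
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// 'outdated' corresponds to the yellow/red buttons on the plugincheck page
function checkPlugins(installed) {
  return installed.map(({ name, version }) => {
    const current = KNOWN_CURRENT[name];
    if (!current) return { name, version, status: 'unknown' };
    const status = compareVersions(version, current) < 0 ? 'outdated' : 'current';
    return { name, version, status };
  });
}

function outdatedNames(installed) {
  return checkPlugins(installed).filter((p) => p.status === 'outdated').map((p) => p.name);
}

// Constructed stand-in for navigator.plugins, which only exists inside a browser
const SAMPLE_PLUGINS = [
  { name: 'Shockwave Flash', version: '11.9.900.117' },
  { name: 'Java Deployment Toolkit', version: '10.45.2.18' },
  { name: 'QuickTime Plug-in', version: '7.7.4 (r1234)' },
  { name: 'Some Vendor Widget', version: '1.0' },
];

for (const p of checkPlugins(SAMPLE_PLUGINS)) {
  console.log(`${p.name.padEnd(24)} ${p.version.padEnd(16)} ${p.status}`);
}
```

The only non-obvious part is the comparison: version strings must be split into numbers, because as plain strings "9.0" sorts after "11.9" and an old plugin would be reported as current.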

In addition to having up-to-date software, it helps not to surf with scripts (JavaScript) activated by default. On unknown websites, scripts then have to be explicitly allowed first, and the extension shows which domain each script comes from, so the decision can be made per domain. For example, if I want to allow the scripts on Stern.de, I will still not allow the domain boesemalware.ru.cc, even if it has been smuggled onto that website, say via an advertising banner.

The browser extensions required for this can be found here:

Chrome – ScriptNo
https://chrome.google.com/webstore/detail/oiigbmnaadbkfbmpbfijlflahbdbdgdf

Firefox – NoScript
https://addons.mozilla.org/de/firefox/addon/noscript/
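As an added example (not part of the article, and not code from NoScript or ScriptNo), here is how a per-site script allowlist of the kind described above decides which scripts may run. The decision is made on the registrable domain of each script's origin, so www.stern.de and cdn.stern.de both count as the site "stern.de", while a naive suffix match that would also let evilstern.de through is avoided. The public-suffix entries, the page URL and the script list are constructed for this example; a real implementation would use the full Public Suffix List and the script tags actually found in the page.

```javascript
// Added example, not part of the article and not code from NoScript or ScriptNo.
// A CONSTRUCTED subset of the Public Suffix List; a real implementation loads the full list.
const PUBLIC_SUFFIXES = new Set(['com', 'de', 'cc', 'ru.cc', 'co.uk']);

// Registrable domain ("site") of a hostname:
//   "cdn.www.stern.de"   -> "stern.de"
//   "boesemalware.ru.cc" -> "boesemalware.ru.cc"  (ru.cc treated as a public suffix here)
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i).join('.');
  }
  return hostname.toLowerCase();
}

// Decide for a single <script src> whether it may run on the page.
// Relative URLs are resolved against the page URL, as the browser would do.
function decideScript(pageUrl, scriptSrc, allowedSites) {
  let src;
  try {
    src = new URL(scriptSrc, pageUrl);
  } catch {
    return { src: scriptSrc, site: null, allow: false, reason: 'unparseable URL' };
  }
  if (src.protocol !== 'http:' && src.protocol !== 'https:') {
    // javascript:, data: and similar schemes have no site that could be allowlisted
    return { src: src.href, site: null, allow: false, reason: `scheme ${src.protocol} not allowed` };
  }
  // Exact match on the registrable domain: allowing "stern.de" covers www/cdn.stern.de
  // but never "evilstern.de", which a naive endsWith("stern.de") check would let through.
  const site = registrableDomain(src.hostname);
  const allow = allowedSites.has(site);
  return { src: src.href, site, allow, reason: allow ? 'site allowed' : 'site not allowed' };
}

function filterScripts(pageUrl, scriptSrcs, allowedSites) {
  return scriptSrcs.map((s) => decideScript(pageUrl, s, allowedSites));
}

// Constructed sample: a page on stern.de with its own scripts plus injected third-party ones
const SAMPLE_PAGE = 'https://www.stern.de/artikel/12345';
const SAMPLE_SCRIPTS = [
  '/js/app.js',
  'https://cdn.stern.de/lib/jquery.js',
  'http://boesemalware.ru.cc/inject.js',
  'https://evilstern.de/tracker.js',
  'javascript:alert(1)',
];
const ALLOWED_SITES = new Set(['stern.de']); // what the user clicked "allow" for

function allowedScriptUrls(pageUrl = SAMPLE_PAGE, scripts = SAMPLE_SCRIPTS, allowed = ALLOWED_SITES) {
  return filterScripts(pageUrl, scripts, allowed).filter((d) => d.allow).map((d) => d.src);
}

for (const d of filterScripts(SAMPLE_PAGE, SAMPLE_SCRIPTS, ALLOWED_SITES)) {
  console.log(`${d.allow ? 'ALLOW' : 'BLOCK'}  ${d.src}  (${d.site ?? '-'}: ${d.reason})`);
}
```

Two details matter in practice: the allowlist is keyed on the registrable domain rather than on a string suffix, and anything that is not an http(s) URL is refused outright, since there is no domain the user could have meant to allow.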


Other rules:

  • If possible, surf only with a restricted (standard) user account, not as an administrator. Malware that slips in through the browser then has no administrator rights either.
  • Keep your antivirus software current.
  • Use a firewall, if possible a hardware one in the router, and leave the Windows Firewall enabled.

We now have to advise deactivating Java in the browser or uninstalling it completely.
Unfortunately, security holes in Java have repeatedly appeared recently, and they often remain open for a long time. If you need Java for a specific website (e.g. Eventim, DHL Online-Porto, etc.), only activate it for the duration of use on that one site and do not surf to other sites during that time.

If you are also running a current version of brain.exe (http://brain.yubb.de/), the risk should be limited. However, the following still applies:

Think first – then click

Collaborative contribution from Hans-Christian Singhuber of aSYS, as well as from Markus, Rüdiger and Sebastian of ZDDK.

Notes:
1) This content reflects the state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic.
2) Individual contributions were created with the use of machine assistance and were carefully checked by the Mimikama editorial team before publication.