Getting rid of the Buma Stemra ransomware malware


For about a week now a new Dutch version of a ransomware family has been active in the Netherlands. The malware claims to come from Buma Stemra, but of course has nothing to do with the real Buma Stemra. It takes over the system by registering itself to start in place of explorer.exe (see the Winlogon values in step 4), so as soon as the system starts the malware is loaded instead of the normal Windows environment. The malware further disables editing the registry, the Task Manager and every other way of getting access to the system. Once infected you cannot access your own system anymore; the only thing it will do is show the screen below.

[Screenshot: the lock screen shown by the Buma Stemra malware]

Some news coverage of this malware can be found on WebWereld, and a nice overview of how to get rid of it can be found on pcwebplus.nl. The pcwebplus.nl approach involves starting your system from the Kaspersky boot CD, which is a good approach, but it requires you to download the boot CD and burn it. The approach described in this article is largely based on the one on pcwebplus.nl, but it shows a way of cleaning your system without booting from a CD. It has been tested on Windows XP; the approach for Windows 7 can be found here. At the end of this page there is a video showing all the steps.


Step 1: Get access to an explorer window

To break out of the malware’s grip we first need some kind of explorer window. One way to get one is through a print pop-up: press Ctrl-P, or select some text on the lock screen and press the right mouse button; the pop-up then offers to print the selected text. In the print pop-up select the print to file option and press Print, which opens an explorer window. The Ctrl-P option can take a while to appear, and pressing it a couple of times won’t hurt, but the select-text option seems to work a bit better.

The following screenshots show the steps to take.

Step 2: Replace the malware

With the file browser window shown above we have (crippled) access to our machine again. The next step is to replace the malware file: we copy explorer.exe and rename the copy to the malware’s file name, so that on the next boot the system runs explorer.exe instead of the malware. To replace the malware, go through the following steps:

  1. Browse to C:\Windows\
  2. Type *.exe in the File name field
  3. Select explorer.exe
  4. Copy the file by pressing Ctrl-C (the right mouse button doesn’t work very well in this window)
  5. Browse to the “Application Data” directory of the current user
    (for Administrator user: C:\Documents and Settings\Administrator\Application Data\ )
  6. Paste the copied explorer.exe file by pressing Ctrl-V
  7. Rename the malware file; just adding an underscore behind it will be enough
  8. Rename the copied explorer.exe file to the malware file name
  9. Reboot

Since we have no access to the Shutdown controls, hold the power button of the system for 7 seconds to turn it off, then turn the machine back on.

The following screenshots provide some more information to the above named steps.



Step 3: Enable RegEdit

After the reboot we get slightly less crippled access to the system. However, there are still quite a few steps to take before we can use Windows normally again. The next step is to regain access to the Registry. The malware blocks RegEdit, and thus also prevents us from running .reg files; to enable RegEdit again we need to change the Registry, so it seems we are stuck. However, the Registry can still be changed from other programs or scripts. To enable RegEdit again we create a small VBS script that resets the registry value with which RegEdit is blocked. The steps to do this are:

  • Create a new file with  Right mouse button New –> Text Document
  • Name the file fix.vbs
  • Edit the file and add the following line to it; it must be a single line in the file:
 WScript.CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
  • Save and run the file by double clicking it.

The following screenshots provide some more information to the above named steps.


Step 4: Get full access to Windows

After running the VBS file we can access the Registry again with RegEdit. You can start RegEdit by browsing to the C:\Windows directory and double clicking regedit.exe.

Using RegEdit, DELETE the following registry values:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VX2bt1oYNKCLnkO
  • HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
  • HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\VX2bt1oYNKCLnkO

Then CHANGE the values under each of the following keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Change the value of “Userinit” to “C:\Windows\System32\Userinit.exe,” (including the trailing comma)

Change the value of “Shell” to “Explorer.exe”


With different versions of the malware the Registry locations might differ from those shown above. The best way to find any remaining registry entries set by the malware is to search the Registry for the malware’s file name.
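The registry work of steps 3 and 4 can also be done in one go with a single script, which is handy because RegEdit and .reg files are blocked at that point. The script below is an added example and not part of the original article; it assumes the Run value name quoted above (VX2bt1oYNKCLnkO) and the hives named in step 4, and it reports the old Shell and Userinit values before overwriting them, since a path into Application Data there is the malware file.

```vbscript
' Added example (not from the original article): fix.vbs that undoes the
' registry changes from steps 3 and 4. Save it as fix.vbs and double-click it
' from the explorer window, like the one-line script in step 3.
' Assumption: runName is the Run value name quoted in this article; other
' variants use other names, so search the Run keys for the malware file name.
Option Explicit
Dim sh, hive, base, runName, oldShell, oldUserinit, report
Set sh = CreateObject("WScript.Shell")
runName = "VX2bt1oYNKCLnkO"
report = ""

' Step 3: policies the malware sets; 0 re-enables RegEdit, Task Manager and the desktop.
sh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
sh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 0, "REG_DWORD"
sh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop", 0, "REG_DWORD"

' Step 4: restore the logon chain (Winlogon starts Userinit, Userinit starts
' Explorer) in both hives and drop the malware's Run entry.
For Each hive In Array("HKCU", "HKLM")
    base = hive & "\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
    oldShell = "(not set)"
    oldUserinit = "(not set)"
    On Error Resume Next   ' RegRead and RegDelete raise an error when the value is absent
    oldShell = sh.RegRead(base & "Shell")
    oldUserinit = sh.RegRead(base & "Userinit")
    sh.RegDelete hive & "\Software\Microsoft\Windows\CurrentVersion\Run\" & runName
    On Error GoTo 0
    report = report & hive & " Shell was: " & oldShell & vbCrLf
    report = report & hive & " Userinit was: " & oldUserinit & vbCrLf
    sh.RegWrite base & "Shell", "Explorer.exe", "REG_SZ"
    sh.RegWrite base & "Userinit", "C:\Windows\System32\Userinit.exe,", "REG_SZ"
Next

' One message box with the old values, so the malware file path is on record.
WScript.Echo report & "Registry restored. Reboot via Task Manager (Ctrl-Shift-Esc) as in step 4."
```

Run it after step 2 has replaced the malware file; if the old values point at a file name other than the one in Application Data, search the Registry for that name as well.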

After all these changes, reboot the system: bring up the Task Manager (which is enabled again now) with Ctrl-Shift-Esc, then choose Shut Down and then Restart.

Step 5: Clean your system

After the reboot you have full access to the system again. Your Desktop will still be empty, however; to get the Desktop items back, click the right mouse button on the desktop and select Arrange Icons By and then Show Desktop Icons.

The next thing to do is scan your whole system for any remaining malware. Microsoft Security Essentials, for example, recognizes this specific malware since March 2, 2012, so it should be able to remove the malware files. I would still recommend a full reinstall of the system after you have recovered all your data; malware often does not come alone. Since the malware might have infected your system through a drive-by download, it makes sense to make sure all your software is up to date (pay special attention to Windows Update, Adobe Flash, Adobe PDF Reader and Java). This might also be a good moment to start thinking about creating some backups 😉


Video of the whole process


Update May 2012

It seems that the malware is now targeting other countries besides the Netherlands as well; it now also pretends to be from the following parties:

  • SUISA (Switzerland)
  • GVU (Germany)
  • AKM (Austria)
  • PRS (United Kingdom)
  • SACEM (France)

More info can be found on abuse.ch: http://www.abuse.ch/?p=3718


62 Comments

  • Claire
    23/06/2012

    Same here! Can’t get to the print popup! I did notice that when my internet connection is off, you have full access to the computer. But when I scanned it with McAfee, there were no viruses! And I can’t follow your steps then, because there seems to be no malware file in application data.. Help me!

  • Shan
    29/06/2012

    Thanks for this guide Thice! Okay a few things. I got the UK version which is “PRS For Music” and “Metropolitan Police” logos but otherwise identical.

    1. If you do not have “Show hidden folders enabled” you will get stuck at step 5.

    2. This version of the malware/virus disables the keyboard so you cannot rename the virus file (step 6)

    3. The easiest way I accessed to defeat this was to download “Hirens Boot CD 15.1” which is a 500Mb freeware download and burn it to a CD and since it is a bootable CD – it runs at startup. It has a great Windows XP Mini mode, so it looks like you are running XP. With that I was able to get to the Application Data folder to see the virus and rename it. But the brilliant thing was that this Boot CD comes with Malwarebytes Anti-Malware and SUPERANTISPYWARE pre-installed on it – so you can run those and clean the virus. In fact the boot CD even connects to the net and allows the latest definitions to be downloaded.

    I never ever used a recovery boot CD before, because in the past, most viruses/malware were disabled in SAFE MODE so once you are in SAFE MODE, it is easy to clean by running Malwarebytes Anti-Malware and SuperAntiSpyware. But because this virus also runs in SAFE MODE – it’s difficult to defeat. This boot CD saved me a lot of trouble. Try this method if you are really stuck – it worked for me!

    Also guys remember – this happened because of a vulnerability in JAVA so once you finish cleaning up your PC, please update your JAVA to the latest version.

  • soytjuh
    16/08/2012

    The latest version of this malware is not detected by Kaspersky rescue usb. Or avira.. or superantispyware.. or anti malwarebytes..

  • Roland
    22/08/2012

    I managed to get rid of the Dutch version by unplugging the internet cable, and starting in safe mode (windows 7).
    After that I restarted and shut down manually before my pc could load windows (or the malware). After 3 or 4 times, windows 7 will proceed to run system repair automatically. You will be able to load a system status from before you encountered this malware.
    Worked for me! Of course I updated my antivirus and spyware programs after that, and started a thorough search. (avast free and spybot) Good luck.

  • maart
    28/08/2012

    …the described approach doesn’t work with my version of the virus… Ctrl-p won’t open a window and using the mouse produces only a short blink of any options which disappear at once…

  • Peter
    01/09/2012

    I looked for “Hirens boot cd 15.1” but my virus program gives me a warning that the sites where I can download it are not safe. I can’t get rid of the Dutch version because I can’t find any malware files. I use windows xp

  • Peter
    01/09/2012

    oh and I can’t start my comp in safe mode. And when I start my comp with unplugged internet cable the malware program isn’t there, after I plug the cable in my comp is hijacked again and nothing works, even the print option. @Peter

  • Peter
    03/09/2012

    I was able to install Norton 360 and it got rid of the ransom malware

  • Nico
    27/09/2012

    The described process worked for me, thanks!
    Although the named locations in the registry were sometimes not exactly the same. But with a search on the malware name I was able to find them and delete them.
    Great !

  • Luke H
    24/03/2013

    I realise this is a bit late onward and it will have gone now but I fixed it just by going to a repair shop and that took about a month.

    Luke H
