This one attempts to steal victims' money by bullying them to pay a "pre-trial settlement" to cover a "Copyright holder fine".
The victim is informed that an "Antipiracy foundation scanner" has found illegal torrents from the system. If he won't pay $400 (via a credit card transaction), he might face jail time and huge fines.
And the warnings will not go away. They will reappear every time the user reboots his system.
All of this is completely fake. There is no "ICPP Foundation", and the messages will appear even if the system contains no illegal material whatsoever.
Most importantly: Refuse to pay money to these clowns! If people pay them, the problem will only grow bigger.
The group behind this have even set up an official-looking website at icpp-online.com.
The domain is registered to Mr. "Shoen Overns". The same e-mail address ovenersbox@yahoo.com has been seen before in various other domains, connected to Zeus and Koobface scams.
If you click on the Reports shown by the application, you'll end up on pages such as these:
We tried calling the (Italian) phone number listed on the page: +39 (06) 9028 0658. Unsurprisingly, it goes nowhere.
These pages are hosted at 91.209.238.2, which according to WHOIS belongs to EBUNKER-NET, a "High protected Somalia network". It's running in Moldova.
This is what the payment page looks like:
There is no obvious credit-card payment system connected to the site; they just seem to collect the credit card information.
If you are hit by this trojan, DO NOT PAY. Instead, use an antivirus program that is capable of detecting it to remove the trojan. F-Secure Antivirus detects it as Rogue:W32/DotTorrent.A. You can use our free Online Scanner at ols.f-secure.com to check your system.
The malware is typically located in c:\documents and settings\USERNAME\application data\IQManager\iqmanager.exe. We've seen two versions so far. MD5 hashes of them are cedc2c35bf967027d609df13e937946c and bca3226cc1cfea416c0bcf488082e5fd.
