The malware, which Avira identifies as TR/Ransom.CardPay.A, uses an interesting variation on the scareware tactic commonly employed by rogue anti-virus vendors to shock people into paying for fake anti-virus tools. This software searches for torrent files on the victim's computer.
A torrent file is a small file used to point a BitTorrent client to a tracker server, which then directs it to other clients hosting pieces of large files. Torrent networks are commonly used to distribute large files such as long videos, software packages, and disk images, many of which could represent copyrighted content. Even if no torrent files are found on the victim's machine, the malware still displays a warning, purporting to be from the ICPP Foundation, a fake law firm supposedly assisting intellectual property rights holders to enforce their copyright.
The message invites victims to pay an out-of-court settlement to avoid a lawsuit, taking them to a web page (now down), which asked them to enter their credit card details. "The site is forged and it clearly serves only to collect credit card data, which is meant to be profitably sold to the criminal underground," Avira said.
The introductory text used on the now-defunct fake site was stolen from the website of a real legal firm called ACS:Law. According to an analysis by F-Secure, the domain for the site was registered to an email address seen before in various other domains connected to the Zeus and Koobface botnets. F-Secure detected two pieces of malware using this extortion technique and linking to the website. At the time of writing, VirusTotal suggested that only 75% of anti-malware tools caught those malware strains, indicating that even though the web page was only up for a few days, it is likely to have been highly effective.