A forum for reverse engineering, OS internals and malware analysis 

 #22186  by maddy
 Tue Feb 11, 2014 3:43 am
Hey,

Look at this fake Microsoft Security Essentials,
dropped in %AppData%:

Protector-ogxv.exe
Protector-htre.exe
Protector-ouuh.exe
Protector-cwnr.exe

guard-nrbt.exe
guard-htnd.exe
guard-ilud.exe
guard-fmrt.exe

proto-ortd.exe
proto-bles.exe
proto-godd.exe
proto-plop.exe

safe-dnfg.exe
safe-werj.exe

protectkonm.exe
protectbdlt.exe
protectbqpo.exe

svc-hmds.exe
svc-mdqs.exe
 #22372  by bitstechs
 Fri Mar 07, 2014 1:46 am
Anyone else have the latest variants of this virus? I'm trying to hunt for them but it's rough. Malwarebytes' forums have tons, but I've yet to get invited into their malware hunter group.
 #22451  by Ormu
 Thu Mar 13, 2014 6:41 pm
Cody Johnston wrote:
dairu87 wrote: It also dumps around 10-12 randomly named .exe's into the syswow64 directory.
Please share what you find if you come across this again. A sample of each exe from %appdata% and syswow64/system32 will work. A screenshot and VirusTotal scan would be very helpful for us as well. Use the first 2 posts in this topic as an example. Many times with rogues the exe that runs the UI acts also as a dropper, so you may in fact have found a dropper already. Thanks! :)
Ok, this is probably a different one but I remember some fake-AVs that create dozens or hundreds of small (empty?) .exe files in the system directories to be used as their "targets". They were named like those identification names used by real AVs, such as "W32.Trojan873426.exe" so when the victim sees them he thinks they are real. I think "SoftSoldier" was one of the fake AV programs that did this.
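As an added defender-side example (not code posted in this thread or by any of its participants), the Python script below turns the two behaviours described above into a triage check over a directory listing: the naming pattern from the first post (a fixed prefix such as Protector-, guard-, proto-, safe-, svc- or protect followed by four random lowercase letters and .exe) and Ormu's note about rogues planting empty .exe decoys named like AV detection labels. The regexes and the sample listing are constructed assumptions generalised from the filenames on the page, and the decoy pattern adds win32 alongside the W32 prefix shown; point scan_directory at a real %AppData% or system directory to run it for real.

```python
import os
import re
from typing import Iterable, List, Optional, Tuple

# Naming pattern reconstructed from the filenames listed in the first post:
# a fixed prefix plus four random lowercase letters. The hyphenated prefixes
# (Protector-, guard-, proto-, safe-, svc-) and the unhyphenated "protect"
# are exactly the ones on the page; nothing beyond that is assumed.
ROGUE_NAME_RE = re.compile(
    r"^(?:(?:protector|guard|proto|safe|svc)-[a-z]{4}|protect[a-z]{4})\.exe$",
    re.IGNORECASE,
)

# Decoy "targets" named like AV detection labels (page example:
# W32.Trojan873426.exe). The shape is an assumption generalised from that one
# name: family token, dot, alphabetic detection name, digits, ".exe".
DECOY_NAME_RE = re.compile(r"^(?:w32|win32)\.[a-z]+\d+\.exe$", re.IGNORECASE)


def classify(name: str, size: int) -> Optional[str]:
    """Label a (filename, size) pair, or return None if it looks benign."""
    if ROGUE_NAME_RE.match(name):
        return "rogue-dropper-name"
    # Decoys are only interesting when they are empty: a real detection-named
    # file in a quarantine folder would have content.
    if size == 0 and DECOY_NAME_RE.match(name):
        return "empty-decoy-target"
    return None


def triage(entries: Iterable[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Run classify over (filename, size) pairs and return only the hits."""
    hits = []
    for name, size in entries:
        label = classify(name, size)
        if label:
            hits.append((name, label))
    return hits


def scan_directory(path: str) -> List[Tuple[str, str]]:
    """Triage the files directly inside a real directory; empty if it is absent."""
    if not os.path.isdir(path):
        return []
    entries = []
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False):
            entries.append((entry.name, entry.stat(follow_symlinks=False).st_size))
    return triage(entries)


# Constructed sample listing (not taken from a real machine): posted names,
# one decoy-style empty file, and benign entries that must not be flagged.
SAMPLE_LISTING = [
    ("Protector-ogxv.exe", 412_000),
    ("protectkonm.exe", 398_000),
    ("svc-mdqs.exe", 401_000),
    ("W32.Trojan873426.exe", 0),
    ("W32.Trojan873426.exe.bak", 0),   # wrong extension, not flagged
    ("svchost.exe", 1_000_000),        # legitimate name shape, not flagged
    ("guard-ab.exe", 5_000),           # only two random letters, not flagged
    ("update.log", 0),                 # empty but not an .exe
]

if __name__ == "__main__":
    for name, label in triage(SAMPLE_LISTING):
        print(f"{label:22} {name}")
    appdata = os.environ.get("APPDATA")  # only set on Windows
    if appdata:
        for name, label in scan_directory(appdata):
            print(f"{label:22} {os.path.join(appdata, name)}")
```

The check is deliberately narrow: a hit means the name shape matches what this thread reports, not that the file is malicious, so treat output as a lead for pulling the sample and submitting it as the earlier posts ask.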
 #22523  by thisisu
 Sat Mar 22, 2014 8:03 pm
Credits to BornSlippy for posting these on MBAM forums. Just wanted to share with others that want to experiment as well. ;)

Password is infected
Attachments:
Windows Defence Master (1.01 MiB)
Windows Pro Defence Kit (1.15 MiB)
Windows Antivirus Patrol (1.18 MiB)