A forum for reverse engineering, OS internals and malware analysis 

Rogue Antimalware (FakeAV, 2010 year)

Forum for analysis and discussion about malware.
 Topic locked

Re: Rogue.Digital Protection (+Added TDSS)

 #676  by EP_X0FF
 Tue Apr 13, 2010 4:15 am
Hi Ade,

thanks for the sample.

It is downloading Digital Protection executable from 91.212.127.19.

Seems to be previously this crap was named "Malware Defense". Looks like parody on NOD32 lol.

It contains dll that performs hooking (splicing method) of CreateProcessW function in explorer.exe
Replaces standard Windows Security Center with it's own fake.

Image
Image

Keeps connection with ns.km30339.keymachine.de

Digital protection folder :)
Size 7.35 Mb, with some mp3 files.
pass: malware

http://www.megaupload.com/?d=DX9BBM00

Antivirus Suite

 #683  by NOP
 Tue Apr 13, 2010 1:45 pm
Antivirus Suite

Drops to App Data\[7randomchars]\[same7randomchars].exe

Image

Packed with a custom packer and UPX.
Attachments
Pass: infected
(550.9 KiB) Downloaded 200 times
Last edited by EP_X0FF on Sat Apr 16, 2011 3:32 am, edited 3 times in total. Reason: Screenshot has been resized to be more accurate

Antivirus Plus

 #702  by EP_X0FF
 Wed Apr 14, 2010 6:22 am
Antivirus Plus

VirScan (downloader)
http://virscan.org/report/5d186b14ac8f1 ... 5eefb.html

VirScan (payload dll)
http://virscan.org/report/1a37c7e17e0b2 ... edd3e.html

GUI
Image

RegisterMe dialog
Image

Start itself through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as rundll32.exe c:\documents and settings\<user name>\application data\antivirus plus\antivirus plus.1.dll

FakeAV downloader and its payload AntivirusPlus dll in attach, enjoy :)
Attachments
pass: malware
(2.48 MiB) Downloaded 197 times

XP Security Tool

 #747  by EP_X0FF
 Fri Apr 16, 2010 5:21 am
XP Security Tool
(reincarnation of Xp Defender)

VirScan
http://virscan.org/report/4d392b2743665 ... 445c7.html

Jotti
http://virusscan.jotti.org/en/scanresul ... 7572a2a26d

Behavior the same :)

Image

Removal: terminate fakeav process, locate and eradicate executable, usually stored inside X:\Documents and settings\<user name>\Local Settings\Application Data as executable file with hidden file flag set.
Attachments
pass: malware
(157.71 KiB) Downloaded 155 times

Re: Rogue antimalware (FakeAV, FakeAlert)

 #750  by NOP
 Fri Apr 16, 2010 3:37 pm
Had that yesterday, but was called XP Smart Security, reinfected and got the name above. Name seems to vary, a friend of mine's girlfriend got infected with it but it was called Vista Security Tool.

See what I mean here. The same loader(a PPI one) executed 3 times in as many minutes gave me 3 different window titles.

http://i40.tinypic.com/2ed2vdu.png
http://i40.tinypic.com/2cibvaq.png
http://i44.tinypic.com/k1s4zb.png

Re: Rogue antimalware (FakeAV, FakeAlert)

 #893  by EP_X0FF
 Mon Apr 26, 2010 3:08 pm
I believe this is the same hxxp://globalinformationsecurity.com/buy.html

Image

As well as:

PC Care Live
Your Security
Your Security Plus
Live PC Antispyware
Global Information Security

Antivirus 7

 #972  by EP_X0FF
 Sun May 02, 2010 4:53 am
Antivirus 7

Image

Fake AV with built-in robot powered chat :) Written in CodeGear RAD Studio.

Has aggressive behavior - terminates all starting applications as "infected" (timer with windows scan).

VirusTotal
http://www.virustotal.com/ru/analisis/0 ... 1272774609
http://www.virustotal.com/ru/analisis/2 ... 1272775807

GUI
Image

Bot powered chat
Image

Detection
Image

Download and installs itself to X:\Program Files\AV7 (X - system disk letter)

Set itself to autorun via HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.

Removal - boot into safe mode and remove startup registry entry along with executable. Or use something with self-protection against termination. Fake av is trying to inject remote threads in starting applications.
Attachments
fake av itself, pass: malware
(1.2 MiB) Downloaded 224 times
dropper, pass: malware
(111.15 KiB) Downloaded 224 times

AKM Antivirus 2010

 #991  by EP_X0FF
 Wed May 05, 2010 11:43 am
AKM Antivirus 2010

VirusTotal dropper
http://www.virustotal.com/analisis/aa5b ... 1273059734

additional components
http://www.virustotal.com/analisis/22e0 ... 1273059803
http://www.virustotal.com/analisis/f9d2 ... 1273059813

Aggressive behavior - terminates starting applications as "infected".

Drops "svchost.exe" to C:\Program Files\, then starts main executable from C:\Program Files\AKM Antivirus 2010 Pro folder.
svchost.exe has guard abilities - it restarts fake av, if it was terminated and fool users because it is nearly impossible to find it in taskmanager.
Replaces security control center with it own HTML-based fake.

Set itself to autorun as service AdbUpd
Additionally set itself to start as handler of Executable files - HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
C:\Program Files\alggui.exe "%1" %*

So without cleaning registry this fake av is dangerous to remove.

GUI
Image

Detections
Image

"Support"
Image
Attachments
additional files, pass: malware
(205.28 KiB) Downloaded 118 times
pass: malware
(985.52 KiB) Downloaded 138 times

Security Central

 #1019  by NOP
 Fri May 07, 2010 11:22 am
Security Central

Image

Installs to %Program Files%\Security Central\Security Central.exe

Runs via HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run "Security Central" %Path%

Terminates any process that doesn't have a system name(svchost.exe, etc).

Removal: Copy taskmgr anywhere and rename to svchost.exe, kill Security Central.exe and delete the file from disk, open regedit and delete the registry key.
Attachments
Password: infected
(885.02 KiB) Downloaded 128 times
Last edited by EP_X0FF on Sat Apr 16, 2011 3:29 am, edited 2 times in total. Reason: Screenshot has been resized to be more accurate
 Topic locked
  • 1
  • 2
  • 3
  • 4
  • 5
  • 8
 Return to “Malware”