A forum for reverse engineering, OS internals and malware analysis 

 #1705  by EP_X0FF
 Fri Jul 30, 2010 3:57 pm
This malware starts an additional thread, which performs delayed scanning of all running processes.
It makes a first snapshot - this is the white list, so before running the sample start everything you need to investigate its behaviour.
Then after a few seconds it takes the next snapshot - if any new processes are found, the malware tries to terminate them.
For creating snapshots the malware uses WMI.
 #1707  by Jaxryley
 Sat Jul 31, 2010 12:44 am
Thanks for the info and checking it out EP_X0FF. :)

Yes, you can open Task Manager before installing the rogue and it will stay open, or renaming any exe to firefox or opera should allow it to run with this rogue active.
 #1712  by Quads
 Sat Jul 31, 2010 8:12 am
Jaxryley wrote: Thanks for the info and checking it out EP_X0FF. :)

Yes, you can open Task Manager before installing the rogue and it will stay open, or renaming any exe to firefox or opera should allow it to run with this rogue active.
Had a PC with this rogue on approx 2 weeks ago; the PC was Windows 7.

I renamed the Hijackthis executable to "iexplore.exe", ran Hijackthis, killed the processes and the O4 run entries; worked.

Then mopped up the rest afterwards with MBAM, as it can now run.

Quads
 #1724  by Jaxryley
 Sat Jul 31, 2010 1:56 pm
Hi Quads, you can rename mbam.exe within the Malwarebytes program folder to iexplore.exe/firefox.exe/opera.exe and it should run with Antivir Solution Pro active.

Another exe killer is Security Tool, and it can still kill exes even when the "Windows Management Instrumentation" service is set to stopped/disabled before installing.

Renaming to opera.exe doesn't work, but iexplore and firefox still work.

I think the same mob make both rogues?
Pass: infected
 #1735  by Quads
 Sat Jul 31, 2010 11:14 pm
Jaxryley wrote: Hi Quads, you can rename mbam.exe within the Malwarebytes program folder to iexplore.exe/firefox.exe/opera.exe and it should run with Antivir Solution Pro active.

Another exe killer is Security Tool, and it can still kill exes even when the "Windows Management Instrumentation" service is set to stopped/disabled before installing.

Renaming to opera.exe doesn't work, but iexplore and firefox still work.

I think the same mob make both rogues?
Security Tool.rar
I know, but it takes too long if I have a PC to repair (not mine) that doesn't have the likes of MBAM installed, so I use my pre-named copy of Hijackthis, run that to disable the rogue, and remove anything else bad found in the list, BANG BANG.

Then I can install programs without being blocked or impeded in any way, so no double renaming is required (once just to get a program installed).

Can't be bothered with longer ways.

Quads
 #2657  by CloneRanger
 Mon Sep 06, 2010 2:12 pm
Windows AV scanner

I found various www's all hijacked with redirects to - hxxp://gnevonotole.servequake.com/main.php

Scanner results : Scanners did not find malware! - http://virscan.org/report/ef7fdc3c835c7 ... d963f.html

The scroll bar actually worked with this rogue !

Funny, I don't even have Windows Defender installed :P

Zip PW = infected
Last edited by EP_X0FF on Sat Apr 16, 2011 6:22 am, edited 1 time in total. Reason: Screenshots have been resized to be more accurate
 #2663  by CloneRanger
 Tue Sep 07, 2010 12:06 am
Whoever moved it here, thanks ;) Edit: I see EP_X0FF did ;)

@ tomatto007

Yes it's probably from the same stable, but a new variant.

@ DragonMaster Jay

Hi, I think the discrepancies between detects "might" be due to time differences? When I scanned again later I got detects.

Also there "may" be different scan engine versions etc. being used by VT & VO?

Anyway, I enabled Shadow Defender and ran it. Apart from one autostart entry I couldn't see anything else of note, and absolutely nothing running at all? GMER found rootkit behaviour, but this could be due to SD? I wasn't able to restart and see what might happen as SD was set to delete on shutdown. RkU v.508 failed to launch? After which scvhost.exe went to 50%.

HMPro detected the install file on my desktop, but nothing else! I didn't expect Avira to detect etc. as it's not in their defs yet. Not a peep from Prevx?

Weird, what is this rogue "supposed" to do? As it is on my comp anyway, it doesn't appear to do anything nasty?
 #2667  by EP_X0FF
 Tue Sep 07, 2010 8:16 am
PC Defender v2

Fake antivirus, displaying detection windows with pr0n pictures (they are all in the HTML section of the resources ;))
Contains a special part for killing tools like Process Explorer; x64 compatible.

Seems to be a new release from Misha, script-kiddie author of the previous PC Defender (see post 1 of this thread). GUI truly redesigned.

Also it displays a fake Blue Screen of Death, LOL

dropper installation
http://www.virustotal.com/file-scan/rep ... 1283847235

fake av itself
http://www.virustotal.com/file-scan/rep ... 1283847261

Runs itself from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit key.

During installation it sets up a special service to force Windows to reboot after a few seconds.

Pics! :)
"BSOD" source code
<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script type="text/javascript" src="init.js"></script>
</head>

<body style="margin:0px; background-color:#000084; color:#FFFFFF; cursor:url('BSOD.cur'); font-family:Lucida Console; font-weight:100; font-size:26;">
<span id="mainSpan">
A problem has been detected and Windows has been shut down to prevent damage to your computer.
<p></p>
The problem seems to be in your antivirus software.
<p></p>
ERROR_UNREGISTERED_VIRUS_PROTECTION_SOFTWARE
<p></p>
If this is the first time you've seen this Stop error screen AND you already registered your "PC Defender" software, restart your computer.
<p></p>
If problem continues, register your "PC Defender" software or contact service center.
<p></p>
Technical information:
<p></p>
*** STOP: 0x00C30FF5 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000)
<p></p>
*** SECUR32.DLL - Address 0xFBFE7617 base at 0xFBFE7617, Datestamp 4e4cca30
</span>
<script type="text/javascript" language="javascript">
var w = screen.width;
document.getElementById('mainSpan').style.width = w+'px';
</script>
</body>

</html>
pass: malware
Last edited by EP_X0FF on Sat Apr 16, 2011 6:24 am, edited 1 time in total. Reason: Screenshots have been resized to be more accurate