A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #5094  by Xylitol
 Fri Feb 18, 2011 6:57 pm
XP Security 2011

XP Total Security 2011 / XP Internet Security 2011 / XP Home Security 2011 / XP Anti-Virus 2011 / XP Anti-Spyware 2011 etc...
'chameleon rogue' from the Braviax family

Image
Image
Image
Image
Image
Image

Unlock code: 1147-175591-6550
i've wasted alot of time today under my debugger for this one ¬.¬

VT (3/43): https://www.virustotal.com/file-scan/re ... 1298037947
Code: Select all
.486

.model flat,stdcall
option casemap:none

include windows.inc

uselib  MACRO   libname
    include     libname.inc
    includelib  libname.lib
ENDM

uselib  user32
uselib  kernel32

rogue PROTO :DWORD,:DWORD,:DWORD,:DWORD

.data
Titre           db "Braviax multi-rogue generic patch", 0
PasTrouver  db "Thread not found",0
Trouver     db "Patched successfully",13,10,"Enter anything in the serial field for activate",0

szFileName1  db "XP Internet Security 2011 - Unregistred Version",0
szFileName2  db "XP Total Security 2011 - Unregistred Version",0
szFileName3  db "XP Home Security 2011 - Unregistred Version",0
szFileName4  db "XP Home Security - Unregistred Version",0
szFileName5  db "XP Anti-Virus 2011 - Unregistred Version",0
szFileName6  db "XP Anti-Spyware 2011 - Unregistred Version",0

AddressToPatch1 dd 0675356h ;0x0675356 (0x10, 16 digits check)
ReplaceBy1 db 090h,090h ;75 47 JNE SHORT 00675391 -> To NOP's
ReplaceSize1 dd 2 ;2 bytes changed
AddressToPatch2 dd 0675389h ;0x0675389 (badboy jump)
ReplaceBy2 db 090h,090h,090h,090h,090h,090h ;0F85 F0010000   JNE 0067557F
ReplaceSize2 dd 6 ;6 bytes changed

.data?
PID         dd ?

.code
  start:
rogue proc hWin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
            invoke FindWindow, NULL, offset szFileName1
            cmp eax,0
            jnz @patch
            invoke FindWindow, NULL, offset szFileName2
            cmp eax,0
            jnz @patch  
            invoke FindWindow, NULL, offset szFileName3
            cmp eax,0
            jnz @patch
            invoke FindWindow, NULL, offset szFileName4
            cmp eax,0
            jnz @patch    
            invoke FindWindow, NULL, offset szFileName5
            cmp eax,0
            jnz @patch
            invoke FindWindow, NULL, offset szFileName6
            cmp eax,0
            jnz @patch                
                invoke Beep,100,30 ;lol :þ
                invoke MessageBox, NULL, addr PasTrouver, addr Titre, MB_ICONEXCLAMATION
                invoke ExitProcess,0
                @patch: call patch
                        invoke ExitProcess,0
rogue endp

patch proc
    mov ebx, eax
    Invoke GetWindowThreadProcessId, ebx, offset PID
    Invoke OpenProcess, PROCESS_ALL_ACCESS,NULL, PID
    mov ebx, eax
    Invoke VirtualProtectEx, ebx, AddressToPatch1, 2, PAGE_EXECUTE_READWRITE, 00
    Invoke WriteProcessMemory, ebx, AddressToPatch1, offset ReplaceBy1, ReplaceSize1, NULL
    Invoke VirtualProtectEx, ebx, AddressToPatch2, 2, PAGE_EXECUTE_READWRITE, 00
    Invoke WriteProcessMemory, ebx, AddressToPatch2, offset ReplaceBy2, ReplaceSize2, NULL
    Invoke CloseHandle, ebx
    invoke MessageBox, NULL, addr Trouver, addr Titre, MB_ICONINFORMATION
patch EndP

  end start 
Attachments
See archive comment for password
(254.59 KiB) Downloaded 102 times
Last edited by EP_X0FF on Sat Apr 16, 2011 7:16 am, edited 1 time in total. Reason: Title edited
 #5135  by ngyikp
 Tue Feb 22, 2011 12:59 pm
Mega Antivirus 2012
http://www.virustotal.com/file-scan/rep ... 1298378990 (31/43 yikes :D )

Scanner page:
hxxp:// securityscan.square7.ch/scan/53aefec08170b2ebed981a0a86d0dbe0/
Image
Image

Executable:
hxxp:// securityscan.square7.ch/scan/53aefec08170b2ebed981a0a86d0dbe0/install.exe

Main screen:
Image

Activation screen:
Image

Payment page: (fake IE8 even though IE6 installed)
hxxp:// h1.ripway.com/allkindsgoodies/buy/
Image

Blocks taskmgr.exe and rundll32.exe using Image File Execution Options:
Image

Installs itself at C:\WINDOWS\addons
Image

Attempts to reinstall itself if deleted via addon.exe but fails miserably :)
Image
Image
Attachments
password: infected
(923.29 KiB) Downloaded 99 times
Last edited by EP_X0FF on Sat Apr 16, 2011 7:39 am, edited 1 time in total. Reason: Screenshots resized to be more accurate
 #5177  by egomoo
 Sat Feb 26, 2011 12:47 pm
Is there anyone has the latest fake av "Antimalware Go"sample?

thanks very much
 #5178  by EP_X0FF
 Sat Feb 26, 2011 3:30 pm
egomoo wrote:Is there anyone has the latest fake av "Antimalware Go"sample?

thanks very much
Hi,

According to available info this is clone of AntiVira AV which was clone of Antivirus .NET

Image
Image

Sample of Antivirus .NET located here
http://www.kernelmode.info/forum/viewto ... 4834#p4834

Regards.
 #5204  by markusg
 Mon Feb 28, 2011 1:52 pm
System Tool

no vt result
Attachments
(299.15 KiB) Downloaded 90 times
Last edited by EP_X0FF on Sat Apr 16, 2011 8:13 am, edited 1 time in total. Reason: Title edited
 #5206  by EP_X0FF
 Mon Feb 28, 2011 2:35 pm
markusg wrote:no vt result
FakeAV "System Tool"

Posts merged with Rogue antimalware thread.
 #5268  by 4everyone
 Wed Mar 02, 2011 3:23 pm
egomoo wrote:Is there anyone has the latest fake av "Antimalware Go"sample?

thanks very much
Antimalware Go Sample Attached :)

Image
Attachments
pass: infected
(314.03 KiB) Downloaded 51 times
 #5273  by egomoo
 Thu Mar 03, 2011 2:10 am
Is there anyone know why antimalware go virus go dead while I reboot my computer which means antimalware go virus does not add itsself to startup locations in Registery
Attachments
(313.74 KiB) Downloaded 61 times
 #5278  by EP_X0FF
 Thu Mar 03, 2011 5:37 am
egomoo wrote:Is there anyone know why antimalware go virus go dead while I reboot my computer which means antimalware go virus does not add itsself to startup locations in Registery
Because they all buggy like hell.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 34