[Xylitol]

XP Security 2011

XP Total Security 2011 / XP Internet Security 2011 / XP Home Security 2011 / XP Anti-Virus 2011 / XP Anti-Spyware 2011 etc...
'chameleon rogue' from the Braviax family








Unlock code: 1147-175591-6550
i've wasted alot of time today under my debugger for this one ¬.¬

VT (3/43): https://www.virustotal.com/file-scan/re ... 1298037947

Code: Select all

.486

.model flat,stdcall
option casemap:none

include windows.inc

uselib  MACRO   libname
    include     libname.inc
    includelib  libname.lib
ENDM

uselib  user32
uselib  kernel32

rogue PROTO :DWORD,:DWORD,:DWORD,:DWORD

.data
Titre           db "Braviax multi-rogue generic patch", 0
PasTrouver  db "Thread not found",0
Trouver     db "Patched successfully",13,10,"Enter anything in the serial field for activate",0

szFileName1  db "XP Internet Security 2011 - Unregistred Version",0
szFileName2  db "XP Total Security 2011 - Unregistred Version",0
szFileName3  db "XP Home Security 2011 - Unregistred Version",0
szFileName4  db "XP Home Security - Unregistred Version",0
szFileName5  db "XP Anti-Virus 2011 - Unregistred Version",0
szFileName6  db "XP Anti-Spyware 2011 - Unregistred Version",0

AddressToPatch1 dd 0675356h ;0x0675356 (0x10, 16 digits check)
ReplaceBy1 db 090h,090h ;75 47 JNE SHORT 00675391 -> To NOP's
ReplaceSize1 dd 2 ;2 bytes changed
AddressToPatch2 dd 0675389h ;0x0675389 (badboy jump)
ReplaceBy2 db 090h,090h,090h,090h,090h,090h ;0F85 F0010000   JNE 0067557F
ReplaceSize2 dd 6 ;6 bytes changed

.data?
PID         dd ?

.code
  start:
rogue proc hWin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
            invoke FindWindow, NULL, offset szFileName1
            cmp eax,0
            jnz @patch
            invoke FindWindow, NULL, offset szFileName2
            cmp eax,0
            jnz @patch  
            invoke FindWindow, NULL, offset szFileName3
            cmp eax,0
            jnz @patch
            invoke FindWindow, NULL, offset szFileName4
            cmp eax,0
            jnz @patch    
            invoke FindWindow, NULL, offset szFileName5
            cmp eax,0
            jnz @patch
            invoke FindWindow, NULL, offset szFileName6
            cmp eax,0
            jnz @patch                
                invoke Beep,100,30 ;lol :þ
                invoke MessageBox, NULL, addr PasTrouver, addr Titre, MB_ICONEXCLAMATION
                invoke ExitProcess,0
                @patch: call patch
                        invoke ExitProcess,0
rogue endp

patch proc
    mov ebx, eax
    Invoke GetWindowThreadProcessId, ebx, offset PID
    Invoke OpenProcess, PROCESS_ALL_ACCESS,NULL, PID
    mov ebx, eax
    Invoke VirtualProtectEx, ebx, AddressToPatch1, 2, PAGE_EXECUTE_READWRITE, 00
    Invoke WriteProcessMemory, ebx, AddressToPatch1, offset ReplaceBy1, ReplaceSize1, NULL
    Invoke VirtualProtectEx, ebx, AddressToPatch2, 2, PAGE_EXECUTE_READWRITE, 00
    Invoke WriteProcessMemory, ebx, AddressToPatch2, offset ReplaceBy2, ReplaceSize2, NULL
    Invoke CloseHandle, ebx
    invoke MessageBox, NULL, addr Trouver, addr Titre, MB_ICONINFORMATION
patch EndP

  end start 

[ngyikp]

Mega Antivirus 2012
http://www.virustotal.com/file-scan/rep ... 1298378990 (31/43 yikes :D )

Scanner page:
hxxp:// securityscan.square7.ch/scan/53aefec08170b2ebed981a0a86d0dbe0/



Executable:
hxxp:// securityscan.square7.ch/scan/53aefec08170b2ebed981a0a86d0dbe0/install.exe

Main screen:


Activation screen:


Payment page: (fake IE8 even though IE6 installed)
hxxp:// h1.ripway.com/allkindsgoodies/buy/


Blocks taskmgr.exe and rundll32.exe using Image File Execution Options:


Installs itself at C:\WINDOWS\addons


Attempts to reinstall itself if deleted via addon.exe but fails miserably :)

[Alex]

Lavasoft Malware Lab's Rogue Gallery - http://www.lavasoft.com/mylavasoft/rogues/latest

[egomoo]

Is there anyone has the latest fake av "Antimalware Go"sample?

thanks very much

[EP_X0FF]

Is there anyone has the latest fake av "Antimalware Go"sample?

thanks very much

Hi,

According to available info this is clone of AntiVira AV which was clone of Antivirus .NET




Sample of Antivirus .NET located here
http://www.kernelmode.info/forum/viewto ... 4834#p4834

Regards.

[markusg]

System Tool

no vt result

[EP_X0FF]

no vt result

FakeAV "System Tool"

Posts merged with Rogue antimalware thread.

[4everyone]

Is there anyone has the latest fake av "Antimalware Go"sample?

thanks very much

Antimalware Go Sample Attached :)

[egomoo]

Is there anyone know why antimalware go virus go dead while I reboot my computer which means antimalware go virus does not add itsself to startup locations in Registery

[EP_X0FF]

Is there anyone know why antimalware go virus go dead while I reboot my computer which means antimalware go virus does not add itsself to startup locations in Registery

Because they all buggy like hell.