Rogue Antimalware (FakeAV, 2011 year) - Page 6

Topic locked

FakeSysdef

#5488 by egomoo
Wed Mar 16, 2011 2:29 am

Is there anyone has new rogue "Windows Diagnostic" or "System Diagnostic"

thanks very much if you could post the sample here

Username

egomoo

Posts

19

Joined

Fri May 07, 2010 5:02 am

Location

Shaoxing,China

E-Set Antivirus 2011

#5499 by Meriadoc
Wed Mar 16, 2011 1:33 pm

E-Set Antivirus 2011

VT - http://www.virustotal.com/file-scan/rep ... 1300280043 0/40

AVG icon/E-Set (play on eset?) seems familiar.

edit : could not get to run in a vm or sandbox and I'm not able to use a real machine atm. If someone could show some screen that would be much appreciated :)

Attachments

setup.rar

pass=malware
(99.36 KiB) Downloaded 100 times

Last edited by EP_X0FF on Sat Apr 16, 2011 7:42 am, edited 1 time in total. Reason: Title edited

Who controls the past controls the future
Who controls the present controls the past

Username

Meriadoc

Posts

195

Joined

Sat Mar 13, 2010 7:36 pm

Location

Cymru

E-Set Antivirus 2011

#5502 by ngyikp
Wed Mar 16, 2011 3:05 pm

Meriadoc wrote:E-Set Antivirus 2011

Found a way to run this in a VM: create a file called "nvm.ch" at the folder of the dropper, %programfiles%\E-Set\, and %windir%\system32

Oh my... this FakeAV steals the AVG logo and interface, rips off ESET's name AND copies Norton and Panda (and probably BitDefender as well) to fill the web site

SCREENSHOTS:
Downloader:

Main window:

Security overview:

Annoy screens:

"... malicious backdoor Trojan that will cause complete chaos for both you and your computer."

Hijacks Internet Explorer, Firefox, Opera, Google Chrome and Safari via Image File Execution Options

Internet Explorer Emergency Mode:

WARNING: Visiting this web site may cause deja vu!
_hxxp://secure.zsecuritymall.com/

Last edited by EP_X0FF on Sat Apr 16, 2011 7:51 am, edited 1 time in total. Reason: Screenshots resized to be more accurate

Wait a minute! This is important - we check your device

Username

ngyikp

Posts

18

Joined

Wed Feb 02, 2011 4:23 pm

Re: Rogue antimalware (FakeAV, FakeAlert)

#5512 by Xylitol
Wed Mar 16, 2011 9:48 pm

Meriadoc, sorry for the late response i've see your private message but i was busy :s
some additional informations

main:

Anti-analyzes (and just a tiny part):

badboy:

First key "=" is a launch protection and "<" mean the rogue is registered, another key defind also if we active the "Internet Explorer Emergency Mode" or if we deactive it but i was bored to search in the junk for find the good one.

Code: Select all

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\A88B44]
"fhgbcglanhmbignajg"="<"
"chacffld"="="

Serial to register: ABC12-DEF34-GHI56-JKL789
The original binary "setup.exe" make a copy of himself in \%systemroot%\System32 with the name "msiexecs.exe"

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Malware Requests

#5550 by PX5
Fri Mar 18, 2011 6:53 pm

Windows Diagnostics will come out of this thread, last page, last post by markusg

http://www.kernelmode.info/forum/viewto ... 7&start=20

Re: Trojan.Advload

Postby markusg » Thu Mar 17, 2011 10:55 am

your_exe.rar
(26.83 KiB)

Arrogance led me to my Ignorance