A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #5488  by egomoo
 Wed Mar 16, 2011 2:29 am
Does anyone have the new rogue "Windows Diagnostic" or "System Diagnostic"?

Thanks very much if you could post the sample here.
 #5499  by Meriadoc
 Wed Mar 16, 2011 1:33 pm
E-Set Antivirus 2011

VT - http://www.virustotal.com/file-scan/rep ... 1300280043 0/40

AVG icon/E-Set (play on ESET?) seems familiar.

Edit: could not get it to run in a VM or sandbox, and I'm not able to use a real machine atm. If someone could show some screens that would be much appreciated :)
Attachments: pass=malware
Last edited by EP_X0FF on Sat Apr 16, 2011 7:42 am, edited 1 time in total. Reason: Title edited
 #5502  by ngyikp
 Wed Mar 16, 2011 3:05 pm
Meriadoc wrote: E-Set Antivirus 2011
Found a way to run this in a VM: create a file called "nvm.ch" in the folder of the dropper, in %programfiles%\E-Set\, and in %windir%\system32.

Oh my... this FakeAV steals the AVG logo and interface, rips off ESET's name AND copies Norton and Panda (and probably BitDefender as well) to fill the web site

SCREENSHOTS (images not reproduced): downloader; main window; security overview; annoy screens.
"... malicious backdoor Trojan that will cause complete chaos for both you and your computer."

Hijacks Internet Explorer, Firefox, Opera, Google Chrome and Safari via Image File Execution Options (screenshot not reproduced).

Internet Explorer Emergency Mode (screenshots not reproduced).

WARNING: Visiting this web site may cause deja vu!
_hxxp://secure.zsecuritymall.com/ (screenshot not reproduced)
Last edited by EP_X0FF on Sat Apr 16, 2011 7:51 am, edited 1 time in total. Reason: Screenshots resized to be more accurate
 #5512  by Xylitol
 Wed Mar 16, 2011 9:48 pm
Meriadoc, sorry for the late response, I've seen your private message but I was busy :s
Some additional information:

Screenshots (images not reproduced): main; anti-analysis (and just a tiny part); badboy.

The first key "=" is a launch protection and "<" means the rogue is registered; another key also defines whether "Internet Explorer Emergency Mode" is activated or deactivated, but I was bored of searching through the junk to find the right one.
Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\A88B44]
"fhgbcglanhmbignajg"="<"
"chacffld"="="
Serial to register: ABC12-DEF34-GHI56-JKL789
The original binary "setup.exe" makes a copy of itself in %systemroot%\System32 with the name "msiexecs.exe".
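As an added example (not code from the thread or from any of its posters), the script below parses a Version 5.00 .reg export like the one quoted above and flags the two artefacts these posts describe from a defender's side: IFEO "Debugger" redirects for the browsers ngyikp lists, and the A88B44 marker values as Xylitol decodes them. The sample export, the browser image names, and the Debugger pointing at the msiexecs.exe copy are all constructed assumptions, not values taken from the sample.

```python
import re

# Constructed sample .reg export (not from the thread's binary): IFEO "Debugger"
# redirects for two of the listed browsers, plus the rogue's marker key quoted above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
"Debugger"="C:\\WINDOWS\\system32\\msiexecs.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\WINDOWS\\system32\\msiexecs.exe"
[HKEY_CURRENT_USER\Software\A88B44]
"fhgbcglanhmbignajg"="<"
"chacffld"="="
"""

# Image names assumed for the five browsers the post says are hijacked.
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe", "chrome.exe", "safari.exe"}
IFEO_MARK = "\\image file execution options\\"
ROGUE_KEY = r"HKEY_CURRENT_USER\Software\A88B44"
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:  # .reg escapes backslashes in REG_SZ data as "\\"
                name, data = m.groups()
                keys[current][name] = data.replace("\\\\", "\\")
    return keys

def find_ifeo_hijacks(keys):
    """Browsers whose IFEO subkey carries a Debugger redirect, as {exe: debugger}."""
    hits = {}
    for path, values in keys.items():
        if IFEO_MARK in path.lower() and "Debugger" in values:
            exe = path.rsplit("\\", 1)[-1].lower()
            if exe in BROWSERS:
                hits[exe] = values["Debugger"]
    return hits

def rogue_state(keys):
    """Decode the A88B44 markers as Xylitol reads them: '<' registered, '=' launch protection."""
    marks = set(keys.get(ROGUE_KEY, {}).values())
    return {"registered": "<" in marks, "launch_protection": "=" in marks}
```

Run the same two checks over a live `reg export` of HKLM and HKCU to confirm a cleaned machine no longer carries either artefact.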
 #5555  by Xylitol
 Sat Mar 19, 2011 4:03 am
Attachments: original file + hacked one (anti-VM removed). See archive comment for password, as usual.
Last edited by EP_X0FF on Sat Apr 16, 2011 7:41 am, edited 1 time in total. Reason: Title edited
 #5558  by PX5
 Sat Mar 19, 2011 10:56 am
This is an older loader that I believe will install what you want; I will grab the other identical-looking loader off my test machine later today.
Attachments
 #5579  by Striker
 Mon Mar 21, 2011 2:26 pm
System Defender
(Installer from the new fake scan pages)

Only a .dll file. The file is hidden and works only with rundll32.exe.

Screenshots (images not reproduced).
Attachments: dropped dll file (hidden); installer for SD.
Last edited by EP_X0FF on Sat Apr 16, 2011 7:45 am, edited 1 time in total. Reason: Screenshots resized to be more accurate
 #5580  by Striker
 Mon Mar 21, 2011 2:31 pm
Quick System Cleaner

Installer incl. patch.
Homepage: hxxps://pcbug-repair.com/download.htm

Screenshot (image not reproduced).
Attachments: patch for QSC; installer.
Last edited by EP_X0FF on Sat Apr 16, 2011 7:53 am, edited 2 times in total. Reason: Screenshot resized to be more accurate