A forum for reverse engineering, OS internals and malware analysis 

Rogue Antimalware (FakeAV, 2011 year)

Forum for analysis and discussion about malware.
 Topic locked

Antimalware Tool

 #5806  by Xylitol
 Sun Apr 03, 2011 9:16 pm
Antimalware Tool

Image

Image

Antimalware Tool and fake scanner page with deobfuscated version incl
https://www.virustotal.com/file-scan/re ... 1301865042
https://www.virustotal.com/file-scan/re ... 1301865350
Attachments
See archive comment for password
(2.46 MiB) Downloaded 112 times
Last edited by EP_X0FF on Sat Apr 16, 2011 7:57 am, edited 1 time in total. Reason: Title edited

MS Removal Tool

 #5816  by ngyikp
 Tue Apr 05, 2011 11:46 am
Triple Helix wrote:BestAntiVirus2011
MS Removal Tool, nothing too special
Image

Re: Rogue antimalware (FakeAV, FakeAlert)

 #5817  by peet
 Tue Apr 05, 2011 1:29 pm
BestAntivirus2011

I started this in a VM, XP pro SP3, it leaves a "residue" file and tries to launch an encrypted process. Unfortunately my skills are limited.
Code: Select all
00442B3F   0F3F             ???                                      ; Unknown command
00442B41   07               POP ES                                   ; Modification of segment register
00442B42   0BC7             OR EAX,EDI
00442B44   45               INC EBP
00442B45   FC               CLD
00442B46   FFFF             ???                                      ; Unknown command
00442B48   FFFF             ???                                      ; Unknown command
00442B4A   C745 FC FEFFFFFF MOV DWORD PTR SS:[EBP-4],-2
00442B51   EB 20            JMP SHORT BestAnti.00442B73
00442B53   B8 01000000      MOV EAX,1

Kanal detected 2 crypto processes
aPLib :: 000542C6 :: 004CE8C6
MD5 :: 000159B1 :: 004165B1

Antivirus Antispyware 2011

 #5822  by Meriadoc
 Tue Apr 05, 2011 8:47 pm
Antivirus Antispyware 2011

Image
hxxp://scaner-bigapi.tk/security_essentials/?afid=164

Image

Image
Attachments
pass=malware
(130.3 KiB) Downloaded 82 times
Last edited by EP_X0FF on Sat Apr 16, 2011 8:00 am, edited 1 time in total. Reason: Screenshot resized to be more accurate

Re: Rogue antimalware (FakeAV, FakeAlert)

 #5825  by Meriadoc
 Wed Apr 06, 2011 8:47 am
cont...

make sure you have volume down, I had my speakers turned right up and nearly jumped out of my skin when 'she' said 'new virus found'

more screens, plus a one day special :)

Image

Image

atm I'm only able to tell you several start up entries made, processes hide in program files folder example : Process systemoperating.exe C:\program files\internet explorer\connection wizard\systemoperating.exe

CleanThis Fake Scanner Webpage

 #5876  by ngyikp
 Sat Apr 09, 2011 4:46 pm
Fake scanner page:
hxxp://scanpcnow.cz.cc/scan/dim_sp/free/

Image

Win XP My Computer layout, but with Win7 icons instead. FAIL
Image

Downloads CleanThis, reuploaded just for archival sake
Code: Select all
freesystemscan.exe
d2fbf8032d5ad07e8cee6912d922807c
72021438d2c49703be4acfa20d16c106b38cdabb
c41259f3
Attachments
password: infected
(550.48 KiB) Downloaded 63 times
Last edited by EP_X0FF on Sat Apr 16, 2011 8:01 am, edited 1 time in total. Reason: Screenshots resized to be more accurate

Best Malware Protection

 #5879  by ngyikp
 Sun Apr 10, 2011 2:31 am
Best Malware Protection

Downloader/Dropper
Image

Can't download the payload file, keeps disconnecting for me
Attachments
password: infected
(241.76 KiB) Downloaded 82 times
Last edited by EP_X0FF on Sat Apr 16, 2011 8:02 am, edited 1 time in total. Reason: Screenshot resized to be more accurate

Antivirus Clean 2011

 #5915  by bitx
 Wed Apr 13, 2011 7:31 am
Antivirus Clean 2011

Image
Attachments
password=malware
(1.43 MiB) Downloaded 90 times
Last edited by EP_X0FF on Sat Apr 16, 2011 8:03 am, edited 1 time in total. Reason: Screenshot resized to be more accurate
 Topic locked
  • 1
  • 6
  • 7
  • 8
  • 9
  • 10
  • 34
 Return to “Malware”