
Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Mon Sep 16, 2013 4:05 pm
by Blaze
Antivirus Security Pro

Now includes epic batch file to stop services and Windows notifications.

Attached: dropper + .bat

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Tue Sep 17, 2013 12:05 pm
by Xylitol
Sinergia Cleaner
https://www.virustotal.com/en/file/bc05 ... 379419031/
Code:
GET /?action=resources&id=4945603f359
Host: fufel-av-2.com
---
GET /?action=install&id=4945603f359&os=xpProsp3&advertid=103
Host: fufel-av-2.com
---
GET /?action=checklic&id=4945603f359&os=xpProsp3
Host: fufel-av-2.com
---
GET /?id=4945603f359
Host: www.fufel-av.com

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Tue Sep 17, 2013 2:02 pm
by Win32:Virut
0 byte file for me:
Code:
hxxp://barcarey.com/index.php?c=

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Tue Sep 17, 2013 4:52 pm
by Grinler
This seems a little bugged as it does not appear to set an autorun of any sort.

Any of you reversing gurus know more about this out.pk file that is downloaded by the rogue at this url:

fufel-av-2.com/?action=resources&id=4974203f359

It appears to be a container of some sort that contains numerous image files and a config.txt file. It then stores this file as a reg_binary value in HKEY_CURRENT_USER\Software\Protection "registry_rsrc_parameter".

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Thu Sep 19, 2013 7:57 am
by Xylitol
Dumped in attachment. Sinergia Cleaner is a bit tricky with anti-debug: it changes the debug flags.
Code:
Modified debug registers of main thread
DR2: old 7C91D040, new 00000000
DR3: old 00401000, new 00000000
DR7: old 00002140, new 00000000
https://www.virustotal.com/en/file/cc71 ... 379577426/

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Fri Sep 20, 2013 3:48 pm
by jumbofreak
>> It appears to be a container of some sort that contains numerous image files and a config.txt file. It then stores this file as a reg_binary value in HKEY_CURRENT_USER\Software\Protection "registry_rsrc_parameter".

Looks like it's an encrypted config file, with resource and image info for different flavours to pull. You can decrypt that reg binary with XOR key 44.
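An added analyst-side example (not code from the thread) for checking the claim above: it reads the REG_BINARY value named in Grinler's post, applies a single-byte XOR, and scores the result against plaintext markers the thread says the container holds (a config.txt name, image file headers). Because the post does not say whether "44" is decimal or hex, the example also brute-forces all 256 single-byte keys against those markers; the marker list, the helper names and the sample blob are constructed assumptions.

```python
from typing import Optional

# Plaintext markers expected inside the decoded out.pk container, based on the
# thread's description (image files plus a config.txt). Constructed assumption.
PLAINTEXT_MARKERS = (b"config.txt", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def xor_decode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR over the whole value (same operation encrypts and decrypts)."""
    return bytes(b ^ key for b in blob)


def marker_score(data: bytes) -> int:
    """Count how many known plaintext markers appear in a candidate decoding."""
    return sum(data.count(m) for m in PLAINTEXT_MARKERS)


def recover_key(blob: bytes) -> Optional[int]:
    """Try every single-byte key; return the one exposing the most markers, or None."""
    best_key, best_score = None, 0
    for key in range(256):
        score = marker_score(xor_decode(blob, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def read_live_value() -> bytes:
    """Windows only: read the value the rogue writes (key path and name from the thread)."""
    import winreg  # imported here so the rest of the module runs on any OS
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Protection") as k:
        data, kind = winreg.QueryValueEx(k, "registry_rsrc_parameter")
    if kind != winreg.REG_BINARY:
        raise ValueError(f"unexpected registry value type {kind}")
    return data


# Constructed sample: a fake container XOR-encoded with 0x44, standing in for a real dump.
SAMPLE_PLAIN = b"config.txt\x00\x89PNG\r\n\x1a\nxxxx\xff\xd8\xff\xe0yyyy"
SAMPLE_BLOB = xor_decode(SAMPLE_PLAIN, 0x44)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)  # on a live system: recover_key(read_live_value())
    print("recovered key:", f"{key:#x}" if key is not None else "none")
    if key is not None:
        print(xor_decode(SAMPLE_BLOB, key))
```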

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Fri Sep 20, 2013 7:37 pm
by Xylitol
Mobile Defender (Android FakeAV)
https://www.virustotal.com/en/file/4732 ... 379705657/
Code:
payment: hxtp://robomerch.com/p/?group=amd&ver=0001&ps=85000

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Fri Sep 20, 2013 7:38 pm
by thisisu
Internet Security 2014 (FakeRean)

MD5: 83e561c5b8c4337f91167d0ac65cea47

https://www.virustotal.com/en/file/7f36 ... 379705631/

Win32.Winwebsec

Posted: Mon Sep 30, 2013 8:44 am
by zyymartin
Hi, Win32.Winwebsec has a new version now; most antivirus software can't detect the new Win32.Winwebsec.
Security Observer's Report
http://www.atvirus.net/?p=2121

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Fri Oct 04, 2013 4:08 pm
by Blaze