
Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Thu May 13, 2010 2:02 am
by egomoo

Desktop Security 2010

It randomly selects a folder under %programfiles% to combine the infected files.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\]
<MicrosoftHXVZUI><c:\program files\common files\microsoft shared\help\1028\hxdsuimicrosoft.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\]
<clientshutdownStudio><c:\program files\common files\microsoft shared\corecon\1.0\target\wce400\mipsii\cmacceptstudio.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\]
<MicrosoftFramework><c:\program files\microsoft visual studio 8\common7\ide\xml\2052\microsoftxmleditorui.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\]
<MsoEuroOffice11.0.5510><c:\program files\common files\microsoft shared\euro\microsoftoffice.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
<ModuleHideHelper><c:\program files\360\360se\plugin\hidehelper\modulehidehelper.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
<TortoiseSVNTortoiseOverlays><c:\program files\common files\tortoiseoverlays\tortoiseoverlaystortoisesvn.exe>

online scan result:
http://www.virustotal.com/analisis/7778 ... 1273664227

Re: Microsoft Security Essentials Clone

Posted: Thu May 13, 2010 2:13 am
by egomoo
A new log:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit]
<Userinit><c:\windows\system32\winlogon32.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
<Shell><c:\windows\system32\pgsb.lto>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
<kulmgqqut><c:\windows\system32\kulmgqqut.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\]
<Security essentials 2010><c:\program files\securityessentials2010\se2010.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\]
<kulmgqqut><c:\documents and settings\administrator\kulmgqqut.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\]
<smss32.exe><c:\windows\system32\smss32.exe>
[system file infected or corrupted]
<system file infected or corrupted><C:\WINDOWS\System32\drivers\ndis.sys>

online scan: http://www.virustotal.com/zh-cn/analisi ... 1273702580
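As an added example (not code from the thread), a small Python parser for the autorun-log format quoted in both of egomoo's posts, with checks for the patterns visible there: a Winlogon Shell or Userinit value that is not the stock one, entries under the legacy RunServices key, autorun images that are not .exe files, and names that imitate core system processes (smss32.exe, winlogon32.exe). The clean Winlogon defaults, the list of system-process name stems and the benign ctfmon.exe line in the sample are assumptions, not taken from the page.

```python
"""Added example: parse the autorun log format used above and flag suspicious entries.
Not code from the thread; the defaults and heuristics below are assumptions."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

ENTRY_RE = re.compile(r"^<(?P<name>[^>]*)><(?P<value>[^>]*)>$")

# Assumed clean defaults for a default Windows XP install (the thread does not state them).
EXPECTED_WINLOGON = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}
# Core process names that rogues imitate (smss32.exe, winlogon32.exe in the logs above).
SYSTEM_STEMS = ("smss", "csrss", "winlogon", "lsass", "services", "svchost", "explorer")

# Constructed sample: lines from the two logs above plus one benign ctfmon.exe entry.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit]
<Userinit><c:\windows\system32\winlogon32.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
<Shell><c:\windows\system32\pgsb.lto>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\]
<MicrosoftHXVZUI><c:\program files\common files\microsoft shared\help\1028\hxdsuimicrosoft.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\]
<smss32.exe><c:\windows\system32\smss32.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\]
<ctfmon.exe><c:\windows\system32\ctfmon.exe>
"""


@dataclass
class AutorunEntry:
    key: str
    name: str
    value: str
    reasons: list = field(default_factory=list)


def parse_autorun_log(text):
    """Turn '[key]' lines followed by '<name><value>' lines into AutorunEntry objects."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and current_key is not None:
            entries.append(AutorunEntry(current_key, m["name"], m["value"]))
    return entries


def assess(entry):
    """Attach a reason for every heuristic the entry trips; an empty list means nothing odd."""
    key, value = entry.key.lower(), entry.value.lower()
    if key.endswith(r"\winlogon\shell") and value != EXPECTED_WINLOGON["shell"]:
        entry.reasons.append("Winlogon Shell is not explorer.exe")
    if key.endswith(r"\winlogon\userinit") and value != EXPECTED_WINLOGON["userinit"]:
        entry.reasons.append("Winlogon Userinit replaced")
    if "\\runservices" in key:
        entry.reasons.append("RunServices key (legacy location, rarely legitimate)")
    image = PureWindowsPath(value.rstrip(","))   # Userinit carries a trailing comma
    if image.suffix and image.suffix != ".exe":
        entry.reasons.append(f"autorun image has unusual extension {image.suffix}")
    for stem in SYSTEM_STEMS:
        if image.stem != stem and image.stem.startswith(stem):
            entry.reasons.append(f"name imitates system process {stem}.exe")
            break
    return entry


def find_suspicious(text):
    """Parse a log and return only the entries with at least one reason attached."""
    return [e for e in map(assess, parse_autorun_log(text)) if e.reasons]


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG):
        print(f"{e.name:20} {e.value}\n    " + "; ".join(e.reasons))
```

The heuristics are deliberately simple and produce candidates, not verdicts: an entry that trips only the name-imitation rule still needs the file checked (hash, signer, location) before it is removed.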

Antispyware Soft

Posted: Fri May 14, 2010 9:04 pm
by wealllbe20

Since everybody else is posting this stuff.

This malware is very similar to nop's on page 1.
It will only load if an internet connection is present.


This is not the hardest one to get rid of, as it does not infect the .exe portion of the registry.

But every time you load any executable (.com, .exe, .scr) it will tell you it's infected.

Here are my notes from many months ago on removing this stuff when it was everywhere.
made user go to c:\windows\system32

taskmgr.exe was not found
taskkill.exe was not found
tasklist.exe was not found
user was displaying hidden files and protected operating system files

we did a start then run:

made user type in:
cmd /k copy c:\windows\system32\taskmgr.exe c:\explorer.exe
Error came up and it appeared to block the command but explorer.exe was copied to c:\
made user try to run taskmgr.exe as c:\explorer.exe it was blocked by malware.
I then made user try
to run the command
cmd /k copy c:\windows\system32\taskmgr.exe c:\iexplore.exe
malware appeared to block but file was displayed.
then were able to pull up taskmgr as c:\iexplore.exe
we killed many processes that were not needed or seemed to be malicious

After taking control of the machine I found out the only process that needed to be killed was xkiffaei.exe, located in %userprofile%\local settings\temp

we then tried to go to google but failed.

we then unchecked a proxy server that was pointing to 127.0.0.1:5555

obviously some malware acting as a redirection proxy.

After unchecking proxy connection

was able to go to google.com and ultimately gotoassist.com
and took control of machine

ran runscanner it seemed to be only that 1 process.
took it out of autostart and deleted the underlying file.


As a note, rundll32.exe was running, so a possible rogue dll.

No rootkit was detected
via the newest version of GMER renamed to a random filename.

restarted machine
then ran hitmanpro and it found 0 infections.
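As an added example (not part of wealllbe20's notes), Python that does the proxy check from those notes in a scriptable way: it parses both WinINet ProxyServer formats ("host:port" and "http=host:port;https=..."), flags proxies pointing at loopback such as 127.0.0.1:5555, and correlates the port with a listener table so that a redirector running from a temp directory stands out from a legitimate local proxy. The listener table, PIDs, process path and temp-directory markers are constructed for the example.

```python
"""Added example, not from the thread: triage of a WinINet proxy that points at loopback."""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
# Directories a legitimate local proxy (debugging or filtering product) would not normally run from.
TEMP_DIR_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")


def parse_proxy_server(proxy_server):
    """Parse the WinINet ProxyServer value: either 'host:port' for all protocols
    or 'http=host:port;https=host:port;...'. Returns {protocol: (host, port)}."""
    proxies = {}
    for part in proxy_server.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, _, hostport = part.partition("=") if "=" in part else ("*", "", part)
        host, _, port = hostport.rpartition(":")
        if not host:                      # bare hostname without a port
            host, port = hostport, ""
        proxies[proto.lower()] = (host.lower(), int(port) if port.isdigit() else None)
    return proxies


def loopback_proxies(proxy_enable, proxy_server):
    """Return (protocol, host, port) for every configured proxy that points at this machine."""
    if not proxy_enable:
        return []
    return [(proto, host, port)
            for proto, (host, port) in parse_proxy_server(proxy_server).items()
            if host in LOOPBACK_HOSTS or host.startswith("127.")]


def triage_proxy(proxy_enable, proxy_server, listeners):
    """Correlate loopback proxies with a listener table [(port, pid, image_path), ...].
    On a live system the table would come from netstat -ano plus the process list."""
    by_port = {port: (pid, image) for port, pid, image in listeners}
    findings = []
    for proto, host, port in loopback_proxies(proxy_enable, proxy_server):
        owner = by_port.get(port)
        if owner is None:
            findings.append({"proto": proto, "port": port, "pid": None, "image": None,
                             "verdict": "loopback proxy with no listener (stale or dead redirector)"})
            continue
        pid, image = owner
        from_temp = any(marker in image.lower() for marker in TEMP_DIR_MARKERS)
        findings.append({"proto": proto, "port": port, "pid": pid, "image": image,
                         "verdict": "redirector running from a temp directory" if from_temp
                                    else "local proxy, verify the owning process"})
    return findings


# Constructed sample mirroring the notes: proxy at 127.0.0.1:5555 owned by a process in the temp folder.
SAMPLE_LISTENERS = [
    (5555, 1832, r"c:\documents and settings\user\local settings\temp\xkiffaei.exe"),
    (135, 772, r"c:\windows\system32\svchost.exe"),
]

if __name__ == "__main__":
    for finding in triage_proxy(1, "127.0.0.1:5555", SAMPLE_LISTENERS):
        print(finding)
```

A loopback proxy on its own is not proof of infection (debugging proxies and some filtering products use one), which is why the verdict depends on which process owns the port and where it runs from; a proxy with no listener at all is the leftover of a redirector that has already been killed, as in the notes, and still breaks browsing until the setting is cleared.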

My Security Engine

Posted: Tue May 18, 2010 11:07 pm
by B-boy/StyLe/

Screenshot: My Security Engine

Regards,
G.

Virus Protector

Posted: Fri May 21, 2010 5:57 am
by EP_X0FF

Downloader
http://www.virustotal.com/analisis/ffb5 ... 1274420551

FakeAV itself
http://www.virustotal.com/analisis/f0c2 ... 1274420870

Screenshot: GUI

Screenshot: "You are sending SPAM!"

Screenshot: Payme dialog

Screenshot: Danger

Dropped to the %systemroot%\system32 folder with a random name (sample attached). Gives many alerts, popups etc.
Sets itself to autorun via the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key.

Funny strings from the inside, including an embedded list of detections.
f:\_work\VProtector\Release\promo.pdb

SOFTWARE\Policies\Microsoft\Windows Defender
DisableAntiSpyware
WinDefend
DisableRegistryTools
Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr

gawab.com
fbi.gov
inbox.com
live.com
msn.com
hotmail.com
rocketmail.com
us.army.mil
mail.com
gmx.com
yahoo.com
gmail.com

Worm Attack
Smurf Attack
Storm botnet
Land Attack
DDOS attack
Trojan.Kreeper.588
Trojan.Bdsearch.103
Dialer.4562.355
Dialer.4706.387
Worm.Autoit.451
Trojan.PoisonIvy.227
Trojan.Dropper.Pykspa.355
Dialer.4633.2
Trojan.Bzub.381
Dialer.4710.436
Trojan.Obfus.193
Trojan.Hasik.559
Trojan.Downloader.Reipym.764
Trojan.Goldun.750
Dialer.4603.42
Trojan.Servu.29
Dialer.4677.215
Trojan.Alureon.315
Worm.Fujack.337
Worm.Waledac1.236
Dialer.4580.386
Trojan.Hasik.78
Dialer.4553.136
Trojan.Thous.13
Trojan.Gamecrack.1
Dialer.4660.437
Worm.Delf.710
Trojan.Rootkit.79
Exploit.SWF.168
Trojan.Hydraq.687
PwTool.Yahoo.SmartMasPass.295
Dialer.4617.346
Trojan.Spy.529
Dialer.4732.361
Trojan.Swizzor.718
Dialer.4704.156
Trojan.HackSrvany.120
Trojan.Hasik.670
Dialer.4641.111
Trojan.VanBot.815
Adware.Admoke.131
Trojan.Redvip.628
Trojan.Hdkill.839
Trojan.BHO.268
Trojan.Agent.Banker.672
Trojan.Thous.118
Worm.VB.762
Dialer.4697.578
Dialer.4621.426
Trojan.Spy.Gwghost.124
Worm.NetSky.669
Trojan.Conhook.757
Dialer.4737.659
Worm.Agent.664
Trojan.OSX.RSPlug.F.dmg.338
Worm.Joleee.202
Trojan.Dumador.474
Trojan.Bravix.105
Dialer.4653.258
Trojan.Patched.728
Trojan.Agent.228
Trojan.Winwebsec.812
Trojan.Stuh.76
Dialer.4642.373
Dialer.4630.468
W32.Sality.692
Trojan.Banker.664
W32.Lafon.104
Dialer.4556.347
Trojan.CDur.255
Trojan.Messah.321
Worm.Waledac1.3
Adware.FakeInstall.144
Trojan.WOW.149
Trojan.Vaklik.782
Hacktool.Crack.Megaupload.466

Antivirus PC 2009

Posted: Sun May 23, 2010 1:17 pm
by EP_X0FF

From xenophobia (Russian script-kiddie)

VirusTotal
http://www.virustotal.com/analisis/a074 ... 1274620385

Used ClamAV engine
*** DON'T PANIC! Read http://www.clamav.net/support/faq ***
*** This version of the ClamAV engine is outdated. ***
*** Please update it as soon as possible. ***
*** The virus database is older than 7 days! ***
*** Please check the timezone and clock settings ***
*** Virus database timestamp in the future! ***

Screenshot: GUI

Screenshot: Payme dialog

Sets itself to autorun via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run keys

as
cmd /C cd "C:\Program Files\Antivirus PC 2009" && start avpc2009.exe
d:\xenophobia\2\1\Release\avpc2009.pdb

Your computer is being attacked by an Internet Virus.
It could be a password-stealing attack, a trojan-dropped or similar.
Antivirus PC 2009
Antivirus PC 2009 Warning: Antivirus PC 2009 has detected harmful software in your system. It is strongly recommended to register Antivirus PC 2009 to remove these threats immediately. Click
to fix these errors.
Exit Antivirus PC 2009
Shell_TrayWnd
Signature bases are not up to date.
Please click "OK" to update it now, or click "Cancel" to update later.
support.html
Antivirus PC 2009
System Error
ClamAV Antivirus|GPL|Sourcefire Inc|Gianluigi Tiesi|<sherpya@netfarm.it>
URL inside binary
hxxp://antiviruspc-update.com:8080/

My Security Engine

Posted: Sun May 23, 2010 4:29 pm
by EP_X0FF

B-boy/StyLe/ wrote:
> My Security Engine
>
> Regards,
> G.
Seems to be the same as http://forum.sysinternals.com/fake-av-s ... 22033.html (also known as Live PC Guard and a million different names)

You uploaded just a downloader :D
The payload is cool. Written in Delphi (or whatever from CodeGear; yet another Russian script-kiddie's work).

http://www.virustotal.com/analisis/c149 ... 1274632111

Screenshots: GUI

Contains an internal blacklist of antiviruses (SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options)
SOFTWARE\Agnitum\Security Suite\
SOFTWARE\ComodoGroup\CDI\
SOFTWARE\AVG\
SOFTWARE\BitDefender\BitDefender Antivirus 2008\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E58B329B-FB28-4874-90DE-0D7CB2709267}\
SOFTWARE\Data Fellows\F-Secure\
SOFTWARE\KasperskyLab\
SOFTWARE\rising\Rav\
SOFTWARE\Sophos\SAVService\Application\
SOFTWARE\Symantec\Norton AntiVirus\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WebrootDesktopFirewall.exe\
SOFTWARE\Eset\Nod\
SOFTWARE\Zone Labs\ZoneAlarm\
SOFTWARE\ALWIL Software\Avast\
almost forgot..

Runs itself through the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.
Drops itself (WinXP) to the Documents and Settings\All Users\Application Data\randomhexvalue hidden folder.

Windows Protector or XJR Antivirus

Posted: Mon May 24, 2010 1:15 pm
by EP_X0FF

Downloader VT
http://www.virustotal.com/analisis/8f6e ... 1274705855

FakeAV VT
http://www.virustotal.com/analisis/21fa ... 1274706179

Aggressive behavior - terminates starting applications as "infected".

Screenshot: GUI

Screenshot: Detections

Screenshot: Payme dialog

Screenshot: Fake "Error Reporting" dialog

Aggressive behavior causes some trouble with removal.
This fake AV modifies the registry HKEY_CLASSES_ROOT\exefile file type handler keys, making the system unworkable after malware removal from Safe Mode.
However, applying exported registry data from a different computer or a backup solves the problem.
Both the downloader and the FakeAV itself are attached.
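As an added example (not code from the thread), Python that verifies the .exe file association from a .reg export, which is what the post recommends comparing against a clean machine: it parses the export (including the `\"` and `\\` escapes used in .reg files), compares the default values of HKEY_CLASSES_ROOT\.exe and HKEY_CLASSES_ROOT\exefile\shell\open\command with the stock Windows values, and can emit a .reg file containing the stock handler. The stock values are the well-known Windows defaults (assumed, not stated on the page); the hijacked export and the RANDOMNAME.exe path in it are constructed.

```python
"""Added example, not from the thread: verify the HKCR exefile handler from a .reg export
and emit the stock handler for restoring it. Defaults are assumed, not taken from the page."""
import re

# Stock values for the .exe association on a default Windows install (assumed).
STOCK_EXEFILE = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

REG_VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")=(?P<data>.*)$')


def unescape_reg_string(data):
    """Decode a quoted REG_SZ literal from a .reg file; returns None for non-string data."""
    if len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
        return None
    out, i, body = [], 0, data[1:-1]
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):   # \\ and \" escapes
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def escape_reg_string(s):
    """Inverse of unescape_reg_string."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_reg_export(text):
    """Return {key: {value_name: data}} for the values in a .reg export ('@' is the default value)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m["name"] is None else m["name"]
            decoded = unescape_reg_string(m["data"])
            keys[current][name] = decoded if decoded is not None else m["data"]
    return keys


def check_exefile_handler(reg_text):
    """Compare the exported .exe association against the stock one; an empty list means intact."""
    keys = parse_reg_export(reg_text)
    findings = []
    for key, expected in STOCK_EXEFILE.items():
        actual = keys.get(key, {}).get("@")
        if actual is None:
            findings.append(f"{key}: default value missing")
        elif actual != expected:
            findings.append(f"{key}: default is {actual!r}, expected {expected!r}")
    return findings


def stock_exefile_reg():
    """Produce a .reg file restoring the stock association (what a clean-machine export contains)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, value in STOCK_EXEFILE.items():
        lines += [f"[{key}]", f"@={escape_reg_string(value)}", ""]
    return "\n".join(lines)


# Constructed export of a hijacked handler: every .exe launch is routed through the rogue first.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\All Users\\Application Data\\RANDOMNAME.exe\" /START \"%1\" %*"
'''

if __name__ == "__main__":
    for finding in check_exefile_handler(HIJACKED_EXPORT):
        print(finding)
    print(stock_exefile_reg())
```

Usage on a real box is `reg export HKCR\exefile exefile.reg` (and the same for `HKCR\.exe`) from the affected system, then `check_exefile_handler` over the file contents; the reason removal from Safe Mode leaves the system unworkable is visible in the findings: once the rogue binary is gone, the hijacked command still points at it and no .exe can start until the default value is put back.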

Trojan.Win32.Tdss.beea

Posted: Wed Jun 09, 2010 10:02 am
by Jaxryley
Could one of the experts check this one out?
hxxp://networksportsgo.com/cgi-bin/153/n002106203302r000cXc0dc77a8Y8cd2af8bZ0100f0600
Result: 1/41 (2.44%)
Kaspersky 7.0.0.125 2010.06.09 Trojan.Win32.Tdss.beea
http://www.virustotal.com/analisis/0b4e ... 1276077380

Re: Trojan.Win32.Tdss.beea

Posted: Wed Jun 09, 2010 10:11 am
by EP_X0FF
Damaged PE file (MZ signature bytes removed from the header). After a small addition the new VT result is awesome :)

http://www.virustotal.com/analisis/82c2 ... 1276078005

equal to http://www.kernelmode.info/forum/viewto ... 1247#p1247
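As an added example (not code from the thread), a Python check that tells a PE whose MZ bytes have been removed apart from a genuinely non-PE blob, which is the observation behind EP_X0FF's reply: it reads e_lfanew at offset 0x3C regardless of the DOS signature and looks for the PE\0\0 signature and COFF header there, so a file that scanners keying on "MZ" would skip is still recognised and can be triaged. The sample input is a constructed minimal DOS header plus COFF header, not the attachment from the post.

```python
"""Added example, not from the thread: classify a blob as an intact PE, a PE with the MZ
signature stripped (as in the sample above), a DOS-only file, or something else."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
# A few IMAGE_FILE_MACHINE_* values, for the report only.
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def inspect_pe_header(data):
    """Return a dict whose 'verdict' is one of 'pe', 'damaged-pe', 'mz-only', 'not-pe'; when an
    NT header is reachable, also the machine type and section count from the COFF header."""
    report = {"verdict": "not-pe", "machine": None, "sections": None, "e_lfanew": None}
    if len(data) < 0x40:
        return report
    has_mz = data[:2] == IMAGE_DOS_SIGNATURE
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    report["e_lfanew"] = e_lfanew
    # Bound-check the offset before trusting it: a random DWORD at 0x3C is easy to hit in non-PE data.
    has_pe = (e_lfanew + 24 <= len(data)
              and data[e_lfanew:e_lfanew + 4] == IMAGE_NT_SIGNATURE)
    if has_pe:
        machine, sections = struct.unpack_from("<HH", data, e_lfanew + 4)
        report["machine"] = MACHINE_NAMES.get(machine, hex(machine))
        report["sections"] = sections
    if has_mz and has_pe:
        report["verdict"] = "pe"
    elif has_pe:
        report["verdict"] = "damaged-pe"   # NT headers intact apart from the missing MZ bytes
    elif has_mz:
        report["verdict"] = "mz-only"      # DOS stub, or e_lfanew not pointing at a PE header
    return report


def build_minimal_pe(machine=0x014C, sections=3):
    """Constructed test input: a 64-byte DOS header pointing at a bare COFF header (not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> right after the DOS header
    coff = IMAGE_NT_SIGNATURE + struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + coff


if __name__ == "__main__":
    clean = build_minimal_pe()
    damaged = b"\0\0" + clean[2:]          # constructed: same file with the signature bytes zeroed
    for label, blob in (("clean", clean), ("damaged", damaged)):
        print(label, inspect_pe_header(blob))
```

The practical point for triage is in the 'damaged-pe' verdict: the file will not run as-is and many scanners ignore it, yet the full NT headers, sections and code are still there, so it should be handled (hashed, submitted, blocked) as the executable it is rather than dismissed as data.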