Re: Rogue Antimalware (FakeAV, 2014 year)
PostPosted:Tue Feb 11, 2014 3:43 am
by maddy
Hey,
look at this fake Microsoft Security Essentials,
Dropped in %AppData%
Protector-ogxv.exe
Protector-htre.exe
Protector-ouuh.exe
Protector-cwnr.exe
guard-nrbt.exe
guard-htnd.exe
guard-ilud.exe
guard-fmrt.exe
proto-ortd.exe
proto-bles.exe
proto-godd.exe
proto-plop.exe
safe-dnfg.exe
safe-werj.exe
protectkonm.exe
protectbdlt.exe
protectbqpo.exe
svc-hmds.exe
svc-mdqs.exe
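The file names above all follow one of two shapes: a short prefix (Protector, guard, proto, safe, svc) joined by a hyphen to four random lowercase letters, or "protect" followed directly by four letters, always with an .exe extension. The following script is an added example (not maddy's code or anything attached to the thread) that generalises those names into regular expressions and filters a directory listing against them. The listing it scans is constructed here from the names in the post plus a few benign look-alikes, so it runs offline; the scan_directory helper is an assumption for applying the same filter to a live %AppData% folder.

```python
import os
import re
from typing import Iterable, List

# Generalised from the names reported in the post: <prefix>-<4 letters>.exe
# and protect<4 letters>.exe. Case-insensitive because the post mixes
# "Protector-" with lowercase prefixes.
FAKEAV_NAME_PATTERNS = [
    re.compile(r"^(protector|guard|proto|safe|svc)-[a-z]{4}\.exe$", re.IGNORECASE),
    re.compile(r"^protect[a-z]{4}\.exe$", re.IGNORECASE),
]


def matches_fakeav_name(name: str) -> bool:
    """True if a bare file name fits one of the dropped-file naming shapes."""
    return any(pattern.match(name) for pattern in FAKEAV_NAME_PATTERNS)


def find_suspicious(names: Iterable[str]) -> List[str]:
    """Return the subset of names that match, sorted for stable reporting."""
    return sorted(n for n in names if matches_fakeav_name(n))


def scan_directory(path: str) -> List[str]:
    """Assumed helper: apply the filter to the files actually present in a folder."""
    return find_suspicious(
        entry for entry in os.listdir(path) if os.path.isfile(os.path.join(path, entry))
    )


# Constructed sample listing: the 19 names from the post plus decoys that a
# sloppy substring match would wrongly flag (wrong letter count, wrong
# extension, or a legitimate-looking "protection.exe").
SAMPLE_APPDATA_LISTING = [
    "Protector-ogxv.exe", "Protector-htre.exe", "Protector-ouuh.exe", "Protector-cwnr.exe",
    "guard-nrbt.exe", "guard-htnd.exe", "guard-ilud.exe", "guard-fmrt.exe",
    "proto-ortd.exe", "proto-bles.exe", "proto-godd.exe", "proto-plop.exe",
    "safe-dnfg.exe", "safe-werj.exe",
    "protectkonm.exe", "protectbdlt.exe", "protectbqpo.exe",
    "svc-hmds.exe", "svc-mdqs.exe",
    "notepad.exe", "protection.exe", "guard-toolong.exe", "svc-host.dll",
    "Protector-ogxv.exe.txt",
]


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_APPDATA_LISTING)
    print(f"{len(hits)} suspicious names in sample listing:")
    for name in hits:
        print("  ", name)
    appdata = os.environ.get("APPDATA")
    if appdata and os.path.isdir(appdata):
        print(f"{len(scan_directory(appdata))} suspicious names in {appdata}")
```

The four-letter suffixes are random per infection, so a name filter like this is only a triage heuristic for a folder that should contain no executables at all; confirm any hit by hash or a VirusTotal lookup, as the later posts in this thread do, rather than treating a name match as a verdict.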
Windows Antivirus Booster
PostPosted:Tue Mar 04, 2014 7:32 pm
by bitstechs
Re: Rogue Antimalware (FakeAV, 2014 year)
PostPosted:Fri Mar 07, 2014 1:46 am
by bitstechs
Anyone else have the latest variants of this virus? I'm trying to hunt for them but it's rough. Malwarebytes' forums have tons, but I've yet to get invited into their malware hunter group.
Re: Rogue Antimalware (FakeAV, 2014 year)
PostPosted:Thu Mar 13, 2014 6:41 pm
by Ormu
Cody Johnston wrote:
dairu87 wrote:It also dumps around 10-12 randomly named .exe's into the syswow64 directory.
Please share what you find if you come across this again. A sample of each exe from %appdata% and syswow64/system32 will work. A screenshot and VirusTotal scan would be very helpful for us as well. Use the first 2 posts in this topic as an example. Many times with rogues the exe that runs the UI acts also as a dropper, so you may in fact have found a dropper already. Thanks! :)
Ok, this is probably a different one, but I remember some fake AVs that create dozens or hundreds of small (empty?) .exe files in the system directories to be used as their "targets". They were named like the identification names used by real AVs, such as "W32.Trojan873426.exe", so when the victim sees them he thinks they are real. I think "SoftSoldier" was one of the fake AV programs that did this.
Re: Rogue Antimalware (FakeAV, 2014 year)
PostPosted:Sat Mar 22, 2014 8:03 pm
by thisisu
Credits to BornSlippy for posting these on MBAM forums. Just wanted to share with others that want to experiment as well. ;)
Password is infected
Re: Rogue Antimalware (FakeAV, 2014 year)
PostPosted:Sat Mar 22, 2014 8:09 pm
by thisisu
.. continued from
http://www.kernelmode.info/forum/postin ... 04#pr22523
All from the month of March. All FakeVimes.
Re: Rogue Antimalware (FakeAV, 2014 year)
PostPosted:Sat Apr 05, 2014 7:02 pm
by bitstechs
Thanks Thisisu!
Keep them coming from the malwarebytes forum if you can, I'm still trying to gain some access.
Re: Rogue Antimalware (FakeAV, 2014 year)
PostPosted:Mon Apr 07, 2014 3:06 am
by thisisu
Credits to BornSlippy of MBAM for finding and posting these
The .ico of Windows Internet Watchdog:
pass is infected
Re: Rogue Antimalware (FakeAV, 2014 year)
PostPosted:Thu Apr 10, 2014 7:39 pm
by bitstechs
Windows Internet Guard
Pulled from a computer today
VT Detection Ratio: 29/51
https://www.virustotal.com/en/file/1faa ... 397158271/

Re: Rogue Antimalware (FakeAV, 2014 year)
PostPosted:Sun Apr 20, 2014 12:11 am
by thisisu
Cool :)
Another
Windows Internet Guard credits to BornSlippy @ MBAM
pass: infected
https://www.virustotal.com/en/file/fe29 ... /analysis/