Page 7 of 34
Re: Rogue antimalware (FakeAV, FakeAlert)
Posted: Wed Mar 23, 2011 11:07 am
by EP_X0FF
@Striker
Forum rules:
Malware samples and links to malware are permitted, but you must obfuscate a link (i.e. hxxp://, NOT http://) and clearly show that a link is malware. This is to ensure people don't accidentally infect themselves.
Your post has been edited.
XP Anti-Spyware 2011
Posted: Sat Mar 26, 2011 11:27 am
by Meriadoc
XP Anti-Spyware 2011
XP Anti-Spyware 2011; I couldn't find it here, so:
I haven't run this, but here is an old pic; basically the same, with a change of date.
VT -
http://www.virustotal.com/file-scan/rep ... 1300956690 22/43
Re: Rogue antimalware (FakeAV, FakeAlert)
Posted: Sat Mar 26, 2011 9:16 pm
by peet
XP antispyware 2011 is an odd beast.
Disables Malwarebytes, MSE
Disables Firewall and updates
Blocks websites
But:
Runs in VMware, you can run installed software like CCleaner or a debugger (wut?)
After RKill and starting Mbam it does remove this rogue, but leaves a damaged Windows Update and a damaged service which you cannot turn on.
Re: Rogue antimalware (FakeAV, FakeAlert)
Posted: Sat Mar 26, 2011 11:25 pm
by SUPERIOR
@peet, completely agree with ... anyone else analyzed it? I tested it and something fishy was going on, it's like a rootkit :shock:
I got this:
suspicious: \\?\globalroot\device\harddiskvolume1\windows\temp\srvc04.tmp
which I guess is a DLL running under the "svchost" process.
Re: Rogue antimalware (FakeAV, FakeAlert)
Posted: Sat Mar 26, 2011 11:51 pm
by peet
I ran the above xp-antispyware sample through the comodo / anubis analysers and I think a real debugger might have a look at this. There is unusual traffic, and it seems to inject something that is debug resistant.
But I am not a real debugger.
http://camas.comodo.com/cgi-bin/submit? ... e590916991
http://anubis.iseclab.org/?action=resul ... ormat=html
MS Removal Tool
Posted: Mon Mar 28, 2011 12:48 pm
by bitx
MS Removal Tool
Screenshot:

Re: Rogue antimalware (FakeAV, FakeAlert)
Posted: Tue Mar 29, 2011 7:22 am
by Xylitol
yumm anti vmware :)
ascii dump:
00A31FF0 ¾.ú–Ø)ÌgWNDS-S0DF5-GS5E0-FG14S-2DF8G¦..WNDS-JUYH3-24GHJ-
00A32030 HGKSH-FKLSD¦..WNDS-89OF7-7324R-5SAD4-TG68U¦..WNDS-HFVDR-9844O-U5
00A32070 4DA-5TBSC¦..WNDS-G8FB6-1V87S-DRT1S-63SRG¦..WNDS-4BGY2-JY4KO-IT98
00A320B0 Y-7HJ43¦..WNDS-5D1V2-XB0D5-JT1TY-97DS3¦..WNDS-F40SA-1ER5H-4FG5D-
00A320F0 F8412¦..WNDS-SERFH-2642S-F04SD-64FG1¦..WNDS-S0DF5-GS5E0-FG14S-2D
00A32130 F8G¦..WNDS-452S3-ER00F-TSE35-S8FSD¦..WNDS-FGS5D-649RG-4S53D-412S
00A32170 F¦..WNDS-4TS8R-D6F5D-4JH8T-U4JK5¦..WNDS-2AE32-1VFC2-B6894-G67YU¦
00A321B0 ..WNDS-P9685-4H41A-DSW3A-2R64T¦..WNDS-5SRTS-AEHUF-YA54S-D6F35¦..
00A321F0 WNDS-A1SDF-RY4E8-7U98D-F1GB2¦..WNDS-A1SDF-6AS4D-RF5RE-79G84¦..WN
00A32230 DS-TTUYJ-7UO54-G561H-J1D6F¦..WNDS-G84H6-S854F-79ZA8-W4ERS¦..WNDS
00A32270 -6W954-FX65B-41VDF-8G4JI¦..WNDS-U94KO-LF4G4-1V8S1-2CRFE¦..WNDS-T
00A322B0 GN15-RFF29-AASDJ-ASD65¦..AAAA-BBBBB-CCCCC-DDDDD-EEEEE¦..........
XP Total Security
Posted: Tue Mar 29, 2011 7:51 pm
by Xylitol
XP Anti-Spyware
Posted: Fri Apr 01, 2011 4:00 am
by EP_X0FF
XP Anti-Spyware
The same "XP Anti-Spyware" as posted above, but without "2011" in the name :) Has RU/UA origin.
d/l hxxp://109.94.220.52/lol2.exe
https://www.virustotal.com/file-scan/re ... 1301628843
Nothing really special; detections and their descriptions are embedded as an array of text strings and it chooses them randomly.
Runs through
HKCU\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
HKCU\Software\Classes\.exe\Shell\Open\Command\(Default) as
"X:\Documents and Settings\User\Local Settings\Application Data\xov.exe" -a "%1" %*"
So after removal you need to manually fix these entries ("%1" %*), otherwise .exe files won't start anymore.
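As an added example (not code from the post or from the rogue), a Python check for the two per-user Shell\Open\Command keys described above: it parses a .reg export, flags any command value that is not the stock `"%1" %*`, reports which launcher was wedged in front of the real .exe, and emits a repair .reg that resets the keys. The key paths and the xov.exe value come from the post; the .reg text is a constructed sample.

```python
import re

# The two per-user keys the post says the rogue writes (paths taken from the post).
HIJACK_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Classes\Exefile\Shell\Open\Command",
    r"HKEY_CURRENT_USER\Software\Classes\.exe\Shell\Open\Command",
)
CLEAN_COMMAND = '"%1" %*'   # stock value: run the .exe itself with its arguments

# Constructed .reg export resembling what the rogue leaves behind (sample data, not a real dump).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Classes\Exefile\Shell\Open\Command]
@="\"X:\\Documents and Settings\\User\\Local Settings\\Application Data\\xov.exe\" -a \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe\Shell\Open\Command]
@="\"X:\\Documents and Settings\\User\\Local Settings\\Application Data\\xov.exe\" -a \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\txtfile\Shell\Open\Command]
@="\"%1\" %*"
'''

def parse_reg(text):
    """Return {key_path: default_value} for quoted '@=' values in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            values[key] = re.sub(r"\\(.)", r"\1", line[3:-1])  # undo \" and \\ escaping
    return values

def check_open_command(value):
    """Classify an open command: (hijacked, launcher path placed before the real .exe)."""
    if value.strip() == CLEAN_COMMAND:
        return (False, None)
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', value)
    return (True, (m.group(1) or m.group(2)) if m else value)

def audit_reg_export(text):
    """Report hijacked Exefile/.exe open commands found in a .reg export."""
    wanted = {k.lower() for k in HIJACK_KEYS}
    findings = {}
    for key, value in parse_reg(text).items():
        hijacked, launcher = check_open_command(value)
        if key.lower() in wanted and hijacked:
            findings[key] = launcher
    return findings

def repair_reg(findings):
    """Emit a .reg snippet that resets each hijacked key to the stock "%1" %* command."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in findings:
        lines += [f"[{key}]", '@="\\"%1\\" %*"', ""]
    return "\n".join(lines)
```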
Re: Rogue antimalware (FakeAV, FakeAlert)
Posted: Sat Apr 02, 2011 8:54 am
by Xylitol