Page 6 of 34

FakeSysdef

PostPosted:Wed Mar 16, 2011 2:29 am
by egomoo
Does anyone have the new rogue "Windows Diagnostic" or "System Diagnostic"?

Thanks very much if you could post the sample here.

Image

E-Set Antivirus 2011

PostPosted:Wed Mar 16, 2011 1:33 pm
by Meriadoc
E-Set Antivirus 2011

VT - http://www.virustotal.com/file-scan/rep ... 1300280043 0/40

Image
AVG icon/E-Set (play on eset?) seems familiar.

edit: could not get it to run in a VM or sandbox and I'm not able to use a real machine atm. If someone could post some screens that would be much appreciated :)

E-Set Antivirus 2011

PostPosted:Wed Mar 16, 2011 3:05 pm
by ngyikp
Meriadoc wrote:E-Set Antivirus 2011
Found a way to run this in a VM: create a file called "nvm.ch" in the folder of the dropper, in %programfiles%\E-Set\, and in %windir%\system32

Oh my... this FakeAV steals the AVG logo and interface, rips off ESET's name AND copies Norton and Panda (and probably BitDefender as well) to fill the web site

SCREENSHOTS:
Downloader:
Image

Main window:
Image

Security overview:
Image

Annoy screens:
Image
Image
Image
"... malicious backdoor Trojan that will cause complete chaos for both you and your computer."
Image
Image

Hijacks Internet Explorer, Firefox, Opera, Google Chrome and Safari via Image File Execution Options
Image

Internet Explorer Emergency Mode:
Image
Image

WARNING: Visiting this web site may cause deja vu!
_hxxp://secure.zsecuritymall.com/
Image

Re: Rogue antimalware (FakeAV, FakeAlert)

PostPosted:Wed Mar 16, 2011 9:48 pm
by Xylitol
Meriadoc, sorry for the late response, I've seen your private message but I was busy :s
Some additional information:

main:
Image

Anti-analysis (and just a tiny part):
Image

badboy:
Image

The first key "=" is a launch protection and "<" means the rogue is registered; another key also defines whether the "Internet Explorer Emergency Mode" is activated or deactivated, but I was too bored to search through the junk to find the right one.
Code:
    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\A88B44]
    "fhgbcglanhmbignajg"="<"
    "chacffld"="="
Serial to register: ABC12-DEF34-GHI56-JKL789
The original binary "setup.exe" makes a copy of itself in %systemroot%\System32 under the name "msiexecs.exe"
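An added example, not code from any poster in this thread: a small Python script that parses a Windows registry export (the "Windows Registry Editor Version 5.00" format Xylitol pasted above) and flags the two indicators discussed in this page, the browser IFEO hijack ngyikp mentions and the HKCU\Software\A88B44 key with the "<" / "=" marker values from Xylitol's post. The sample export is constructed; the Debugger path pointing at msiexecs.exe is an assumption for illustration, and the taskmgr.exe entry is included only to show that not every IFEO Debugger value is malicious. On a live box you would export the keys with reg.exe and read the file with encoding="utf-16".

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export: the A88B44 key as posted above, plus an IFEO entry
# for firefox.exe whose Debugger path is an ASSUMPTION, and a benign
# Process Explorer "replace Task Manager" entry as a control case.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\A88B44]
"fhgbcglanhmbignajg"="<"
"chacffld"="="

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
"Debugger"="C:\\Windows\\System32\\msiexecs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Program Files\\Sysinternals\\procexp.exe\""
'''

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")
# Browsers the post says the rogue hijacks via IFEO.
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe", "chrome.exe", "safari.exe"}
ROGUE_KEY = "HKEY_CURRENT_USER\\Software\\A88B44"

# "name"=data  or  @=data (default value); data is kept raw for non-string types.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # REG_SZ
        keys[current][name] = data
    return keys


def find_ifeo_hijacks(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (executable, debugger) pairs for browsers with an IFEO Debugger set."""
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(IFEO_PREFIX.lower()):
            continue
        exe = path[len(IFEO_PREFIX):].lower()
        debugger = values.get("Debugger")
        if debugger and exe in BROWSERS:
            findings.append((exe, debugger))
    return findings


def has_rogue_marker(keys: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    """Check the A88B44 key by value data, since the value names look randomised."""
    data = set(keys.get(ROGUE_KEY, {}).values())
    return {"registered": "<" in data, "launch_protection": "=" in data}


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for exe, dbg in find_ifeo_hijacks(parsed):
        print(f"IFEO hijack: {exe} -> {dbg}")
    print("A88B44 markers:", has_rogue_marker(parsed))
```

The script keys the A88B44 check on the value data ("<" and "=") rather than on the value names, because the names in the posted key look per-install random; the IFEO check whitelists nothing and simply reports any Debugger set on the five browsers, so a legitimate entry there still deserves a look.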

Re: Malware Requests

PostPosted:Fri Mar 18, 2011 6:53 pm
by PX5
Windows Diagnostics will come out of this thread, last page, last post by markusg

http://www.kernelmode.info/forum/viewto ... 7&start=20

Re: Trojan.Advload

Postby markusg » Thu Mar 17, 2011 10:55 am

your_exe.rar
(26.83 KiB)

CleanThis

PostPosted:Sat Mar 19, 2011 4:03 am
by Xylitol

Re: Rogue antimalware (FakeAV, FakeAlert)

PostPosted:Sat Mar 19, 2011 4:06 am
by EP_X0FF
ThinkPoint remake?

Re: Malware Requests

PostPosted:Sat Mar 19, 2011 10:56 am
by PX5
This is an older loader I believe will install what you want, I will grab the other identical looking loader off my test machine later today.

System Defender

PostPosted:Mon Mar 21, 2011 2:26 pm
by Striker
System Defender
(Installer from the new fake scan pages)

Only a .dll file. The file is hidden and works only with rundll32.exe

Screenshots:

Image

Image

Quick System Cleaner

PostPosted:Mon Mar 21, 2011 2:31 pm
by Striker
Quick System Cleaner

Installer incl. Patch.
Homepage: hxxps://pcbug-repair.com/download.htm

Screenshot:

Image