Rogue Antimalware (FakeAV, 2010)
Posted: Mon Mar 22, 2010 2:56 pm
A special class of malicious software, represented mostly by scareware,
including fake antiviruses, anti-spyware, anti-keyloggers etc.
They may also carry additional malware on board, or download more stuff from the internet, acting just like a trivial trojan downloader or multi-dropper.
Some fake AVs are downloaded by the TDL3 rootkit, for example, or download it themselves.
This class of malicious programs is mostly written in Delphi (but the one listed below is an exception).
They have quickly made GUIs with a lot of graphics. Sometimes they even look very good (Internet Security / Security Essentials 2010 trojan).
During installation they set themselves to load with Windows, usually via common registry keys. Sometimes rogue antimalware tries to terminate
all processes running in the background (excluding system processes, of course) to avoid detection and removal.
All of them have a few hardcoded detections inside (virus names and their fictional descriptions) that the user is meant to see. And all of them ask for your money to be "activated", "updated" etc.
PCDefender from Misha
(Misha is the author's name, from a string found inside the executable -> C:\Users\Misha\Documents\Visual Studio 2010\Projects\Antispyware\Release\Antispyware.pdb)
VirusTotal
http://www.virustotal.com/analisis/5ae5 ... 1269269107
Keeps an additional process loaded, proccheck.exe. It plays the role of a watcher that resurrects the main process of the fake AV if it is terminated.
Sets itself to autorun through
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Funny screenshots with this rogue.
GUI with detections of course

Viruses found!

Removal is trivial. Suspend proccheck.exe, terminate the main executable and then terminate proccheck.exe, clean up the registry entry and remove the files from disk.
Next, perform a full system scan with a few antiviruses.
If you have more rogues with analysis you have made, feel free to post it here ;)
Sample attached.
MD5
e4d4a59494265949993e26dee7b077d1
SHA1
83e3d0c7e544117d6054e7d55932a7d2dbaf1163
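The removal procedure described in the post above, as an added example (not code from the post, and not the sample's own code). It assumes proccheck.exe is the watcher as described; the main executable's image name is not given in the post, so it is a parameter. The ordering matters: the watcher is suspended first so it cannot respawn the main process while that is being killed. The Userinit value SAMPLE_INFECTED is a constructed illustration of what an appended rogue entry looks like, not an indicator taken from the sample. The Userinit parsing runs on any OS; the process and registry handling needs an elevated Python on Windows.

```python
"""Rogue AV cleanup helper: Winlogon\\Userinit check plus watcher-first kill.

Added example for this thread. Assumes proccheck.exe is the watcher;
the main image name is a parameter. SAMPLE_INFECTED is constructed.
"""
import csv
import ctypes
import io
import ntpath
import subprocess
import sys

# Default Winlogon\Userinit on a 2010-era install; the trailing comma is normal.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"
# Constructed example of a Userinit value with a rogue entry appended.
SAMPLE_INFECTED = r"C:\Windows\system32\userinit.exe,C:\Example\rogue.exe,"

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
PROCESS_TERMINATE = 0x0001
PROCESS_SUSPEND_RESUME = 0x0800


def split_userinit(value):
    """Split the comma-separated Userinit value into non-empty entries."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def _norm(path):
    # Case-insensitive, separator-normalised comparison of Windows paths.
    return ntpath.normcase(ntpath.normpath(path))


def rogue_entries(value, system_root=r"C:\Windows"):
    """Return every Userinit entry that is not the legitimate userinit.exe."""
    legit = _norm(ntpath.join(system_root, "system32", "userinit.exe"))
    return [e for e in split_userinit(value) if _norm(e) != legit]


def cleaned_userinit(value, system_root=r"C:\Windows"):
    """Rebuild the value without rogue entries; restore the default if nothing is left."""
    bad = set(rogue_entries(value, system_root))
    keep = [e for e in split_userinit(value) if e not in bad]
    if not keep:
        keep = [ntpath.join(system_root, "system32", "userinit.exe")]
    return ",".join(keep) + ","


def pids_by_image(image_name):
    """PIDs of all processes with this image name, via tasklist CSV output (Windows)."""
    out = subprocess.run(
        ["tasklist", "/FI", f"IMAGENAME eq {image_name}", "/FO", "CSV", "/NH"],
        capture_output=True, text=True, check=False).stdout
    return [int(row[1]) for row in csv.reader(io.StringIO(out))
            if len(row) >= 2 and row[0].lower() == image_name.lower()]


def _with_handle(pid, access, fn):
    """Open the process with the given access, run fn(handle), always close it."""
    k32 = ctypes.windll.kernel32
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    k32.TerminateProcess.argtypes = [ctypes.c_void_p, ctypes.c_uint]
    ctypes.windll.ntdll.NtSuspendProcess.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(access, False, pid)
    if not handle:
        raise ctypes.WinError()
    try:
        return fn(handle)
    finally:
        k32.CloseHandle(handle)


def suspend_process(pid):
    """Freeze every thread with NtSuspendProcess so the watcher cannot react."""
    def do(h):
        status = ctypes.windll.ntdll.NtSuspendProcess(h)
        if status != 0:
            raise OSError(f"NtSuspendProcess failed: 0x{status & 0xFFFFFFFF:08X}")
    _with_handle(pid, PROCESS_SUSPEND_RESUME, do)


def terminate_process(pid):
    def do(h):
        if not ctypes.windll.kernel32.TerminateProcess(h, 1):
            raise ctypes.WinError()
    _with_handle(pid, PROCESS_TERMINATE, do)


def remove_rogue(main_image, watcher_image="proccheck.exe", system_root=r"C:\Windows"):
    """Suspend the watcher, kill main, kill the watcher, then strip Userinit persistence.
    Files on disk are left for manual removal. Returns the Userinit entries removed."""
    import winreg  # Windows-only module, imported lazily
    watchers = pids_by_image(watcher_image)
    for pid in watchers:
        suspend_process(pid)  # frozen: it can no longer resurrect the main process
    for pid in pids_by_image(main_image):
        terminate_process(pid)
    for pid in watchers:
        terminate_process(pid)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_SET_VALUE) as key:
        value, vtype = winreg.QueryValueEx(key, "Userinit")
        bad = rogue_entries(value, system_root)
        if bad:
            winreg.SetValueEx(key, "Userinit", 0, vtype, cleaned_userinit(value, system_root))
    return bad


if __name__ == "__main__":
    if sys.platform != "win32" or len(sys.argv) != 2:
        print("usage (elevated, on Windows): python rogue_cleanup.py <main_image.exe>")
        sys.exit(1)
    print("removed Userinit entries:", remove_rogue(sys.argv[1]))
```

Run it elevated on the infected box with the main image name as the argument; it leaves the files on disk for manual deletion and does not replace the full AV scans the post recommends afterwards. On a 64-bit Windows use a 64-bit Python so the handle and registry views match the native ones.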