Antimalware Tool

Posted: Sun Apr 03, 2011 9:16 pm
by Xylitol
Antimalware Tool

Antimalware Tool and fake scanner page with deobfuscated version incl
https://www.virustotal.com/file-scan/re ... 1301865042
https://www.virustotal.com/file-scan/re ... 1301865350

MS Removal Tool

Posted: Tue Apr 05, 2011 12:55 am
by Triple Helix
Best Antivirus
http://www.virustotal.com/file-scan/rep ... 1301964576

hxxp://antispyware-apps.co.cc/fast-scan/

TH

MS Removal Tool

Posted: Tue Apr 05, 2011 11:46 am
by ngyikp
Triple Helix wrote: BestAntiVirus2011
MS Removal Tool, nothing too special

Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Tue Apr 05, 2011 1:29 pm
by peet
BestAntivirus2011

I started this in a VM (XP Pro SP3); it leaves a "residue" file and tries to launch an encrypted process. Unfortunately my skills are limited.
Code:
00442B3F   0F3F             ???                                      ; Unknown command
00442B41   07               POP ES                                   ; Modification of segment register
00442B42   0BC7             OR EAX,EDI
00442B44   45               INC EBP
00442B45   FC               CLD
00442B46   FFFF             ???                                      ; Unknown command
00442B48   FFFF             ???                                      ; Unknown command
00442B4A   C745 FC FEFFFFFF MOV DWORD PTR SS:[EBP-4],-2
00442B51   EB 20            JMP SHORT BestAnti.00442B73
00442B53   B8 01000000      MOV EAX,1

Kanal detected 2 crypto processes
aPLib :: 000542C6 :: 004CE8C6
MD5 :: 000159B1 :: 004165B1


Antivirus Antispyware 2011

Posted: Tue Apr 05, 2011 8:47 pm
by Meriadoc
Antivirus Antispyware 2011

hxxp://scaner-bigapi.tk/security_essentials/?afid=164

Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Wed Apr 06, 2011 8:47 am
by Meriadoc
cont...

make sure you have volume down, I had my speakers turned right up and nearly jumped out of my skin when 'she' said 'new virus found'

more screens, plus a one day special :)

atm I'm only able to tell you that several startup entries are made and processes hide in the Program Files folder, for example: Process systemoperating.exe C:\program files\internet explorer\connection wizard\systemoperating.exe

Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Wed Apr 06, 2011 9:52 am
by Maxstar
Meriadoc wrote: make sure you have volume down, I had my speakers turned right up and nearly jumped out of my skin when 'she' said 'new virus found'
I was surprised too when I heard the virus warning after I installed this sample. :lol:
http://www.pcwebplus.nl/phpbb/viewtopic ... 599#p12599

CleanThis Fake Scanner Webpage

Posted: Sat Apr 09, 2011 4:46 pm
by ngyikp
Fake scanner page:
hxxp://scanpcnow.cz.cc/scan/dim_sp/free/

Win XP My Computer layout, but with Win7 icons instead. FAIL

Downloads CleanThis, reuploaded just for archival sake
Code:
freesystemscan.exe
d2fbf8032d5ad07e8cee6912d922807c
72021438d2c49703be4acfa20d16c106b38cdabb
c41259f3

Best Malware Protection

Posted: Sun Apr 10, 2011 2:31 am
by ngyikp
Best Malware Protection

Downloader/Dropper

Can't download the payload file, keeps disconnecting for me

Antivirus Clean 2011

Posted: Wed Apr 13, 2011 7:31 am
by bitx
Antivirus Clean 2011
