Page 2 of 8

Re: Rogue.Digital Protection (+Added TDSS)

Posted: Tue Apr 13, 2010 4:15 am
by EP_X0FF
Hi Ade,

thanks for the sample.

It is downloading Digital Protection executable from 91.212.127.19.

It seems this crap was previously named "Malware Defense". Looks like a parody of NOD32 lol.

It contains a dll that performs hooking (splicing method) of the CreateProcessW function in explorer.exe.
Replaces the standard Windows Security Center with its own fake.

Image
Image

Keeps connection with ns.km30339.keymachine.de

Digital protection folder :)
Size 7.35 MB, with some mp3 files.
pass: malware

http://www.megaupload.com/?d=DX9BBM00

Antivirus Suite

Posted: Tue Apr 13, 2010 1:45 pm
by NOP
Antivirus Suite

Drops to App Data\[7randomchars]\[same7randomchars].exe

Image

Packed with a custom packer and UPX.

Antivirus Plus

Posted: Wed Apr 14, 2010 6:22 am
by EP_X0FF
Antivirus Plus

VirScan (downloader)
http://virscan.org/report/5d186b14ac8f1 ... 5eefb.html

VirScan (payload dll)
http://virscan.org/report/1a37c7e17e0b2 ... edd3e.html

GUI
Image

RegisterMe dialog
Image

Starts itself through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as rundll32.exe c:\documents and settings\<user name>\application data\antivirus plus\antivirus plus.1.dll

FakeAV downloader and its payload AntivirusPlus dll in the attachment, enjoy :)

XP Security Tool

Posted: Fri Apr 16, 2010 5:21 am
by EP_X0FF
XP Security Tool
(reincarnation of Xp Defender)

VirScan
http://virscan.org/report/4d392b2743665 ... 445c7.html

Jotti
http://virusscan.jotti.org/en/scanresul ... 7572a2a26d

Behavior is the same :)

Image

Removal: terminate the fakeav process, locate and eradicate the executable, usually stored inside X:\Documents and Settings\<user name>\Local Settings\Application Data as an executable file with the hidden file flag set.

Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Fri Apr 16, 2010 3:37 pm
by NOP
Had that yesterday, but it was called XP Smart Security; reinfected and got the name above. The name seems to vary; a friend of mine's girlfriend got infected with it, but it was called Vista Security Tool.

See what I mean here. The same loader (a PPI one) executed 3 times in as many minutes gave me 3 different window titles.

http://i40.tinypic.com/2ed2vdu.png
http://i40.tinypic.com/2cibvaq.png
http://i44.tinypic.com/k1s4zb.png

Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Mon Apr 26, 2010 3:08 pm
by EP_X0FF
I believe this is the same hxxp://globalinformationsecurity.com/buy.html

Image

As well as:

PC Care Live
Your Security
Your Security Plus
Live PC Antispyware
Global Information Security

Antivirus 7

Posted: Sun May 02, 2010 4:53 am
by EP_X0FF
Antivirus 7

Image

Fake AV with a built-in robot-powered chat :) Written in CodeGear RAD Studio.

Has aggressive behavior: terminates all starting applications as "infected" (timer with windows scan).

VirusTotal
http://www.virustotal.com/ru/analisis/0 ... 1272774609
http://www.virustotal.com/ru/analisis/2 ... 1272775807

GUI
Image

Bot powered chat
Image

Detection
Image

Downloads and installs itself to X:\Program Files\AV7 (X - system disk letter).

Sets itself to autorun via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.

Removal: boot into safe mode and remove the startup registry entry along with the executable. Or use something with self-protection against termination. The fake av tries to inject remote threads into starting applications.

AKM Antivirus 2010

Posted: Wed May 05, 2010 11:43 am
by EP_X0FF
AKM Antivirus 2010

VirusTotal dropper
http://www.virustotal.com/analisis/aa5b ... 1273059734

additional components
http://www.virustotal.com/analisis/22e0 ... 1273059803
http://www.virustotal.com/analisis/f9d2 ... 1273059813

Aggressive behavior: terminates starting applications as "infected".

Drops "svchost.exe" to C:\Program Files\, then starts the main executable from the C:\Program Files\AKM Antivirus 2010 Pro folder.
svchost.exe has guard abilities: it restarts the fake av if it was terminated, and fools users because it is nearly impossible to find it in Task Manager.
Replaces the security control center with its own HTML-based fake.

Sets itself to autorun as the service AdbUpd.
Additionally sets itself to start as the handler of executable files: HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
C:\Program Files\alggui.exe "%1" %*

So without cleaning the registry, this fake av is dangerous to remove.

GUI
Image

Detections
Image

"Support"
Image

Security Central

Posted: Fri May 07, 2010 11:22 am
by NOP
Security Central

Image

Installs to %Program Files%\Security Central\Security Central.exe

Runs via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Security Central" %Path%

Terminates any process that doesn't have a system name (svchost.exe, etc.).

Removal: copy taskmgr anywhere and rename it to svchost.exe, kill Security Central.exe and delete the file from disk, open regedit and delete the registry key.
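
The persistence points named across this page (the Run keys used by Antivirus Plus, Antivirus 7 and Security Central, the AdbUpd service and the exefile handler hijack from the AKM Antivirus 2010 post, and svchost.exe masquerading) can be audited with one PowerShell script. This is an added example for the thread, not code posted by EP_X0FF or NOP; the only page-specific names it uses are the AdbUpd service name and the registry paths quoted in the posts, and the "suspicious" heuristics (rundll32 loaders, entries under Application Data) are my own reading of the samples described above.

```powershell
# Added example, not code from the thread: audit the persistence points described
# in the AKM Antivirus 2010 and Security Central posts on a Windows box.
# Run from an elevated PowerShell prompt. Read-only unless -Repair is given.
[CmdletBinding()]
param(
    [switch]$Repair   # put the exefile handler back to its default if it was hijacked
)

# Default "open" command for .exe files on a clean system.
$ExpectedExeCommand = '"%1" %*'
$ExefileKey = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'

# Autostart locations used by the rogues in this thread.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Exefile handler hijack (AKM Antivirus 2010 pointed it at alggui.exe).
#    Check this BEFORE deleting the rogue's files: once the handler target is gone,
#    launching any .exe fails, which is what makes this one "dangerous to remove".
$exeCommand = (Get-ItemProperty -Path $ExefileKey).'(default)'
if ($exeCommand -ne $ExpectedExeCommand) {
    Write-Warning "exefile handler hijacked: $exeCommand"
    if ($Repair) {
        Set-ItemProperty -Path $ExefileKey -Name '(default)' -Value $ExpectedExeCommand
        Write-Output "exefile handler restored to $ExpectedExeCommand"
    }
} else {
    Write-Output 'exefile handler OK'
}

# 2. Run keys: list every entry and flag the patterns seen in the thread
#    (rundll32 loading a dll, or anything living under the user's Application Data).
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $entry = Get-ItemProperty -Path $key
    foreach ($prop in $entry.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        $cmd = [string]$prop.Value
        $flags = @()
        if ($cmd -match 'rundll32') { $flags += 'rundll32 loader' }
        if ($cmd -match 'Application Data|AppData') { $flags += 'runs from profile data dir' }
        [pscustomobject]@{
            Key        = $key
            Name       = $prop.Name
            Command    = $cmd
            Suspicious = ($flags -join ', ')
        }
    }
}

# 3. Service persistence: AdbUpd is the service name given in the AKM post.
$svc = Get-Service -Name 'AdbUpd' -ErrorAction SilentlyContinue
if ($svc) { Write-Warning "service AdbUpd present (status: $($svc.Status))" }

# 4. Process masquerading: the real svchost.exe lives in System32. The AKM guard
#    process and the Security Central "system name" check both rely on the name alone.
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\System32\*" } |
    ForEach-Object { Write-Warning "svchost.exe running from unexpected path: $($_.Path) (PID $($_.Id))" }
```

Run it once without `-Repair` to see what is set, then with `-Repair` only after confirming the exefile value is not something your own environment put there. Step 2 prints every Run entry, flagged or not, because the rogues here use ordinary names ("Security Central", random 7-character strings); the flags only mark the two patterns the posts describe. Step 4 needs elevation to read `Path` for processes owned by other users, and on 64-bit systems a process from `SysWOW64\svchost.exe` would also be reported and should be judged by its path rather than dismissed.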

Re: Rogue antimalware (FakeAV, FakeAlert)

Posted: Fri May 07, 2010 2:11 pm
by EP_X0FF