Fraud/Rogue software

Forum for analysis and discussion about malware.

Postby EP_X0FF » Sun Apr 25, 2010 5:05 pm

Copyright Violator

VirusTotal
http://www.virustotal.com/ru/analisis/326df344386b5cfbab77544d642df2d92bdf6d98ae2f00b6785a6e232ceac050-1272214106

Created to scare inexperienced users; gives a lot of LOLs to everyone else.
Written in CodeGear RAD Studio v12.0.3170.16989.

Installs itself to X:\Documents and Settings\<UserName>\Application Data\ApManager (or in the corresponding directory under Users on Vista/7).

[image: installation directory]

Set to autostart via HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key.
Changes the wallpaper to the following:

[image: wallpaper]

Note: contains uninstaller :)
Ring0 - the source of inspiration
User avatar
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Registry Tool

Postby EP_X0FF » Tue Dec 14, 2010 11:38 am

Fraud tool.

http://www.virustotal.com/file-scan/rep ... 1292270683

Runs through HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[image: Registry Tool window]

Defragmenter

Postby EP_X0FF » Fri Dec 17, 2010 4:31 pm

Fake defragmenter with aggressive behavior. First mentioned by PX5 here.

Works like Trojan MulDrop.

Maps a malware DLL into Explorer.exe memory; this DLL is responsible for throwing idiotic scary messages at the user (like "Disk error" etc.).
Terminates programs started by Explorer.

Runs through HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[image: Defragmenter window]

[image: fake error message]

http://www.virustotal.com/file-scan/report.html?id=6e2529f643b88334bde1e0149ae8dec5bc37a58fb223f91de3b299bd00598c26-1292602183
http://www.virustotal.com/file-scan/report.html?id=8729630443bfdb83c140b14b5fb549ee6f97247b734be67aa8f1e7afbc7ae22e-1292603379

Dropper attached. Removal: kill and erase both rogue processes, kill and restart the Explorer process to free it from the rogue DLL. Clean up.

SMS Send

Postby EP_X0FF » Fri Dec 17, 2010 5:25 pm

Just got this in ICQ :)

Masquerades as a WinRAR self-extracting archive; for extraction it asks you to send an SMS :)

[image: SMS request dialog]

http://www.virustotal.com/file-scan/report.html?id=d482301fe93d15f52954ddeb13b81aa5fef9b5412d1cfa3827a00a1178f4743b-1292605745

HD Doctor

Postby EP_X0FF » Mon Dec 27, 2010 3:59 pm

During initial installation it displays a custom shutdown dialog and reboots the computer; after reboot it runs through HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Written in Delphi/CBuilder, whatever.

[image: custom shutdown dialog]

GUI, a little hacked, because this crap didn't work correctly for me :)
[image: GUI]

[image: pay-me dialog]

http://www.virustotal.com/file-scan/report.html?id=eac0a65d342f8a82287002772061a48a561406c238a833e6463ad603338b5dc5-1293464852
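The posts above name three user-level persistence points that need no admin rights: a Shell value under HKCU Winlogon (Copyright Violator, HD Doctor), the HKCU Run key (Registry Tool, Defragmenter) and a DLL mapped into explorer.exe (Defragmenter). The following script is an added example, not code from this thread or from any of the samples; it audits those three points from the affected user's session. It assumes Windows PowerShell 5.1 or later, that a clean profile has no HKCU Shell value, and that anything starting from the profile's Application Data / AppData tree or %TEMP% deserves a look; the "ApManager" folder name is the only sample-specific string and is taken from the first post.

```powershell
# Added example (not from the thread): audit the HKCU persistence points the
# rogues above use. Run as the affected user; no elevation needed.

function Get-SuspiciousShellValue {
    # The legitimate Shell value lives under HKLM and is "explorer.exe".
    # A clean profile has no Shell value under HKCU, so any value there
    # (as written by Copyright Violator and HD Doctor) is a finding.
    $key = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue
    if ($null -ne $item -and -not [string]::IsNullOrEmpty($item.Shell)) {
        [pscustomobject]@{ Location = "$key\Shell"; Value = $item.Shell }
    }
}

function Test-UserWritablePath {
    param([string]$Command)
    # Strip surrounding quotes and flag commands that start in the profile's
    # Application Data / AppData tree or in %TEMP%, where these rogues install
    # (e.g. "...\Application Data\ApManager" from the first post).
    $path = $Command.Trim().Trim('"')
    $prefixes = @(
        [Environment]::GetFolderPath('ApplicationData'),
        [Environment]::GetFolderPath('LocalApplicationData'),
        [IO.Path]::GetTempPath()
    )
    foreach ($prefix in $prefixes) {
        if ($path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousRunEntries {
    # Registry Tool and the fake defragmenter start from this key.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return }
    $noteProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $noteProps) { continue }   # provider metadata, not registry values
        if (Test-UserWritablePath -Command ([string]$p.Value)) {
            [pscustomobject]@{ Location = "$key\$($p.Name)"; Value = $p.Value }
        }
    }
}

function Get-ExplorerModulesOutsideSystemDirs {
    # The fake defragmenter maps its DLL into explorer.exe. List loaded modules
    # whose image lives outside the Windows and Program Files trees.
    $trusted = @([Environment]::GetFolderPath('Windows'), [Environment]::GetFolderPath('ProgramFiles'))
    if (${env:ProgramFiles(x86)}) { $trusted += ${env:ProgramFiles(x86)} }
    foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch { continue }   # access denied / bitness mismatch
        foreach ($m in $modules) {
            $inTrusted = $false
            foreach ($dir in $trusted) {
                if ($m.FileName.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true; break }
            }
            if (-not $inTrusted) {
                [pscustomobject]@{ Location = "explorer.exe (PID $($proc.Id))"; Value = $m.FileName }
            }
        }
    }
}

$findings = @(Get-SuspiciousShellValue) + @(Get-SuspiciousRunEntries) + @(Get-ExplorerModulesOutsideSystemDirs)
if ($findings.Count -eq 0) {
    'No findings at the checked persistence points.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The output is a triage list, not a verdict: some legitimate software registers Run entries or shell extensions from the user profile, so each finding should be checked against the file's publisher and hash (the VirusTotal links in the posts are the kind of lookup that settles it). For the Defragmenter case the module list is the useful part, since the removal note in that post depends on knowing which DLL to free explorer.exe from before restarting it.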

Re: Fraud/Rouge software

Postby Xylitol » Mon Dec 27, 2010 6:10 pm

Tiny precision on HD Doctor: the first time I analyzed it I got pwned lol.
I thought this one was a bug, but it's not.
You need 8 icons on your desktop to run it 'full'.
User avatar
Xylitol
Global Moderator
 
Posts: 1635
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 494

WinRARc

Postby EP_X0FF » Wed Jan 12, 2011 3:18 pm

This is a quite interesting hoax, masquerading as a WinRAR archive.

Stuff comes from hxxp://rapidaloads4.ru/
To get a sample, download an archive, ANY archive (which is actually an executable packed with UPX).

[image: download page]

When started, the hoax displays a main window with the "contents" of the archive and waits for user action.
An EULA is also present, where (highlighted in red) it is honestly written that this is a hoax. lol

[image: main window with EULA]

You press "Extract", it simulates some activity and then the window is refreshed with "Select your country" stuff.
Be careful, because this buggy trash can crash if you select anything except a few countries in the list. I suggest you select the first country in the list.
Next it wants some money: send 1 SMS to the short number displayed on screen (numbers differ from country to country).
The SMS price is given in the EULA, but nobody reads EULAs, yes?

For Russia the price for 1 SMS is 10$.

Once you send the first SMS, it asks for a second SMS :) And then it wants a third SMS.
Codes for this part: 8109580, 2406415, 1645976.

So it's about 30$ just to get to this window.
Now it requires you to enter the tel number from which you sent all 3 SMS previously.

[image: phone number window]

Code to get in: 2406415.

Finally you have what you want: a list of torrents, and they even work.
There is also a very cool description of how to download a torrent client and how to download torrent files from the server.

[image: torrent list]

In simple words, you are paying ~30$ and giving your phone number for a FAQ on how to install uTorrent and use Google. Obviously the victims of this hoax are not really smart people.

Target site location hxxp://zakachalo6.ru

Re: Fraud/Rouge software

Postby Xylitol » Wed Jan 12, 2011 5:25 pm

Thanks for the WinRARc explanation, I've tried to crack it but it's very hard stuff for me.
I got another sample (heavier, protected with VMProtect)
and similar to WinRARc...

[image: sample window 1]

[image: sample window 2]

[image: sample window 3]

Size is ~15.0 MB
Fully undetected: http://www.virustotal.com/file-scan/rep ... 1294367394
Download: http://www.mediafire.com/?ubuz51m5ipmgb4a
See archive comment for password.

I've reused your text to update my article about that; if you are against it, tell me and I'll remove it.
hxxp://xylibox.blogspot.com/2011/01/hoa ... llers.html
Last edited by EP_X0FF on Sun Feb 06, 2011 5:10 am, edited 1 time in total.
Reason: edit: resized images

Re: Fraud/Rouge software

Postby EP_X0FF » Wed Jan 12, 2011 5:31 pm

Cool, thanks for sharing.

I've reused your text to update my article about that; if you are against it, tell me and I'll remove it.

It's Ok :)

Re: Fraud/Rouge software

Postby Xylitol » Sun Jan 16, 2011 12:59 pm

New HoaxSMS about Flash Player
Can be downloaded from: http://avast-russ.ru/FLASH10.exe
[image: download page]

VT: http://www.virustotal.com/file-scan/rep ... 1295179078
Seems EP has already checked it :p
Anyway, something is wrong: not a fake installer for uTorrent but for the Flash plugin
(just the site is about uTorrent)
[image: site]

Right after execution the following information is displayed:
[image: information dialog]

The EULA:
[image: EULA]

Select a folder:
[image: folder selection]

Select an option and pay 3 SMS:
[image: SMS payment dialog]

The serial check is done online:
URL: http://93.174.88.125/check_a_pass/
POST DATA: a_id=572&a_pass=serialHere

But we don't need to crack the file this time:
FLASH10.exe creates a folder in %temp% called "extractor"
[image: extractor folder]

Then it launches "SfxChecker.exe", which asks you for some SMS.
But FLASH10.exe has also added to the temp folder the files "7zr.exe" and "arch.7z".
When you have entered your 3 SMS, SfxChecker launches 7zr.exe (7-Zip by Igor Pavlov) and extracts the file arch.7z.
We can do that, right?

C:\Documents and Settings\Administrateur\Bureau>7zr.exe e arch.7z

7-Zip (A) 9.12 beta Copyright (c) 1999-2010 Igor Pavlov 2010-03-24

Processing archive: arch.7z

Extracting Plugins_Portable_Flash_10.1.53.64.paf.exe

Everything is Ok

Size: 2430844
Compressed: 2429724

C:\Documents and Settings\Administrateur\Bureau>

And you have your Flash Player extracted:
[image: extracted file]

[image: Flash Player installer]

In simple words, you are again paying 3 SMS for nothing.
The Flash Player from Adobe is free.
Last edited by EP_X0FF on Sun Feb 06, 2011 5:16 am, edited 1 time in total.
Reason: edit: resized images