Rogue Antimalware (FakeAV, 2014 year)

maddy
Posts: 15
Joined: Sat Sep 01, 2012 12:49 pm

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by maddy » Tue Feb 11, 2014 3:43 am

Hey,

look at this fake Microsoft Security Essentials,
Dropped in %AppData%

Protector-ogxv.exe
Protector-htre.exe
Protector-ouuh.exe
Protector-cwnr.exe

guard-nrbt.exe
guard-htnd.exe
guard-ilud.exe
guard-fmrt.exe

proto-ortd.exe
proto-bles.exe
proto-godd.exe
proto-plop.exe

safe-dnfg.exe
safe-werj.exe

protectkonm.exe
protectbdlt.exe
protectbqpo.exe

svc-hmds.exe
svc-mdqs.exe

bitstechs
Posts: 17
Joined: Wed Jun 19, 2013 7:38 am

Windows Antivirus Booster

Post by bitstechs » Tue Mar 04, 2014 7:32 pm


bitstechs
Posts: 17
Joined: Wed Jun 19, 2013 7:38 am

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by bitstechs » Fri Mar 07, 2014 1:46 am

Anyone else have the latest variants of this virus? I'm trying to hunt for them but it's rough. Malwarebytes' forums have tons, but I've yet to get invited into their malware hunter group.

Ormu
Posts: 8
Joined: Sat Oct 15, 2011 5:01 pm

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by Ormu » Thu Mar 13, 2014 6:41 pm

Cody Johnston wrote:
dairu87 wrote: It also dumps around 10-12 randomly named .exe's into the syswow64 directory.
Please share what you find if you come across this again. A sample of each exe from %appdata% and syswow64/system32 will work. A screenshot and VirusTotal scan would be very helpful for us as well. Use the first 2 posts in this topic as an example. Many times with rogues the exe that runs the UI also acts as a dropper, so you may in fact have found a dropper already. Thanks! :)
Ok, this is probably a different one, but I remember some fake-AVs that create dozens or hundreds of small (empty?) .exe files in the system directories to be used as their "targets". They were named like the identification names used by real AVs, such as "W32.Trojan873426.exe", so when the victim sees them he thinks they are real. I think "SoftSoldier" was one of the fake AV programs that did this.
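A detection-side example, added here and not written by anyone in this thread, that turns the %AppData% file names maddy posted and the empty decoy .exe files Ormu describes into a check over a directory listing. The sample listing, the "four lowercase letters" suffix rule, the W32.<Name><digits>.exe decoy form and the 512-byte size threshold are constructed assumptions, not facts from the posts.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Names maddy listed in %AppData%: <word>-<4 letters>.exe and protect<4 letters>.exe.
# Assumption: the random part is always four lowercase letters, as in every posted name.
APPDATA_DROPPED = re.compile(
    r"^(?:protector|guard|proto|safe|svc)-[a-z]{4}\.exe$|^protect[a-z]{4}\.exe$",
    re.IGNORECASE,
)
# Ormu's decoy "targets": empty .exe files named like AV detections (W32.Trojan873426.exe).
# Assumption: only the W32.<Name><digits>.exe form is covered here.
DECOY_NAME = re.compile(r"^w32\.[a-z]+\d+\.exe$", re.IGNORECASE)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
DECOY_MAX_SIZE = 512  # bytes; the post says "small (empty?)", the threshold is an assumption


def classify(path: str, size: int) -> Optional[str]:
    """Label one file from a (path, size) listing, or return None if nothing matches."""
    lowered = path.replace("/", "\\").lower()
    name = lowered.rsplit("\\", 1)[-1]
    # Location is part of the rule: the same name on a Desktop is not flagged,
    # which keeps false positives down at the cost of missing relocated copies.
    if "\\appdata\\" in lowered and APPDATA_DROPPED.match(name):
        return "fakeav-dropped-exe"
    if any(d in lowered for d in SYSTEM_DIRS) and DECOY_NAME.match(name) and size <= DECOY_MAX_SIZE:
        return "fakeav-decoy-target"
    return None


def scan(listing: Iterable[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Run classify() over a listing and keep only the hits."""
    hits = []
    for path, size in listing:
        label = classify(path, size)
        if label:
            hits.append((path, label))
    return hits


# Constructed sample listing (not real forensic data): a mix of hits and benign files.
SAMPLE_LISTING = [
    (r"C:\Users\victim\AppData\Roaming\Protector-ogxv.exe", 1_234_567),
    (r"C:\Users\victim\AppData\Roaming\guard-nrbt.exe", 1_234_567),
    (r"C:\Users\victim\AppData\Roaming\protectkonm.exe", 1_234_567),
    (r"C:\Users\victim\AppData\Local\Dropbox\Dropbox.exe", 40_000_000),
    (r"C:\Windows\System32\W32.Trojan873426.exe", 0),
    (r"C:\Windows\SysWOW64\W32.Backdoor1192.exe", 0),
    (r"C:\Windows\System32\notepad.exe", 243_712),
    (r"C:\Users\victim\Desktop\safe-werj.exe", 500),
]

if __name__ == "__main__":
    for path, label in scan(SAMPLE_LISTING):
        print(f"{label:22} {path}")
```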

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by thisisu » Sat Mar 22, 2014 8:03 pm

Credits to BornSlippy for posting these on MBAM forums. Just wanted to share with others that want to experiment as well. ;)

Password is infected

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by thisisu » Sat Mar 22, 2014 8:09 pm

.. continued from http://www.kernelmode.info/forum/postin ... 04#pr22523

All from the month of March. All FakeVimes.

bitstechs
Posts: 17
Joined: Wed Jun 19, 2013 7:38 am

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by bitstechs » Sat Apr 05, 2014 7:02 pm

Thanks Thisisu!

Keep them coming from the Malwarebytes forum if you can; I'm still trying to gain some access.

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by thisisu » Mon Apr 07, 2014 3:06 am

Credits to BornSlippy of MBAM for finding and posting these

The .ico of Windows Internet Watchdog: [image]

pass is infected

bitstechs
Posts: 17
Joined: Wed Jun 19, 2013 7:38 am

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by bitstechs » Thu Apr 10, 2014 7:39 pm

Windows Internet Guard

Pulled from a computer today

VT Detection Ratio: 29/51
https://www.virustotal.com/en/file/1faa ... 397158271/


thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by thisisu » Sun Apr 20, 2014 12:11 am

Cool :)
Another Windows Internet Guard, credits to BornSlippy @ MBAM
pass: infected
https://www.virustotal.com/en/file/fe29 ... /analysis/