A forum for reverse engineering, OS internals and malware analysis 

Rogue Antimalware (FakeAV, 2010 year)

Forum for analysis and discussion about malware.
 Topic locked

Re: Rogue antimalware (FakeAV, FakeAlert)

 #1070  by egomoo
 Thu May 13, 2010 2:02 am
Image

desktop security 2010

it random select folder under %programfiles% to combine the infected fiels

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\]
<MicrosoftHXVZUI><c:\program files\common files\microsoft shared\help\1028\hxdsuimicrosoft.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\]
<clientshutdownStudio><c:\program files\common files\microsoft shared\corecon\1.0\target\wce400\mipsii\cmacceptstudio.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\]
<MicrosoftFramework><c:\program files\microsoft visual studio 8\common7\ide\xml\2052\microsoftxmleditorui.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\]
<MsoEuroOffice11.0.5510><c:\program files\common files\microsoft shared\euro\microsoftoffice.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
<ModuleHideHelper><c:\program files\360\360se\plugin\hidehelper\modulehidehelper.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
<TortoiseSVNTortoiseOverlays><c:\program files\common files\tortoiseoverlays\tortoiseoverlaystortoisesvn.exe>

online scan result:
http://www.virustotal.com/analisis/7778 ... 1273664227
Attachments
(129.96 KiB) Downloaded 120 times

Re: Microsoft Security Essentials Clone

 #1071  by egomoo
 Thu May 13, 2010 2:13 am
a new one log

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit]
<Userinit><c:\windows\system32\winlogon32.exe>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
<Shell><c:\windows\system32\pgsb.lto>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
<kulmgqqut><c:\windows\system32\kulmgqqut.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\]
<Security essentials 2010><c:\program files\securityessentials2010\se2010.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\]
<kulmgqqut><c:\documents and settings\administrator\kulmgqqut.exe>
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\]
<smss32.exe><c:\windows\system32\smss32.exe>
[system file infected or corrupted]
<system file infected or corrupted><C:\WINDOWS\System32\drivers\ndis.sys>

online scan :http://www.virustotal.com/zh-cn/analisi ... 1273702580
Attachments
(49.01 KiB) Downloaded 111 times

Antispyware Soft

 #1103  by wealllbe20
 Fri May 14, 2010 9:04 pm
Antispyware Soft

Image

since everybody else is posting this stuff.

Thsi malware is very similar to nop's on page 1.
it will only load if an internet connection is present.


this is not the hardest one to get rid of as it does not infect the .exe portion of the registry.

but every time you load any executable .com, .exe , scr it will tell you it's infected.

here are my notes from many months ago dealing in removing this stuff when it was everywhere.
Code: Select all
made user go to c:\windows\system32

taskmgr.exe was not found
taskkill.exe was not found
tasklist.exe was not found
user was displaying hidden files and protected operating system files

we did a start then run:

made user type in:
cmd /k copy c:\windows\system32\taskmgr.exe c:\explorer.exe
Error came up and it appeared to block the command but explorer.exe was copied to c:\
made user try to run taskmgr.exe as c:\explorer.exe it was blocked by malware.
I then made user try
to run the command
cmd /k copy c:\windows\system32\taskmgr.exe c:\iexplore.exe
malware appeared to block but file was displayed.
then were able to pull up taskmgr as c:\iexplore.exe
we killed many processes that were not needed or seemed to be malicious

after taking control of machine i found out the only processes that needed to be killed was xkiffaei.exe located in %userprofile%\local settings\temp

we then tried to go to google but failed.

we then unchecked a proxy server that was pointing to 127.0.0.1:5555

obviously some malware acting as a redirection proxy.

After unchecking proxy connection

was able to goto google.com and ultimately gotoassist.com
and took control of machine

ran runscanner it seemed to be only that 1 process.
took it out of autostart and deleted the underlying file.


as a note rundll32.exe was running so a possible rouge dll.

No rootkit was detected
via the newest version of gmer renamed a random filename.

restarted machine
then ran hitmanpro and it found 0 infections.
Attachments
Warning malware: password infected
(254.14 KiB) Downloaded 127 times
Last edited by EP_X0FF on Sat Apr 16, 2011 3:38 am, edited 1 time in total. Reason: Screenshot has been resized to be more accurate

Virus Protector

 #1140  by EP_X0FF
 Fri May 21, 2010 5:57 am
Virus Protector

Downloader
http://www.virustotal.com/analisis/ffb5 ... 1274420551

FakeAV itself
http://www.virustotal.com/analisis/f0c2 ... 1274420870

GUI
Image

You are sending SPAM!

Image

Payme dialog

Image

Danger
Image

Dropped to %systemroot%\system32 folder with random name (sample attached). Gives many alerts, popups etc.
Set itself to autorun via HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key.

Funny string from the inside, including embedded list of detections.
f:\_work\VProtector\Release\promo.pdb

SOFTWARE\Policies\Microsoft\Windows Defender
DisableAntiSpyware
WinDefend
DisableRegistryTools
Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr

gawab.com
fbi.gov
inbox.com
live.com
msn.com
hotmail.com
rocketmail.com
us.army.mil
mail.com
gmx.com
yahoo.com
gmail.com

Worm Attack
Smurf Attack
Storm botnet
Land Attack
DDOS attack
Trojan.Kreeper.588
Trojan.Bdsearch.103
Dialer.4562.355
Dialer.4706.387
Worm.Autoit.451
Trojan.PoisonIvy.227
Trojan.Dropper.Pykspa.355
Dialer.4633.2
Trojan.Bzub.381
Dialer.4710.436
Trojan.Obfus.193
Trojan.Hasik.559
Trojan.Downloader.Reipym.764
Trojan.Goldun.750
Dialer.4603.42
Trojan.Servu.29
Dialer.4677.215
Trojan.Alureon.315
Worm.Fujack.337
Worm.Waledac1.236
Dialer.4580.386
Trojan.Hasik.78
Dialer.4553.136
Trojan.Thous.13
Trojan.Gamecrack.1
Dialer.4660.437
Worm.Delf.710
Trojan.Rootkit.79
Exploit.SWF.168
Trojan.Hydraq.687
PwTool.Yahoo.SmartMasPass.295
Dialer.4617.346
Trojan.Spy.529
Dialer.4732.361
Trojan.Swizzor.718
Dialer.4704.156
Trojan.HackSrvany.120
Trojan.Hasik.670
Dialer.4641.111
Trojan.VanBot.815
Adware.Admoke.131
Trojan.Redvip.628
Trojan.Hdkill.839
Trojan.BHO.268
Trojan.Agent.Banker.672
Trojan.Thous.118
Worm.VB.762
Dialer.4697.578
Dialer.4621.426
Trojan.Spy.Gwghost.124
Worm.NetSky.669
Trojan.Conhook.757
Dialer.4737.659
Worm.Agent.664
Trojan.OSX.RSPlug.F.dmg.338
Worm.Joleee.202
Trojan.Dumador.474
Trojan.Bravix.105
Dialer.4653.258
Trojan.Patched.728
Trojan.Agent.228
Trojan.Winwebsec.812
Trojan.Stuh.76
Dialer.4642.373
Dialer.4630.468
W32.Sality.692
Trojan.Banker.664
W32.Lafon.104
Dialer.4556.347
Trojan.CDur.255
Trojan.Messah.321
Worm.Waledac1.3
Adware.FakeInstall.144
Trojan.WOW.149
Trojan.Vaklik.782
Hacktool.Crack.Megaupload.466
Attachments
FakeAV itself, pass: malware
(1.36 MiB) Downloaded 131 times
downloader, pass: malware
(51.33 KiB) Downloaded 92 times

Antivirus PC 2009

 #1152  by EP_X0FF
 Sun May 23, 2010 1:17 pm
Antivirus PC 2009

from xenophobia (russian script-kiddie)

VirusTotal
http://www.virustotal.com/analisis/a074 ... 1274620385

Used ClamAV engine
*** DON'T PANIC! Read http://www.clamav.net/support/faq ***
*** This version of the ClamAV engine is outdated. ***
*** Please update it as soon as possible. ***
*** The virus database is older than 7 days! ***
*** Please check the timezone and clock settings ***
*** Virus database timestamp in the future! ***

GUI

Image

Payme dialog

Image

Set itself to autorun via HKCU\Software\Microsoft\Windows\CurrentVersion\Run and
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run keys

as
cmd /C cd "C:\Program Files\Antivirus PC 2009" && start avpc2009.exe
d:\xenophobia\2\1\Release\avpc2009.pdb

Your computer is being attacked by an Internet Virus.
It could be a password-stealing attack, a trojan-dropped or similar.
Antivirus PC 2009
Antivirus PC 2009 Warning: Antivirus PC 2009 has detected harmful software in your system. It is strongly recommended to register Antivirus PC 2009 to remove these threats immediately. Click
to fix these errors.
Exit Antivirus PC 2009
Shell_TrayWnd
Signature bases are not up to date.
Please click "OK" to update it now, or click "Cancel" to update later.
support.html
Antivirus PC 2009
System Error
ClamAV Antivirus|GPL|Sourcefire Inc|Gianluigi Tiesi|<sherpya@netfarm.it>
URL inside binary
hxxp://antiviruspc-update.com:8080/
Attachments
pass: malware
(1.88 MiB) Downloaded 116 times

My Security Engine

 #1154  by EP_X0FF
 Sun May 23, 2010 4:29 pm
B-boy/StyLe/ wrote:My Security Engine

Regards,
G.
Seems to be the same as http://forum.sysinternals.com/fake-av-s ... 22033.html (also known as Live PC Guard and million of different names)

You uploaded just a downloader :D
Payload is cool. Written on Delphi (or whatever from CodeGear, yet another russian script-kiddie work).

http://www.virustotal.com/analisis/c149 ... 1274632111

GUI
Image
Image

Contains internal black list of antiviruses (SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options)
SOFTWARE\Agnitum\Security Suite\
SOFTWARE\ComodoGroup\CDI\
SOFTWARE\AVG\
SOFTWARE\BitDefender\BitDefender Antivirus 2008\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E58B329B-FB28-4874-90DE-0D7CB2709267}\
SOFTWARE\Data Fellows\F-Secure\
SOFTWARE\KasperskyLab\
SOFTWARE\rising\Rav\
SOFTWARE\Sophos\SAVService\Application\
SOFTWARE\Symantec\Norton AntiVirus\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WebrootDesktopFirewall.exe\
SOFTWARE\Eset\Nod\
SOFTWARE\Zone Labs\ZoneAlarm\
SOFTWARE\ALWIL Software\Avast\
almost forgot..

run itself through HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key
drops itself (winxp) to Documents and Settings\All Users\Application Data\randomhexvalue hidden folder.
Attachments
pass: malware
(2.53 MiB) Downloaded 100 times

Windows Protector or XJR Antivirus

 #1160  by EP_X0FF
 Mon May 24, 2010 1:15 pm
Windows Protector or XJR Antivirus

Downloader VT
http://www.virustotal.com/analisis/8f6e ... 1274705855

FakeAV VT
http://www.virustotal.com/analisis/21fa ... 1274706179

Aggressive behavior - terminates starting applications as "infected".

GUI

Image

Detections

Image

Payme dialog

Image

Fake "Error Reporting" dialog

Image

Aggressive behavior makes some trouble with removal.
This fake av modifies registry HKEY_CLASSES_ROOT\exefileile type handler keys, making system unworkable after malware removal from Safe Mode.
However applying exported registry data from different computer or backup solving problem.
Both - downloader and fakeav itself are attached.
Attachments
FakeAV itself, pass: malware
(1.08 MiB) Downloaded 109 times
downloader, pass: malware
(52.85 KiB) Downloaded 87 times
Last edited by EP_X0FF on Sat Apr 16, 2011 3:43 am, edited 1 time in total. Reason: Screenshots has been resized to be more accurate
 Topic locked
  • 1
  • 2
  • 3
  • 4
  • 5
  • 8
 Return to “Malware”