A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1267  by Jaxryley
 Fri Jun 11, 2010 6:05 am
Protection Center

hxxp://scanner-programming.com:81/download.php?q=8a5352b31d85a47aff904528c976af86&affid=402&subid=landing
FakeAV - Mal/TDSSPack-Q - Result: 9/41 (21.96%)
http://www.virustotal.com/analisis/e2f5 ... 1276234178
FILE ADDED! C:\Documents and Settings\All Users\Favorites\_favdata.dat
FILE ADDED! C:\Documents and Settings\Username\Application Data\Microsoft\Internet Explorer\Quick Launch\Protection Center.lnk
FILE ADDED! C:\Documents and Settings\Username\Desktop\Protection Center Support.lnk
FILE ADDED! C:\Documents and Settings\Username\Desktop\Protection Center.lnk
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\4otjesjty.mof
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\8017.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\ac2b.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\asd2.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\asd3.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\asd3.tmp.exe
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\b657.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\bc3f.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\c0bf.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\cnt.dat
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\cntr.dat
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\dhdhtrdhdrtr5y
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\kernel64xp.dll
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\mscdexnt.exe
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\PRAGMA152e.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\PRAGMA1ca7.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\TMP1967.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\tmp5220.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\tmp7E40.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\topwesitjh
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\wscsvc32.exe
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temporary Internet Files\Content.IE5\8DM3QHO7\402-direct[1].ex
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temporary Internet Files\Content.IE5\8DM3QHO7\readdatagateway[1].htm
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center <- dir
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\About.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Activate.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Buy.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Protection Center Support.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Protection Center.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Scan.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Settings.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Update.lnk
FILE ADDED! C:\Program Files\Protection Center <- dir
FILE ADDED! C:\Program Files\Protection Center\about.ico
FILE ADDED! C:\Program Files\Protection Center\activate.ico
FILE ADDED! C:\Program Files\Protection Center\buy.ico
FILE ADDED! C:\Program Files\Protection Center\cnt.db
FILE ADDED! C:\Program Files\Protection Center\cntext.dll
FILE ADDED! C:\Program Files\Protection Center\cnthook.dll
FILE ADDED! C:\Program Files\Protection Center\cntprot.exe
FILE ADDED! C:\Program Files\Protection Center\help.ico
FILE ADDED! C:\Program Files\Protection Center\scan.ico
FILE ADDED! C:\Program Files\Protection Center\settings.ico
FILE ADDED! C:\Program Files\Protection Center\splash.mp3
FILE ADDED! C:\Program Files\Protection Center\Uninstall.exe
FILE ADDED! C:\Program Files\Protection Center\update.ico
Last edited by EP_X0FF on Sat Apr 16, 2011 6:10 am, edited 2 times in total. Reason: merged from standalone topic
 #1270  by Jaxryley
 Fri Jun 11, 2010 9:43 pm
Sysinternals Antivirus


PC_protect.exe - Result: 24/41 (58.54%)
http://www.virustotal.com/analisis/e664 ... 1276291685
FILE ADDED! C:\Documents and Settings\username\Desktop\Sysinternals Antivirus.lnk
FILE ADDED! C:\Documents and Settings\username\Local Settings\Temp\Perflib_Perfdata_5e8.dat
FILE ADDED! C:\Documents and Settings\username\Local Settings\Temp\win1.tmp
FILE ADDED! C:\Documents and Settings\username\Start Menu\Programs\Sysinternals Antivirus <- dir
FILE ADDED! C:\Documents and Settings\username\Start Menu\Programs\Sysinternals Antivirus\Sysinternals Antivirus.lnk
FILE ADDED! C:\Program Files\adc_w32.dll
FILE ADDED! C:\Program Files\alggui.exe
FILE ADDED! C:\Program Files\skynet.dat
FILE ADDED! C:\Program Files\svchost.exe
FILE ADDED! C:\Program Files\Sysinternals Antivirus <- dir
FILE ADDED! C:\Program Files\Sysinternals Antivirus\Sysinternals Antivirus.exe
FILE ADDED! C:\Program Files\wp3.dat
FILE ADDED! C:\Program Files\wp4.dat
FILE ADDED! C:\WINDOWS\Prefetch\PC_PROTECT.EXE-07A7C79B.pf
FILE ADDED! C:\WINDOWS\Prefetch\SVCHOST.EXE-30F98231.pf
FILE ADDED! C:\WINDOWS\Prefetch\SYSINTERNALS ANTIVIRUS.EXE-25B10B06.pf
Attachment password: infected
Last edited by EP_X0FF on Sat Apr 16, 2011 6:11 am, edited 1 time in total. Reason: Screenshot has been resized to be more accurate
 #1275  by EP_X0FF
 Mon Jun 14, 2010 11:54 am
Security Master AV

Dropper VirScan
http://virscan.org/report/5ca9d050bb3a0 ... 354a6.html

FakeAV VirScan
http://virscan.org/report/7f39b43d47680 ... 2c759.html

Written in Delphi.

Known as Paladin Antivirus, Live PC, My Security Engine, Virus Doctor, Security Antivirus, Windows PC Defender and different names.

Constantly updated (repacked) and renamed.

Drops from hxxp://www1.trytocleanit-45p.co.cc (fake av scanner page)


Fake AV keeps connections with the following IPs:
93.190.139.212
91.207.192.25
93.190.139.215
217.23.5.57
74.55.47.101
Screenshots (not reproduced here): GUI, pay-me dialog, detection dialog.

Signatures extracted from unpacked executable:
[Info]
Count=23
[Data]
SignName0=Trojan-IM.Win32.Faker.a
SignName1=Virus.Win32.Faker.a
SignName2=Trojan-PSW.BAT.Cunter
SignName3=Trojan-PSW.VBS.Half
SignName4=Trojan-PSW.Win32.Antigen.a
SignName5=Trojan-PSW.Win32.Delf.d
SignName6=Trojan-PSW.Win32.Dripper
SignName7=Trojan-PSW.Win32.Fantast
SignName8=Trojan-PSW.Win32.Hooker
SignName9=Trojan-SMS.J2ME.RedBrowser.a
SignName10=Trojan-Spy.Win32.WMPatch
SignName11=Trojan.BAT.AnitV.a
SignName12=Trojan-Spy.HTML.Bankfraud.ix
SignName13=Trojan-Spy.HTML.Bankfraud.ra
SignName14=Trojan-Spy.HTML.Bayfraud.hn
SignName15=Trojan-Spy.HTML.Citifraud
SignName16=Trojan-Spy.HTML.Sunfraud.a
SignName17=Trojan-Spy.HTML.Paypal.hn
SignName18=BAT.Looper
SignName19=Virus.BAT.Gray.705
SignName20=Virus.BAT.IBBM.ClsV
SignName21=Packed.Win32.PolyCrypt
SignName22=SpamTool.Win32.Delf.h
Contains
#pragma namespace("\\\\.\\root\\SecurityCenter")
#pragma deleteclass("AntiVirusProduct", NOFAIL)
#pragma deleteclass("FirewallProduct", NOFAIL)
and more interesting strings.

Autorun through HKCU\Software\Microsoft\Windows\CurrentVersion\Run key
Attachments: fake AV itself, dropper (pass: malware)
Last edited by EP_X0FF on Wed Jul 07, 2010 5:06 am, edited 1 time in total. Reason: removed long text dump
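The `#pragma deleteclass` strings quoted above target the `root\SecurityCenter` WMI namespace, where installed AV and firewall products register themselves; compiling that MOF unregisters the real product so the rogue can pose as the only protection. As an added example (Python, not code from this thread or from the sample), the checker below walks a list of extracted strings, tracks the active `#pragma namespace` the way mofcomp does, and reports every `deleteclass` that would remove a Security Center registration class. The three pragma lines are the ones quoted in the post; the two `cimv2`/`Win32_TestClass` strings are constructed for contrast, and `AntiSpywareProduct` and `root\SecurityCenter2` (the Vista-and-later namespace) are assumed to be relevant because Windows uses them, not because the post mentions them.

```python
import re

# Constructed sample: the three MOF pragma lines quoted in the post above,
# followed by two benign pragmas (another namespace, a harmless class) so
# the checker has something to ignore.
SAMPLE_STRINGS = [
    r'#pragma namespace("\\\\.\\root\\SecurityCenter")',
    r'#pragma deleteclass("AntiVirusProduct", NOFAIL)',
    r'#pragma deleteclass("FirewallProduct", NOFAIL)',
    r'#pragma namespace("\\\\.\\root\\cimv2")',   # constructed
    r'#pragma deleteclass("Win32_TestClass", NOFAIL)',  # constructed
]

NAMESPACE_RE = re.compile(r'#pragma\s+namespace\s*\(\s*"([^"]*)"\s*\)', re.I)
DELETECLASS_RE = re.compile(r'#pragma\s+deleteclass\s*\(\s*"([^"]*)"', re.I)

# Classes through which products register with Windows Security Center.
# Deleting them unregisters the real AV/firewall. root\SecurityCenter2 is
# the Vista-and-later namespace (assumed relevant; not on the page).
SECURITY_CENTER_NAMESPACES = ("root\\securitycenter", "root\\securitycenter2")
SECURITY_CENTER_CLASSES = {"antivirusproduct", "firewallproduct", "antispywareproduct"}


def unescape_mof(s):
    """MOF string literals escape a backslash as two; collapse them."""
    return s.replace("\\\\", "\\")


def is_security_center_namespace(ns):
    """ns is an already-unescaped namespace such as \\\\.\\root\\SecurityCenter."""
    norm = ns.lower().replace("/", "\\")
    return any(norm.endswith(tail) for tail in SECURITY_CENTER_NAMESPACES)


def find_security_center_tampering(lines):
    """Walk extracted strings in order, tracking the active #pragma namespace
    as mofcomp would, and return (namespace, class) for every deleteclass
    that would remove a Security Center registration class."""
    current_ns = ""
    hits = []
    for line in lines:
        m = NAMESPACE_RE.search(line)
        if m:
            current_ns = unescape_mof(m.group(1))
            continue
        m = DELETECLASS_RE.search(line)
        if (m and is_security_center_namespace(current_ns)
                and m.group(1).lower() in SECURITY_CENTER_CLASSES):
            hits.append((current_ns, m.group(1)))
    return hits


if __name__ == "__main__":
    for ns, cls in find_security_center_tampering(SAMPLE_STRINGS):
        print(f"Security Center tampering: deleteclass {cls} in {ns}")
```

Feed it the output of a strings run over the unpacked executable (one string per list element); a non-empty result is a strong indicator that the binary is built to hide installed security products, which is exactly what a rogue AV wants.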
 #1439  by Jaxryley
 Wed Jul 07, 2010 4:52 am
AntivirusGT


AV7win_2004_b6.exe - Result: 17/41 (41.47%) - MD5: bcfb3ea59868365cc52cce61548579c3
http://www.virustotal.com/analisis/04c2 ... 1278477391

AV7win_2004_b6_2_.exe - Result: 23/41 (56.1%) - MD5: 960645c1d268e8de400c1ec4da7fcb4e
http://www.virustotal.com/analisis/57dd ... 1278477628

BSA:
Detailed report of suspicious malware actions:

Created process: (null),"C:\Program Files\Sandboxie\SandboxieRpcSs.exe",(null)
Created process: (null),C:\Program Files\AVGT\antivirusGT.exe ,(null)
Created process: C:\Windows\system32\cmd.exe,"C:\Windows\system32\cmd.exe" /c del C:\Users\ADMINI~1\Desktop\AV7WIN~1.EXE > nul,C:\Users\Administrator\Desktop
Defined file type created: C:\Program Files\AVGT\antivirusGT.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\MicrosoftExtensions.dll
Defined file type created: C:\Users\Administrator\AppData\Desktop\AV7win_2004_b6.exe
Defined file type modified or overwritten: C:\Program Files\Mozilla Firefox\greprefs\all.js
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations = \??\C:\Program Files\AVGT\..ORSF0W\??\C:\Program Files\AVGT\...6PAXFH\??\C:\Users\Administrator\AppData\Local\Temp\MicrosoftExtensions.dll.IVAGEA
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\AVGT = C:\Program Files\AVGT\antivirusGT.exe
Detected backdoor listening on port: 0
Detected keylogger functionality
Detected process privilege elevation
Enumerated running processes
Internet connection: C:\Users\Administrator\Desktop\AV7win_2004_b6.exe Connects to "62.122.75.137" on port 80 (TCP - HTTP).
Internet connection: C:\Users\Administrator\Desktop\AV7win_2004_b6.exe Connects to "83.133.120.94" on port 80 (TCP - HTTP).
Listed all entry names in a remote access phone book
Opened a service named: Csc
Opened a service named: CscService
Opened a service named: rasman
Opened a service named: Sens
Query DNS: adobe.com
Query DNS: downloadcentertoday.com
Query DNS: oddfunctions.com
Query DNS: adobe.com

Risk evaluation result: High
Attachment password: infected
Last edited by EP_X0FF on Sat Apr 16, 2011 6:15 am, edited 1 time in total. Reason: Screenshots have been resized to be more accurate
 #1531  by Jaxryley
 Thu Jul 15, 2010 1:46 am
Antivir Solution Pro


Dropped by a microjoin exploit.

New Antivirus Soft clone - xdtwuuutssd.exe - 6/41 - MD5 : aa2d1a6ad9110e8ec67217f8eaa1bbb4
http://www.virustotal.com/analisis/22e7 ... 1279155628
FILE ADDED! C:\Documents and Settings\USERNAME\Local Settings\History\History.IE5\MSHist012010071520100716 <- dir
FILE ADDED! C:\Documents and Settings\USERNAME\Local Settings\History\History.IE5\MSHist012010071520100716\index.dat
REG ADDED! HKLM SOFTWARE\AVSolution
REG ADDED! HKLM SOFTWARE\AVSuitE
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSuitE
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\PhishingFilter
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010071520100716
REG ADDED! HKLM SOFTWARE\Microsoft\Cryptography\RNG Seed bin:MKMB1caLYCvaYvwI37gmWMr69uszZMBRAj2bjdmPtE/zmo4HY8AlosH/X6ovlsh59mkyWjOtO1n8d00lKx54N4IADMPaJkrlp0IMCKvs/TM=
REG ADDED! HKLM SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable int:1
REG ADDED! HKLM SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable int:1
REG ADDED! HKLM SYSTEM\ControlSet001\Services\kmixer\Enum 0 "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
REG ADDED! HKLM SYSTEM\ControlSet001\Services\kmixer\Enum Count int:1
REG ADDED! HKLM SYSTEM\ControlSet001\Services\kmixer\Enum NextInstance int:1
REG ADDED! HKLM SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable int:1
REG ADDED! HKLM SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable int:1
REG ADDED! HKLM SYSTEM\CurrentControlSet\Services\kmixer\Enum 0 "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
REG ADDED! HKLM SYSTEM\CurrentControlSet\Services\kmixer\Enum Count int:1
REG ADDED! HKLM SYSTEM\CurrentControlSet\Services\kmixer\Enum NextInstance int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\SessionInformation ProgramCount int:2
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution aazalirt int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution dkekkrkska int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution dkewiizkjdks int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution id "75.3"
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution iddqdops int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution ienotas int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution iqmcnoeqz int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution irprokwks int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution jikglond int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution jiklagka int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution jrjakdsd int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution jungertab int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution kitiiwhaas int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution kkwknrbsggeg int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution klopnidret int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution knkd int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution krkdkdkee int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution krkmahejdk int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution krtawefg int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution krujmmwlrra int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution ktknamwerr int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution kuruhccdsdd int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution ooorjaas int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution oranerkka int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution oropbbsee int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution otnnbektre int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution otowjdseww int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution otpeppggq int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution ready int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution rkaskssd int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution ronitfst int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution salrtybek int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution seeukluba int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution skaaanret int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution tobmygers int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution tobykke int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution zibaglertz int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\PhishingFilter Enabled int:0
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\PhishingFilter EnabledV8 int:0
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU bin:OwAAADECAADAtkHfOiTLAQ==
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Ira\Qrfxgbc\kqgjhhhgffq.rkr bin:OwAAAAYAAADAtkHfOiTLAQ==
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_HVFPHG bin:OwAAAMoAAADgIj3fOiTLAQ==
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyOverride "<local>"
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer "http=127.0.0.1:5643"
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010071520100716 CacheLimit int:8192
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010071520100716 CacheOptions int:11
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010071520100716 CachePath exp:%USERPROFILE%\Local Settings\History\History.IE5\MSHist012010071520100716\
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010071520100716 CachePrefix ":2010071520100716: "
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010071520100716 CacheRepair int:0
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections DefaultConnectionSettings bin:PAAAAAMAAAADAAAAEwAAAGh0dHA9MTI3LjAuMC4xOjU2NDMHAAAAPGxvY2FsPgAAAAAEAAAAAAAAAKBqdVYVWcgBAQAAAMCoAWsAAAAAAAAAAA==
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings bin:PAAAAEAAAAADAAAAEwAAAGh0dHA9MTI3LjAuMC4xOjU2NDMHAAAAPGxvY2FsPgAAAAAEAAAAAAAAAKBqdVYVWcgBAQAAAMCoAWsAAAAAAAAAAA==
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\Documents and Settings\USERNAME\Desktop\xdtwuuutssd.exe "xdtwuuutssd"
Attachment password: infected
Last edited by EP_X0FF on Sat Apr 16, 2011 6:18 am, edited 1 time in total. Reason: Screenshot has been resized to be more accurate
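The registry diff above carries the behaviours that matter for triage: the rogue enables a system proxy and points `ProxyServer` at `127.0.0.1:5643` so it can intercept or block browser traffic, switches off the IE phishing filter (`Enabled`/`EnabledV8 = 0`), and writes its `AVSolution`/`AVSuitE` marker keys. As an added example (Python, not from this thread or from any sandbox tool), the script below parses `REG ADDED!` lines in the format shown and assigns a severity to each of those patterns plus a `CurrentVersion\Run` entry. The sample lines are copied from the post (the SID is the one in the log); the single `Run` line is constructed in the same format to stand in for the HKCU autorun the thread mentions, and the severities are this example's own judgement.

```python
import re

# SID taken from the log in the post above.
SID = "S-1-5-21-1454471165-1935655697-1343024091-1003"

# Constructed sample: REG ADDED! lines copied from the post, plus one
# Run-key line written in the same format (constructed, not from the log).
SAMPLE_LOG = [
    r'REG ADDED! HKLM SOFTWARE\AVSolution',
    r'REG ADDED! HKLM SOFTWARE\AVSuitE',
    rf'REG ADDED! HKU {SID}\Software\AVSolution id "75.3"',
    rf'REG ADDED! HKU {SID}\Software\Microsoft\Internet Explorer\PhishingFilter Enabled int:0',
    rf'REG ADDED! HKU {SID}\Software\Microsoft\Internet Explorer\PhishingFilter EnabledV8 int:0',
    rf'REG ADDED! HKU {SID}\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable int:1',
    rf'REG ADDED! HKU {SID}\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyOverride "<local>"',
    rf'REG ADDED! HKU {SID}\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer "http=127.0.0.1:5643"',
    rf'REG ADDED! HKU {SID}\Software\Microsoft\Windows\CurrentVersion\Run xdtwuuutssd "C:\Documents and Settings\USERNAME\Desktop\xdtwuuutssd.exe"',  # constructed
    rf'REG ADDED! HKU {SID}\SessionInformation ProgramCount int:2',
]

# Format: "REG ADDED! <hive> <key path> [<value name> <typed value>]".
# Key paths may contain spaces; the value name is a single token and the
# value is int:/bin:/exp:-prefixed or double-quoted, so a non-greedy key
# followed by an optional name/value pair parses both shapes.
LINE_RE = re.compile(
    r'^REG ADDED! (?P<hive>HKLM|HKU|HKCU) (?P<key>.+?)'
    r'(?: (?P<name>\S+) (?P<value>(?:int|bin|exp):\S+|"[^"]*"))?$'
)

LOCAL_PROXY_RE = re.compile(r'127\.0\.0\.1|localhost', re.I)


def parse_reg_line(line):
    """Return a dict with hive/key/name/value, or None for non-REG lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Return (severity, reason, line) for every line matching a rule."""
    findings = []
    for line in lines:
        rec = parse_reg_line(line)
        if rec is None:
            continue
        key = rec["key"].lower()
        name = (rec["name"] or "").lower()
        value = rec["value"] or ""
        if name == "proxyserver" and LOCAL_PROXY_RE.search(value):
            findings.append(("high", "browser proxy pointed at a local port", line))
        elif (name in ("enabled", "enabledv8") and value == "int:0"
              and key.endswith("internet explorer\\phishingfilter")):
            findings.append(("high", "IE phishing filter disabled", line))
        elif key.endswith("currentversion\\run"):
            findings.append(("high", "Run-key persistence", line))
        elif key.endswith("software\\avsolution") or key.endswith("software\\avsuite"):
            findings.append(("medium", "AVSolution/AVSuitE marker key (rogue family in this thread)", line))
        elif name == "proxyenable" and value == "int:1":
            findings.append(("low", "system proxy enabled", line))
    return findings


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}: {line}")
```

The local-proxy rule is the one worth keeping on a clean-up checklist: even after the executable is removed, a `ProxyServer` of `127.0.0.1:<port>` left behind makes every browser look "broken" until the setting is cleared.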
 #1699  by Jaxryley
 Fri Jul 30, 2010 1:12 pm
Been playing around with this exe-killing rogue and found that if I stop/disable the "Windows Management Instrumentation" service and install the rogue "Antivir Solution Pro" then it doesn't seem to be able to kill any exes at all?

Tested on an XP and Win 7 VM.
 #1700  by EP_X0FF
 Fri Jul 30, 2010 2:00 pm
Hi,

do you have a sample?

Probably all the killing is based on WMI requests.

Regards.
 #1704  by Jaxryley
 Fri Jul 30, 2010 3:13 pm
You can use the sample from the last post in the "Rogue antimalware (FakeAV, FakeAlert)" thread.

You may have to wait a few minutes for the rogue's gui to show up after executing.