A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3319  by PX5
 Thu Nov 04, 2010 8:44 am
Antivirus Action


First I see this was about a month ago, not sure how long its really been around.

http://www.virustotal.com/file-scan/rep ... 1288860137
 #3500  by Meriadoc
 Mon Nov 15, 2010 1:41 pm
SmartEngine

SmartEngine is similar to My Security Shield and is from the VirusDoctor family of rogues.

Same ole, the rogue installs, dropping files* and then detecting them as threats, trying to extort money for removal while goading the user by generating a lot of fake system alerts. It also hijacks the start page with hxxp://findgala.com and disables the Security Center alerts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter)

*
%UserProfile%\Recent\ANTIGEN.dll
%UserProfile%\Recent\ANTIGEN.drv
%UserProfile%\Recent\cid.tmp
%UserProfile%\Recent\CLSV.exe
%UserProfile%\Recent\CLSV.sys
%UserProfile%\Recent\DBOLE.drv
%UserProfile%\Recent\delfile.sys
%UserProfile%\Recent\eb.sys
%UserProfile%\Recent\energy.exe
%UserProfile%\Recent\exec.exe
%UserProfile%\Recent\fan.drv
%UserProfile%\Recent\kernel32.dll
%UserProfile%\Recent\pal.exe
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\ppal.drv
%UserProfile%\Recent\tempdoc.tmp


These were the only files I could glean as it wasn't my machine.
http://www.virustotal.com/file-scan/rep ... 1289826865
http://www.virustotal.com/file-scan/rep ... 1289827402

Interestingly, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options turned up over 700 entries to disallow items from working, including quite a few old relics, for example 'Atguard', and from the screen 'Trojan Defense Suite 2' for 98 and NT and 3 discontinued by DiamondCS for the HIPS 'ProcessGuard'; not only antimalware but other rogues too :)

 #3501  by EP_X0FF
 Mon Nov 15, 2010 1:52 pm
Themida
lol
 #3502  by Meriadoc
 Mon Nov 15, 2010 2:04 pm
yeah that's kinda funny :)
 #3503  by EP_X0FF
 Mon Nov 15, 2010 2:23 pm
Yes, there is a huge blacklist inside, even named BLOCKLIST_RES.
Antivirus paths retrieved from registry.
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
msseces.exe
MSASCui.exe
ekrn.exe
egui.exe
avgnt.exe
avcenter.exe
avscan.exe
avgfrw.exe
avgui.exe
avgtray.exe
avgscanx.exe
avgcfgex.exe
avgemc.exe
avgchsvx.exe
avgcmgr.exe
avgwdsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus
Avira AntiVir Guard
avgsys
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
winss.exe
WinSSUI.exe
OcHealthMon.exe
winssnotify.exe
MsMpEng.exe
msfwsvc.exe
SOFTWARE\Agnitum\Security Suite\
SOFTWARE\ComodoGroup\CDI\
SOFTWARE\AVG\
SOFTWARE\BitDefender\BitDefender Antivirus 2008\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E58B329B-FB28-4874-90DE-0D7CB2709267}\
SOFTWARE\Data Fellows\F-Secure\
SOFTWARE\KasperskyLab\
SOFTWARE\rising\Rav\
SOFTWARE\Sophos\SAVService\Application\
SOFTWARE\Symantec\Norton AntiVirus\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WebrootDesktopFirewall.exe\
SOFTWARE\Eset\Nod\
SOFTWARE\Zone Labs\ZoneAlarm\
SOFTWARE\ALWIL Software\Avast\

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"ConsentPromptBehaviorUser"=dword:0
"EnableLUA"=dword:0

wmic.exe /NameSpace:\\Root\SecurityCenter Path AntiVirusProduct Get CompanyName, DisplayName, VersionNumber, productUpToDate /value
wmic.exe /NameSpace:\\Root\SecurityCenter Path FireWallProduct Get CompanyName, DisplayName, VersionNumber /value
And more funny strings including hardcoded detections and their descriptions.
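The footprints listed in the two posts above (the Security Center DisableNotify values, the DisallowRun list, the Image File Execution Options entries, the zeroed UAC policy values, the files dropped into the Recent folder, and the Security Center WMI queries) can all be checked from the defender's side in one pass. The script below is an added, read-only audit example; it is not code from the thread or from the sample. It assumes a Vista-or-later workstation (the `root\SecurityCenter2` namespace does not exist on XP or on Server SKUs), and the IFEO subkey threshold of 50 is an assumed baseline, not a documented number.

```powershell
# Added example: read-only audit for the FakeAV footprints described in this thread.
# Not from the sample or the thread. Run from an elevated PowerShell session.
$Findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Security Center notification suppression (the rogue sets these to hide alerts).
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $val = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -eq 1) { $Findings.Add("Security Center: $name = 1 (alerts suppressed)") }
}

# 2. DisallowRun blocklist (the rogue fills it with AV process names). Check both hives,
#    since the strings dump above does not say which one the sample writes to.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $dr = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
    if (Test-Path $dr) {
        (Get-ItemProperty -Path $dr).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $Findings.Add("DisallowRun ($hive): $($_.Value)") }
    }
}

# 3. Image File Execution Options: a 'Debugger' value redirects that executable, and an
#    unusually large number of subkeys (the sample had 700+) is itself a red flag.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ifeoKeys = @(Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)
if ($ifeoKeys.Count -gt 50) {   # 50 is an assumed baseline, tune for your fleet
    $Findings.Add("IFEO: $($ifeoKeys.Count) subkeys present")
}
foreach ($k in $ifeoKeys) {
    $dbg = (Get-ItemProperty -Path $k.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $Findings.Add("IFEO Debugger on $($k.PSChildName): $dbg") }
}

# 4. UAC policy values the sample zeroes out.
$sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                        -ErrorAction SilentlyContinue
if ($sys.EnableLUA -eq 0)                 { $Findings.Add('UAC: EnableLUA = 0 (UAC off)') }
if ($sys.ConsentPromptBehaviorAdmin -eq 0) { $Findings.Add('UAC: ConsentPromptBehaviorAdmin = 0 (elevate silently)') }
if ($sys.ConsentPromptBehaviorUser -eq 0)  { $Findings.Add('UAC: ConsentPromptBehaviorUser = 0 (deny elevation)') }

# 5. Non-shortcut files in the Recent folder. It normally holds only .lnk files, so
#    payloads such as the ANTIGEN.dll / CLSV.sys drops listed above stand out.
$recent = [Environment]::GetFolderPath('Recent')
Get-ChildItem -Path $recent -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ne '.lnk' } |
    ForEach-Object { $Findings.Add("Recent folder: unexpected file $($_.Name) ($($_.Length) bytes)") }

# 6. What Security Center itself reports: the CIM equivalent of the sample's wmic queries.
#    root\SecurityCenter2 is the Vista+ namespace; XP used root\SecurityCenter.
foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Host ("{0}: {1} (productState=0x{2:X})" -f $class, $_.displayName, $_.productState)
        }
}

if ($Findings.Count -eq 0) { Write-Host 'No FakeAV-style footprints found.' }
else { $Findings | ForEach-Object { Write-Warning $_ } }
```

The script only reads; remediation (clearing DisallowRun, deleting the IFEO entries, restoring EnableLUA and the Security Center notify values) is a separate step you would take after confirming each finding, because a handful of IFEO subkeys and a few policy values are legitimately present on managed machines.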
 #3603  by Meriadoc
 Fri Nov 19, 2010 10:25 pm
AntiVirus Studio 2010

Thanks for moving.

Is Rogue.AntiVirus Studio 2010 in the list? (I did do a search.) It comes from the same family as Desktop Security 2010.

Sample drops a lot of trash in the temp folder that seems to be damaged and is used for 'detections' (screenshots).

User was sent a PM at a social networking site with a link to a video. Clicking on the page gives you the download, aptly named divxplayer.

hxxp://yourtube.webexploring.com/video2/video.php?q=210591


Tries hard for your cash (screenshot).

After reboot the screen goes dark like secure mode, with warnings (screenshots).

Purchase page (screenshots).
 #3974  by EP_X0FF
 Mon Dec 13, 2010 10:48 am
MalwareRemovalBot

Fraudware.


Dropper
http://www.virustotal.com/file-scan/rep ... 1292236942

Executable
http://www.virustotal.com/file-scan/rep ... 1292236612

Even contains own malware database used to fool victims.

Workable uninstaller included.
 #3976  by EP_X0FF
 Mon Dec 13, 2010 11:57 am
AntiMalware Pro

Typical FakeAV with psychedelic images of authors inside.
Very buggy Delphi stuff, resulting in an exception at program start (one of its threads terminates).

GUI (screenshot)

"Features" (screenshot)

Psychedelic art (screenshot)

VT Results

Installer
http://www.virustotal.com/file-scan/rep ... 1292240938

Dropped files
http://www.virustotal.com/file-scan/rep ... 1292240224
http://www.virustotal.com/file-scan/rep ... 1292241167

Workable uninstaller included.

Fakeav installer in attach.