A forum for reverse engineering, OS internals and malware analysis 

Infected FakeAV

Forum for analysis and discussion about malware.

Infected FakeAV

 #11023  by Cody Johnston
 Sat Jan 14, 2012 3:55 am
New sample of 2012 rogue

VT shows as parite

SHA256: 6560a915088d6f9833f2ae3c533e77373902759f7c581fc4925f6f05e87f6108
SHA1: f380c7fd9afe826cdc4c0e3d7dd58685b51ce0be
MD5: 981c0d16eef0b35259ee8232cdc90b1c
File size: 453.0 KB ( 463824 bytes )
File type: Win32 EXE
Detection ratio: 36 / 41
Analysis date: 2012-01-14 03:14:01 UTC ( 34 minutes ago )


https://www.virustotal.com/file/6560a91 ... /analysis/

Also does not accept kill code :x

http://imgur.com/L63bz
Attachments
Password: infected
(372.89 KiB) Downloaded 77 times

Re: Rogue antimalware (FakeAV, FakeAlert)

 #11064  by Ramtadryla
 Mon Jan 16, 2012 4:27 pm
TeamRocketOps wrote:New sample of 2012 rogue

VT shows as parite

SHA256: 6560a915088d6f9833f2ae3c533e77373902759f7c581fc4925f6f05e87f6108
SHA1: f380c7fd9afe826cdc4c0e3d7dd58685b51ce0be
MD5: 981c0d16eef0b35259ee8232cdc90b1c
File size: 453.0 KB ( 463824 bytes )
File type: Win32 EXE
Detection ratio: 36 / 41
Analysis date: 2012-01-14 03:14:01 UTC ( 34 minutes ago )


https://www.virustotal.com/file/6560a91 ... /analysis/

Also does not accept kill code :x

http://imgur.com/L63bz
Thats weird. It comes not only as fake av, but with Win32/Parite polymorphic virus. As I tested, when executed this file infects lots of .exe files on local, removable drives and mapped network drives. And if someone executes that Win32/Parite infected file on the network or from removable drive, also gets one of 2012 rogue variants. New way of spreading?

When I removed Win32/Parite virus from this file, detection ratio is much worse

https://www.virustotal.com/file/e8d2e42 ... /analysis/

Re: Rogue antimalware (FakeAV, FakeAlert)

 #11082  by rkhunter
 Tue Jan 17, 2012 7:02 am
Ramtadryla wrote: Thats weird. It comes not only as fake av, but with Win32/Parite polymorphic virus. As I tested, when executed this file infects lots of .exe files on local, removable drives and mapped network drives. And if someone executes that Win32/Parite infected file on the network or from removable drive, also gets one of 2012 rogue variants. New way of spreading?

When I removed Win32/Parite virus from this file, detection ratio is much worse

https://www.virustotal.com/file/e8d2e42 ... /analysis/
Can you attach this Parite sample?

Re: Rogue antimalware (FakeAV, FakeAlert)

 #11084  by Ramtadryla
 Tue Jan 17, 2012 9:02 am
rkhunter wrote:
Ramtadryla wrote: Thats weird. It comes not only as fake av, but with Win32/Parite polymorphic virus. As I tested, when executed this file infects lots of .exe files on local, removable drives and mapped network drives. And if someone executes that Win32/Parite infected file on the network or from removable drive, also gets one of 2012 rogue variants. New way of spreading?

When I removed Win32/Parite virus from this file, detection ratio is much worse

https://www.virustotal.com/file/e8d2e42 ... /analysis/
Can you attach this Parite sample?
It was already attached in this thread on Sat Jan 14, 2012 3:55 am, by TeamRocketOps as new version of FakeRean. I just noticed, that it comes with Parite virus.
Weird is that if it infects pc, after reboot it becomes unusable if Parite is not cleaned. You can't click anything, but desktop and all icons are visible.

Re: Rogue antimalware (FakeAV, FakeAlert)

 #11085  by EP_X0FF
 Tue Jan 17, 2012 9:48 am
Ramtadryla wrote:It was already attached in this thread on Sat Jan 14, 2012 3:55 am, by TeamRocketOps as new version of FakeRean. I just noticed, that it comes with Parite virus.
Weird is that if it infects pc, after reboot it becomes unusable if Parite is not cleaned. You can't click anything, but desktop and all icons are visible.
Probably he is asking for
And if someone executes that Win32/Parite infected file on the network or from removable drive, also gets one of 2012 rogue variants. New way of spreading?
Sample of infected file with embedded FakeAV, because this way of spreading has no sense, because Parite is well detected. We have not so many options are left - all of them are actually bad. First bad for malware distributors, because their machine infected with polymorphic virus. If not, then we have a bad news for TeamRocketOps, his machine is probably infected with active Parite.

Re: Rogue antimalware (FakeAV, FakeAlert)

 #11086  by rkhunter
 Tue Jan 17, 2012 9:54 am
I think there two possible way: 1) infected file - is a downloader of FakeRean 2) infected file with embedded FakeAV, as EP_X0FF said. In any case would interesting look to infected file.

Re: Infected FakeAV

 #11092  by onthar
 Tue Jan 17, 2012 5:07 pm
Maybe it's sample of new way to spread bot's and trojans, that was posted some time ago on russian underground boards?
Injecting trojan binary into worm/infector, that will spread and infect machines with both of malwares.
hxxp://exploit.in/forum/index.php?showtopic=44180

Re: Infected FakeAV

 #11096  by Cody Johnston
 Tue Jan 17, 2012 7:19 pm
It is very hard to tell for me. I work in a call center so this sample was taken from a customer's infected PC, not in a test environment. EP may very well be correct that the machine was previously infected with the parite worm. I will gather a few more samples for analysis as I see them come across my desk to give a bit more insight as to what the droppers are looking like. I see easily 50 of these infections a day so I'll have a better answer tomorrow when I go back to work. :D
 Return to “Malware”