Rogue Antimalware (FakeAV, 2011 year) - Page 3

Topic locked

AVG Antivirus 2011

#4833 by Xylitol
Mon Jan 31, 2011 8:45 pm

AVG Antivirus 2011

Fake AVG

https://www.virustotal.com/file-scan/re ... 1296506326
http://www.virustotal.com/file-scan/rep ... 1296506331
https://www.virustotal.com/file-scan/re ... 1296506334

kg:

Code: Select all

.386
.model flat, stdcall
option casemap :none

      include windows.inc
      include user32.inc
      include kernel32.inc
      include C:\masm32\macros\macros.asm
      includelib user32.lib
      includelib kernel32.lib

DlgProc     PROTO   :DWORD,:DWORD,:DWORD,:DWORD
RandomAP    PROTO   :DWORD,:DWORD
RandomN     PROTO   :DWORD,:DWORD

.const
IDD_MAIN        equ 1000
IDB_EXIT            equ 1001
IDC_NAME        equ 1002
IDC_SERIAL      equ 1005
IDB_GENERATE    equ 1006
IDB_ABOUT       equ 1007

.data
Rndm        dd  0
b10         db  "0123456789012345",0
Base26A     db  "ABCDEFGHIJKLMNOP",0
tab             db   "-",0
hc          db  "XYL",0

.data?
hInstance   dd  ?
szSerial    db  100h    dup(?)
szSerial2   db  100h    dup(?)
szFinal db  100h    dup(?)

.code
start:
    invoke  GetModuleHandle, NULL
    mov hInstance, eax
    invoke  DialogBoxParam, hInstance, IDD_MAIN, 0, offset DlgProc, 0
    invoke  ExitProcess, eax

DlgProc proc uses esi edi hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    mov eax,uMsg
    .if eax == WM_INITDIALOG
        invoke  LoadIcon,hInstance,200
        invoke  SendMessage, hWnd, WM_SETICON, 1, eax
    .elseif eax == WM_COMMAND
        mov eax,wParam
        .if eax == IDB_EXIT
            invoke  SendMessage, hWnd, WM_CLOSE, 0, 0
        .elseif eax == IDB_GENERATE

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2            
                invoke lstrcpy,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,3,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr hc
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke SetDlgItemText,hWnd,IDC_SERIAL,addr szFinal
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
                invoke RtlZeroMemory,addr szFinal,sizeof szFinal   

        .endif
    .elseif eax == WM_CLOSE
        invoke  EndDialog, hWnd, 0
    .endif
    xor eax,eax
    ret
DlgProc endp

RandomAP Proc   Length_:DWORD,OutPut:DWORD
    mov ecx,Length_
    mov esi,offset Base26A
    mov edi,OutPut
    .repeat
    invoke  GetTickCount
    add Rndm,eax
    add Rndm,'abcd'
    mov eax,Rndm
    rol Rndm,4
    and eax,0Fh
    mov al,byte ptr [esi+eax]
    stosb
    dec ecx
    .until ecx == 0
    Ret
RandomAP endp

RandomN Proc Length_:DWORD,OutPut:DWORD
    mov ecx,Length_
    mov esi,offset b10
    mov edi,OutPut
    .repeat
    invoke  GetTickCount
    add Rndm,eax
    add Rndm,'abcd'
    mov eax,Rndm
    rol Rndm,4
    and eax,0Fh
    mov al,byte ptr [esi+eax]
    stosb
    dec ecx
    .until ecx == 0
    Ret
RandomN endp
end start

rc

Code: Select all

;This Resource Script was generated by WinAsm Studio.

#define IDD_MAIN 1000
#define IDB_EXIT 1001
#define IDC_SERIAL 1005
#define IDB_GENERATE 1006

IDD_MAIN DIALOGEX 10,10,268,19
CAPTION "Fake AVG Keygen"
FONT 8,"Tahoma"
STYLE 0x90c80804
EXSTYLE 0x00000188
BEGIN
    CONTROL "Exit",IDB_EXIT,"Button",0x10010000,220,3,45,13,0x00020000
    CONTROL "Xylitol",IDC_SERIAL,"Edit",0x50010801,3,3,167,13,0x00020000
    CONTROL "Generate",IDB_GENERATE,"Button",0x10010000,173,3,44,13,0x00020000
END

Attachments

Fake.AVG.Keygen.zip

Keygen for fake avg
(223.65 KiB) Downloaded 105 times

FakeAVG.zip

See archive comment for password
(3.24 MiB) Downloaded 150 times

Last edited by EP_X0FF on Sat Apr 16, 2011 7:11 am, edited 1 time in total. Reason: Screenshot resized to be more accurate

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Antivirus .NET

#4834 by kiskav
Tue Feb 01, 2011 2:02 am

Antivirus .NET

This is a Newish Rogueware comes from the Family of Antivirus Scan, Antivirus System pro, etc . Can anyone help me with some info around this Rogueware. Like, From Which country its originated ? Packer ? etc

This Hijacks Browsers through proxy And blocks many Executable files. Still, any tool renamed as iexplore.exe works like a charm. Though this family is worthy to discuss, i dont find any info/discussion around this family. It would be great if any share the info on this piece of Malware.

Thanks & Regards,
Kiskav

Attachments

abcdsjmo.zip

(310.92 KiB) Downloaded 106 times

Last edited by EP_X0FF on Sat Apr 16, 2011 7:13 am, edited 1 time in total. Reason: Screenshot resized to be more accurate

Username

kiskav

Posts

19

Joined

Mon Aug 23, 2010 12:07 am

McAVG 2011

#4859 by gigaz
Thu Feb 03, 2011 9:22 am

McAVG 2011

http://www.virustotal.com/file-scan/rep ... 1296589459

File uploaded to mediafire (13MB):
[url]hxxp://www.mediafire.com/?0upwcas9tymjze4[/url]

Last edited by EP_X0FF on Sat Apr 16, 2011 7:12 am, edited 1 time in total. Reason: Screenshot resized to be more accurate

Username

gigaz

Posts

14

Joined

Sat Aug 14, 2010 10:57 am

Windows Problem Protector

#4862 by Meriadoc
Thu Feb 03, 2011 3:02 pm

Windows Problem Protector

http://www.virustotal.com/file-scan/rep ... 1296743632

Attachments

freescanner.rar

pass=malware
(2.23 MiB) Downloaded 120 times

Last edited by EP_X0FF on Sat Apr 16, 2011 7:14 am, edited 1 time in total. Reason: Screenshot resized to be more accurate

Who controls the past controls the future
Who controls the present controls the past

Username

Meriadoc

Posts

195

Joined

Sat Mar 13, 2010 7:36 pm

Location

Cymru

Re: Rogue antimalware (FakeAV, FakeAlert)

#4877 by Meriadoc
Fri Feb 04, 2011 11:29 am

gigaz wrote:McAVG

http://www.virustotal.com/file-scan/rep ... 1296589459

File uploaded to mediafire (13MB):
[url]hxxp://www.mediafire.com/?0upwcas9tymjze4[/url]

hxxp://www.spycheck.co.uk/

Who controls the past controls the future
Who controls the present controls the past

Username

Meriadoc

Posts

195

Joined

Sat Mar 13, 2010 7:36 pm

Location

Cymru

Re: Rogue antimalware (FakeAV, FakeAlert)

#4917 by Xylitol
Sun Feb 06, 2011 7:12 pm

Meriadoc wrote:Windows Problem Protector
http://www.virustotal.com/file-scan/rep ... 1296743632

New loc: hXXp://componentsprotector.com/scan4/107/freesystemscan.exe

Windows Problems Protector patcher

Code: Select all

.486 ;Only 2,50 Kb :þ
.model flat,stdcall
option casemap:none

include windows.inc

uselib  MACRO   libname
    include     libname.inc
    includelib  libname.lib
ENDM

uselib  user32
uselib  kernel32

rogue PROTO :DWORD,:DWORD,:DWORD,:DWORD

.data
Titre       db "Windows Problems Protector patch", 0
PasTrouver  db "There is no thread called",13,10,"help",0
Trouver     db "Full of win",13,10,"Enter any serial like 1111-1111-1111-1111 And enjoy",0
szFileName  db "help",0

;====== Patching
AddressToPatch1 dd 0411288h ;0x0411288
ReplaceBy1 db 0EBh,047h ;75 47 JNZ SHORT 00411025 -> To JMP
ReplaceSize1 dd 2 ;2 bytes changed
AddressToPatch2 dd 04112D4h ;0x04112D4
ReplaceBy2 db 090h,090h,090h,090h,090h,090h ;0F85 03030000 JNZ 004115DD
ReplaceSize2 dd 6 ;6 bytes changed
AddressToPatch3 dd 04112DDh ;0x04112DD
ReplaceBy3 db 090h,090h,090h,090h,090h,090h ;0F85 FA020000 JNZ 004115DD
ReplaceSize3 dd 6 ;6 bytes changed
AddressToPatch4 dd 04112EAh ;0x04112EA
ReplaceBy4 db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 004115DD
ReplaceSize4 dd 6 ;6 bytes changed
AddressToPatch5 dd 04112F7h ;0x04112F7
ReplaceBy5 db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 004115DD
ReplaceSize5 dd 6 ;6 bytes changed
AddressToPatch6 dd 0411333h ;0x0411333
ReplaceBy6 db 090h,090h ;7C 05 JL SHORT 0041133A
ReplaceSize6 dd 2 ;2 bytes changed
AddressToPatch7 dd 0411338h ;0x0411338
ReplaceBy7 db 0EBh,047h ;7E 47 JLE SHORT 00411381 -> To JMP
ReplaceSize7 dd 2 ;2 bytes changed

.data?
PID         dd ?

.code
  start:
rogue proc hWin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
            invoke FindWindow, NULL, offset szFileName
            .If eax != NULL
                mov ebx, eax
                Invoke GetWindowThreadProcessId, ebx, offset PID
                Invoke OpenProcess, PROCESS_ALL_ACCESS,NULL, PID
                mov ebx, eax
                            Invoke VirtualProtectEx, ebx, AddressToPatch1, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch1, offset ReplaceBy1, ReplaceSize1, NULL
                           

                            Invoke VirtualProtectEx, ebx, AddressToPatch2, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch2, offset ReplaceBy2, ReplaceSize2, NULL
                           

                            Invoke VirtualProtectEx, ebx, AddressToPatch3, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch3, offset ReplaceBy3, ReplaceSize3, NULL 
                           

                            Invoke VirtualProtectEx, ebx, AddressToPatch4, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch4, offset ReplaceBy4, ReplaceSize4, NULL
                           

                            Invoke VirtualProtectEx, ebx, AddressToPatch5, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch5, offset ReplaceBy5, ReplaceSize5, NULL
                           

                            Invoke VirtualProtectEx, ebx, AddressToPatch6, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch6, offset ReplaceBy6, ReplaceSize6, NULL
                           

                            Invoke VirtualProtectEx, ebx, AddressToPatch7, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch7, offset ReplaceBy7, ReplaceSize7, NULL 
                           
                        Invoke CloseHandle, ebx
                        invoke MessageBox, NULL, addr Trouver, addr Titre, MB_ICONINFORMATION
            .else
                invoke Beep,100,30 ;lol
                invoke MessageBox, NULL, addr PasTrouver, addr Titre, MB_ICONEXCLAMATION
            .endif
                invoke ExitProcess,0
rogue endp
  end start