A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #390  by EP_X0FF
 Mon Mar 22, 2010 2:56 pm
A special class of malicious software, represented mostly by scareware,
including fake antiviruses, anti-spyware, anti-keyloggers, etc.

They may also carry additional malware on board, or download more stuff from the Internet, acting just like a trivial trojan downloader or a trojan multi-dropper.
Some fake AVs are downloaded together with the TDL3 rootkit, for example, or download it themselves.

This class of malicious programs is mostly written in Delphi (but the one listed below is an exception).
They have a quickly made GUI with a lot of graphics. Sometimes they even look very good (the Internet Security/Security Essentials 2010 trojan).

During installation they set themselves to load with Windows, usually via the common registry keys. Sometimes rogue antimalware tries to terminate
all processes running in the background (excluding system processes, of course) to avoid detection and removal.

All of them contain a few hardcoded detections (virus names with fictional descriptions) that the user is made to watch. And all of them ask for your money to be "activated", "updated", etc.

PCDefender from Misha
(Misha is the author's name; the string was found inside the executable -> C:\Users\Misha\Documents\Visual Studio 2010\Projects\Antispyware\Release\Antispyware.pdb)

VirusTotal
http://www.virustotal.com/analisis/5ae5 ... 1269269107

Keeps an additional process loaded, proccheck.exe. It plays the role of a watcher that resurrects the main process of the fake AV if it gets terminated.

Sets itself to autorun through
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Funny screenshots with this rogue.

GUI with detections of course


Viruses found!


Removal is trivial. Suspend proccheck.exe, terminate the main executable and then terminate proccheck.exe, clean up the registry entry and remove the files from disk.
Next, perform a full system scan with a few antiviruses.

If you have more rogues with analysis you have made, feel free to post them here ;)

Sample attached.

MD5
e4d4a59494265949993e26dee7b077d1

SHA1
83e3d0c7e544117d6054e7d55932a7d2dbaf1163
Attachments
pass: malware
 #391  by fatdcuk
 Mon Mar 22, 2010 3:48 pm
Hi all,

LMK if you want me to post new rogue samples to these forums?

Most recent (5 days old) from the Virus Doctor family = "Security Guard"

Attached is the installer
http://www.virustotal.com/analisis/4b68 ... 1269193777

I have the core MZ which doubles as an installer should the downloader not be connecting. However it is too big to attach (can ya bump max uploads up to 4-5MB?)

Enjoy :)
Attachments
 #398  by EP_X0FF
 Tue Mar 23, 2010 5:31 am
Hi Ade,

thanks for the sample :)

There are a few interesting strings inside this binary, if somebody is interested.

Formerly known as Windows PC Defender, Security Antivirus, Virus Doctor, Live PC Guard.
D:\Work\AdwareProjects\DeskTopWork\Cleaners\VirusDoctor
/F /IM
REMOVE
FINISHED PREPARE FOR EXIT
UNINSTALL
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
%s %s%d
Root
SOFTWARE\4\
SOFTWARE\3\
SOFTWARE\Zone Labs\ZoneAlarm\
SOFTWARE\Eset\Nod\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WebrootDesktopFirewall.exe\
SOFTWARE\Symantec\Norton AntiVirus\
SOFTWARE\Sophos\SAVService\Application\
SOFTWARE\rising\Rav\
SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal\
SOFTWARE\Data Fellows\F-Secure\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E58B329B-FB28-4874-90DE-0D7CB2709267}\
SOFTWARE\BitDefender\BitDefender Antivirus 2008\
SOFTWARE\AVG\
SOFTWARE\ComodoGroup\CDI\
SOFTWARE\Agnitum\Security Suite\
PsImSvc.exe;pavprsrv.exe;PavFnSvr.exe;avciman.exe;AVENGINE.EXE;pavsrv51.exe;PskSvc.exe;
TPSrv.exe;WebProxy.exe;PsCtrls.exe;ekrn.exe;egui.exe;McSACore.exe;mcmscsvc.exe;mcnasvc.exe;mcproxy.exe;
mcsysmon.exe;MPFSrv.exe;mcshell.exe;AluSchedulerSvc.exe;ccSvcHst.exe;symlcsvc.exe;ccSvcHst.exe;sched.exe;
avcenter.exe;avgtray.exe;avgemc.exe;avgui.exe;bdmcon.exe;bdagent.exe;ashDisp.exe;AAWTray.exe;Ad-Aware.exe;MSASCui.exe;_avp32.exe;_avpcc.exe;_avpm.exe;aAvgApi.exe;ackwin32.exe;adaware.exe;advxdwin.exe;
agentsvr.exe;agentw.exe;alertsvc.exe;alevir.exe;alogserv.exe;amon9x.exe;anti-trojan.exe;antivirus.exe;ants.exe;apimonitor.exe;
aplica32.exe;apvxdwin.exe;arr.exe;atcon.exe;atguard.exe;atro55en.exe;
atupdater.exe;atwatch.exe;au.exe;aupdate.exe;auto-protect.nav80try.exe;autodown.exe;autotrace.exe;autoupdate.exe;avconsol.exe;ave32.exe;avgcc32.exe;avgctrl.exe;avgnt.exe;
avgrsx.exe;avgserv.exe;avgserv9.exe;avguard.exe;avgw.exe;avkpop.exe;avkserv.exe;avkservice.exe;avkwctl9.exe;avltmain.exe;avnt.exe;avp.exe;avp32.exe;avpcc.exe;avpdos
a.exe;b.exe;c.exe;d.exe;
GET
Mozilla/5.0 (Windows; U; Windows NT 5.1; en;)
.tmp
firefox.exe
\sessionstore.js
/F /IM firefox* /IM mozi*
http://
&getsize=1
HEAD
%s?controller=microinstaller&abbr=%s&setupType=%s&ttl=%s&pid=%s
%s?controller=microinstaller&abbr=%s&setupType=%s&pid=%s
SELECT id,target,state,autoresume FROM moz_downloads WHERE source="
" WHERE id=
UPDATE moz_downloads SET autoResume=1,target="
vector<T> too long
\Main
CurrentVersion
SOFTWARE\Mozilla\Mozilla Firefox
Install Directory
sqlite3_close
sqlite3_finalize
sqlite3_column_text
sqlite3_column_int
sqlite3_step
sqlite3_prepare
sqlite3_open
\sqlite3.dll
,"application/octet-stream"
VALUES (
(name,source,target,tempPath,state,entityID,currBytes,maxBytes,mimeType,preferredApplication,preferredAction,autoResume)
INSERT INTO moz_downloads
SELECT id,state,currBytes,autoresume FROM moz_downloads WHERE source="
default
file:///
DELETE FROM moz_downloads WHERE source="
Default
Path
Profile
\Mozilla\Firefox\profiles.ini
Reviewed before here

Regards.
Last edited by EP_X0FF on Thu Dec 22, 2011 12:11 pm, edited 1 time in total. Reason: merged my several posts in one
 #406  by fatdcuk
 Tue Mar 23, 2010 4:29 pm
Internet AntiVirus family clone -

Should be a rooter bundled with this install ;)
http://softwareprivacy.biz/install/downloadInstaller_vtYUPIVO.php
http://89.149.253.191/install/LES_xp.exe
http://www.virustotal.com/analisis/e5fd ... 1269319987

Have fun :)
Attachments
 #412  by EP_X0FF
 Wed Mar 24, 2010 9:00 am
Hi Ade,

thanks for sample!

It is packed with UPX.
Probably of Russian origin, because of the strings found in the unpacked executable.
Live Enterprise Suite
D6_IPSEC
/verysilent /norestart /NOCANCEL /DIR="c:\program files\Live Enterprise Suite" /password="les"
update
MICROINSTALLER
exe
Unpacked VT result
http://www.virustotal.com/analisis/0962 ... 1269420279

Downloading stuff string
http://%s/install/reg.php?pc_id=%d&action=%d&type=%s&os=%s&abbr=%s&uid=%d&sid=%d&admin=%d
Regards.
 #532  by EP_X0FF
 Fri Apr 02, 2010 6:21 pm
Control Center

Written in CodeGear RAD Studio Delphi (v12.0.3170.16989)

Drops itself to X:\documents and settings\<user>\application data\control components\

Sets itself to autostart through
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
as the Shell component

and (ccagent.exe)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

VirusTotal
http://www.virustotal.com/analisis/ff40 ... 1270231669

GUI

Money for honey dialog

hint: contains a working uninstaller :)
Attachments
pass: malware
 #661  by EP_X0FF
 Mon Apr 12, 2010 1:34 am
Antimalware Doctor

VirusTotal
http://www.virustotal.com/analisis/d494 ... 1271035961

Main window with embedded detections.


Security status.


Activation dialog.


Sets itself to autorun through the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.
Can't be closed with its own "Close" menu.
Attachments
pass: malware
 #662  by EP_X0FF
 Mon Apr 12, 2010 1:49 am
Xp Defender

Drops itself to X:\Documents and Settings\<UserName>\Application Data folder.
(where X is system disk letter).

VirusTotal
http://www.virustotal.com/analisis/869e ... 1271036582

Main Window with embedded detections.

Warning dialog.

Warning 2.

Example of detections (very funny)
Attachments
pass: malware
 #672  by fatdcuk
 Mon Apr 12, 2010 8:07 pm
PaladinAV/AntimalwareDoctor clone with TDSS in one of the droppers

They really don't like my home team... I wonder why, maybe conflict = we will BBQ you every time :P


Have fun :P
Attachments