A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21835  by Xylitol
 Wed Jan 01, 2014 6:08 pm

2010 year FakeAV
2011 year FakeAV
2012 year FakeAV
2013 year FakeAV


Windows Accelerator Pro
https://www.virustotal.com/en/file/6946 ... 388598425/ > 6/46
http://web-sniffer.net/index.php?url=ht ... =GET&uak=0
Network activities:
http://zocrxiyds.freetzi.com/1.php
• dns: 1 ›› ip: 69.162.82.253 - adresse: ZOCRXIYDS.FREETZI.COM
http://c3913c6c.webantiviruslk.pl/index.html
• dns: 1 ›› ip: 109.236.86.172 - adresse: C3913C6C.WEBANTIVIRUSLK.PL
---
http://93.115.82.248/?0=1&1=1&2=9&3=i&4=2600&5=1&6=1111&7=obqrhutjgv
http://93.115.82.248/?0=1&1=1&2=9&3=p&4=2600&5=1&6=1111&7=obqrhutjgv
http://94.185.80.155/customgate2/?callback=jQuery17203112214965869417_1388599195453&name=Xylibox+Labs&email=xylitol%40malwareint.com&num=4111111111111111&cvv=147&year=2017&month=05&phone=3-478-856-54-05&address=123+winlocker+street&country=FRA&state=XX&zip=75000&option=0&support=false&id=1&sub_id=1&install_id=obqrhutjgv&project_id=9&serial=EWBWF-QYHBS-XGTGK-EH0A&_=1388599353015
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195454&transaction_id=646959059412b4308a4c613844951708&_=1388599356453
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195455&transaction_id=646959059412b4308a4c613844951708&_=1388599359469
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195456&transaction_id=646959059412b4308a4c613844951708&_=1388599362469
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195457&transaction_id=646959059412b4308a4c613844951708&_=1388599365469
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195458&transaction_id=646959059412b4308a4c613844951708&_=1388599368469
http://93.115.82.248/?0=1&1=1&2=9&3=p&4=2600&5=1&6=1111&7=obqrhutjgv
--
fakeav://payandsec.com/p/?group=sgp&nid=9A93E62D&affid=85700&lid=0040&ver=0040 https://www.virustotal.com/en/ip-address/178.162.199.33/information/
fakeav://sgpsupport.com/
https://www.virustotal.com/en/ip-addres ... formation/
https://www.virustotal.com/en/ip-addres ... formation/
Attachments
infected
 #21837  by dairu87
 Wed Jan 01, 2014 11:13 pm
Ran across a reallllly nasty Fake AV today... Came with some sort of bootkit... another tech had already removed the rootkit so I cannot identify that... but this Fake AV doesn't seem to be pulling up anything to interfere with people's machines... It looks like it is just running in the background... It dumps a bunch of randomly named folders to %appdata% and fills them with randomly named .exe's to invoke its primary process and max out the CPU & memory. It doesn't seem to have a limit to how many of those directories it makes either... There were about 40 different directories all filled with malicious .exe's. It also dumps around 10-12 randomly named .exe's into the syswow64 directory. I was unable to obtain any samples of a dropper unfortunately (Sorry) But was wondering... has anyone else seen this nasty thing?
 #21855  by patriq
 Fri Jan 03, 2014 10:21 pm
dairu87 wrote:Ran across a reallllly nasty Fake AV today... I was unable to obtain any samples of a dropper unfortunately (Sorry) But was wondering... has anyone else seen this nasty thing?
no sample or hash of the file?

don't think you will find much without those details.. good luck anyways.
 #21861  by Cody Johnston
 Sat Jan 04, 2014 4:19 pm
malwareMD wrote:thanks for sharing, we have also seen similar variants in past week.
dairu87 wrote:It dumps a bunch of randomly named folders to %appdata% and fills them with randomly named .exe's to invoke its primary process and max out the CPU & memory.
dairu87 wrote:It also dumps around 10-12 randomly named .exe's into the syswow64 directory.
Please share what you find if you come across this again. A sample of each exe from %appdata% and syswow64/system32 will work. A screenshot and VirusTotal scan would be very helpful for us as well. Use the first 2 posts in this topic as an example. Many times with rogues the exe that runs the UI acts also as a dropper, so you may in fact have found a dropper already. Thanks! :)
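A triage script for the artefacts dairu87 describes, added here as an example and not posted by anyone in the thread: it lists recently created .exe files under %APPDATA%, %LOCALAPPDATA% and SysWOW64 with MD5 (the hash form used in this thread) and Authenticode status, so samples can be collected and checked on VirusTotal as asked above. It assumes PowerShell 4 or later (for Get-FileHash), an elevated prompt for SysWOW64 access, and the 7-day lookback is an assumed default.

```powershell
# Added example, not from the thread. Lists fresh .exe files in the locations the
# thread names, grouped by directory, with MD5 and signature status for collection.
# Assumptions: PowerShell 4+ (Get-FileHash); run as Administrator; -Days is a guess,
# set it to the suspected infection date.
param(
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)
$roots = @(
    $env:APPDATA,
    $env:LOCALAPPDATA,
    (Join-Path $env:SystemRoot 'SysWOW64')
)

$hits = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Directory = $_.DirectoryName
                Name      = $_.Name
                Path      = $_.FullName
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Created   = $_.CreationTime
                MD5       = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
                SigStatus = $sig.Status
                # Informational only: the sample in this thread carries a look-alike
                # publisher string, so the subject proves nothing by itself.
                Publisher = $sig.SignerCertificate.Subject
            }
        }
}

# Caveat: many Windows system binaries are catalog-signed and report NotSigned here,
# so weigh creation time and the random-name/many-per-folder pattern, not SigStatus alone.
$hits | Group-Object Directory |
    Where-Object { ($_.Group | Where-Object SigStatus -ne 'Valid').Count -ge 2 } |
    ForEach-Object {
        Write-Host "`n== $($_.Name) ($($_.Count) recent .exe)" -ForegroundColor Yellow
        $_.Group | Sort-Object Created |
            Format-Table Name, SizeKB, Created, MD5, SigStatus -AutoSize
    }

# Full list (hash, path, signature) for submission alongside the samples.
$hits | Select-Object MD5, Path, SigStatus |
    Export-Csv -NoTypeInformation -Path .\fakeav_triage.csv
```

Directories that show several fresh unsigned executables created within minutes of each other are the ones to zip (password-protected, as the attachments in this thread are) and share.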
 #21895  by Cody Johnston
 Wed Jan 08, 2014 12:25 am
dairu87 wrote:Ran across a reallllly nasty Fake AV today... Came with some sort of bootkit... another tech had already removed the rootkit so I cannot identify that... but this Fake AV doesn't seem to be pulling up anything to interfere with people's machines... It looks like it is just running in the background... It dumps a bunch of randomly named folders to %appdata% and fills them with randomly named .exe's to invoke its primary process and max out the CPU & memory. It doesn't seem to have a limit to how many of those directories it makes either... There were about 40 different directories all filled with malicious .exe's. It also dumps around 10-12 randomly named .exe's into the syswow64 directory. I was unable to obtain any samples of a dropper unfortunately (Sorry) But was wondering... has anyone else seen this nasty thing?
Attached the dropper; it was in %localappdata% in a randomly named folder. Looks like Cidox.B was the bootkit on this one.

Publisher BitMefender S.R.L.

MD5 204806d51d301a99be49b8882a791cfc
https://www.virustotal.com/en/file/10cc ... 389139839/
Attachments
Password: infected