Saturday, November 19, 2011
Protection Center (FakeAV) - 11.19.2011 - Analysis and Removal
====notes====
First it hijacks the .exe file association so that you won't be able to run programs.
There are .inf and .reg patches to fix this.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080
Folders Infected:
c:\program files\protection center (Rogue.ProtectionCenter)
c:\windows\csc\d6
Files Infected:
c:\documents and settings\infectedxp\local settings\temp\asd3.tmp.exe
c:\documents and settings\infectedxp\local settings\temp\asd4.tmp.exe
c:\documents and settings\infectedxp\local settings\temp\asd5.tmp.exe
c:\documents and settings\infectedxp\local settings\temp\kernel64xp.dll
c:\documents and settings\infectedxp\local settings\temp\wscsvc32.exe
c:\program files\protection center\cnt.db
Has the same icon as Zentom System Guard (FakeAV).
If MBAM is installed, it will claim that MBAM is infected and will launch its uninstaller.
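The following triage script is an added example, not part of the original post: it checks the .exe file association hijack described above against the stock Windows defaults and sweeps for the registry keys, folders and files listed for this variant. It assumes an elevated PowerShell session on the affected machine, that the expected association values are the standard ones ("exefile" and "%1" %*), and it rewrites the post's "infectedxp" temp paths relative to the current user's %TEMP%.

```powershell
# Added triage script (not from the original post).
# Assumptions: elevated PowerShell; stock Windows defaults for the .exe association;
# temp paths derived from $env:TEMP instead of the post's "infectedxp" profile.

# Stock association values a healthy machine should have (assumed defaults).
$expectedAssociation = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}

function Get-DefaultValue([string]$KeyPath) {
    # Returns the (Default) value of a registry key, or $null if the key is missing.
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($key) { return $key.GetValue('') }
    return $null
}

function Test-ExeAssociation {
    # Reports every deviation from the expected .exe association.
    $findings = @()
    foreach ($keyPath in $expectedAssociation.Keys) {
        $actual = Get-DefaultValue $keyPath
        if ($actual -ne $expectedAssociation[$keyPath]) {
            $findings += [pscustomobject]@{
                Key      = $keyPath
                Expected = $expectedAssociation[$keyPath]
                Actual   = $actual
            }
        }
    }
    # Per-user class overrides take precedence over HKCR and are a common place
    # for a FakeAV to redirect .exe launches, so any .exe entry there is flagged.
    $userExe = 'HKCU:\Software\Classes\.exe'
    if (Test-Path -LiteralPath $userExe) {
        $findings += [pscustomobject]@{
            Key      = $userExe
            Expected = '<absent>'
            Actual   = Get-DefaultValue $userExe
        }
    }
    return $findings
}

# Artifacts from the post; temp and Program Files paths are resolved per machine.
$artifactPaths = @(
    'HKLM:\SOFTWARE\Protection Center',
    'HKCU:\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8',
    'HKCU:\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080',
    "$env:ProgramFiles\Protection Center",
    "$env:ProgramFiles\Protection Center\cnt.db",
    "$env:SystemRoot\csc\d6",
    "$env:TEMP\asd3.tmp.exe",
    "$env:TEMP\asd4.tmp.exe",
    "$env:TEMP\asd5.tmp.exe",
    "$env:TEMP\kernel64xp.dll",
    "$env:TEMP\wscsvc32.exe"
)

function Find-ProtectionCenterArtifacts {
    # Returns one row per listed artifact with whether it exists on this machine.
    foreach ($path in $artifactPaths) {
        [pscustomobject]@{
            Path    = $path
            Present = (Test-Path -LiteralPath $path)
        }
    }
}

Write-Host '== .exe association check =='
$assoc = Test-ExeAssociation
if ($assoc.Count -eq 0) { Write-Host 'Association looks healthy.' }
else { $assoc | Format-Table -AutoSize }

Write-Host '== Protection Center artifacts present =='
Find-ProtectionCenterArtifacts | Where-Object Present | Format-Table -AutoSize
```

Run it once per logged-on profile, since the HKCU keys and %TEMP% paths belong to whichever user is signed in. A non-empty association report is the condition the .reg patch mentioned above is meant to repair; the script only reports and does not change anything.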
====music====
Ensiferum - Victory Song
Saturday, November 12, 2011
System Restore v1.1 (FakeAV) - 11.12.2011 - Analysis and Removal
====notes====
JGFMXz1Ipf65 and JGFMXz1Ipf65.exe in %CommonAppData%
"System Restore" entry in the start menu and an icon on the desktop.
Most likely will need to make use of TDSSKiller, as it appears to install a TDLFS and Rootkit.Boot.SST.b, which causes browser redirects.
====music====
Funf D - Counted
Thursday, November 10, 2011
Dorkbot (Worm) - 11.10.2011 - Analysis and Removal
====notes====
Creates a heh.cmd file with the following commands:
ping -n 15 127.0.0.1
taskkill /f /im gagajeje.exe
taskkill /f /im marcia.exe
taskkill /f /im hula.exe
taskkill /f /im official27.exe
taskkill /f /im ev0ga.exe
ping -n 15 127.0.0.1
ev0ga.exe
Creates the following files in user's %appdata%:
13.exe, 14.exe, 15.exe, 16.tmp, 17.exe, Ahiaia.exe.
Creates "kakao2" folder in user %appdata%.
"newmoon15.exe" in the Startup menu.
A c:\documents folder, according to CF.
====music====
Bassnectar - Bass Head (MRK1 remix)
Friday, November 04, 2011
Privacy Protection (FakeAV) - 11.05.2011 - Analysis and Removal
====notes====
"Privacy Protection" is a fake AV in the same category as "Cloud Protection".
Most likely will come bundled with a newer variant of the Max++/Sirefef/ZeroAccess rootkit.
====music====
Those Two Guys - 33 Rev (Blake Jarrell and Starkid Mix)
Tuesday, November 01, 2011