Saturday, November 19, 2011

Protection Center (FakeAV) - 11.19.2011 - Analysis and Removal

First it messes with the .exe file association so that you won't be able to run programs.

There's .inf and .reg patches to fix this.

Registry Keys Infected:

Folders Infected:
c:\program files\protection center (Rogue.ProtectionCenter)

Files Infected:
c:\documents and settings\infectedxp\local settings\temp\asd3.tmp.exe
c:\documents and settings\infectedxp\local settings\temp\asd4.tmp.exe
c:\documents and settings\infectedxp\local settings\temp\asd5.tmp.exe
c:\documents and settings\infectedxp\local settings\temp\kernel64xp.dll
c:\documents and settings\infectedxp\local settings\temp\wscsvc32.exe
c:\program files\protection center\cnt.db

has same icon as Zentom System Guard (fakeAV)

if MBAM is installed, it will claim that MBAM is infected and will launch its uninstaller.

Ensiferum - Victory Song

Saturday, November 12, 2011

System Restore v1.1 (FakeAV) - 11.12.2011 - Analysis and Removal

JGFMXz1Ipf65 and JGFMXz1Ipf65.exe in %CommonAppData%

"System Restore" entry in the start menu and an icon on the desktop.

Mostly likely will need to make use of TDSSKiller as appears it installs a TDLFS and Rookit.Boot.SST.b which causes browser redirects.

Funf D - Counted

Thursday, November 10, 2011

Dorkbot (Worm) - 11.10.2011 - Analysis and Removal

Creates a heh.cmd file with the following commands:
ping -n 15
taskkill /f /im gagajeje.exe
taskkill /f /im marcia.exe
taskkill /f /im hula.exe
taskkill /f /im official27.exe
taskkill /f /im ev0ga.exe
ping -n 15

Creates the following files in user's %appdata%:
13.exe, 14.exe, 15.exe, 16.tmp, 17.exe, Ahiaia.exe.

Creates "kakao2" folder in user %appdata%.

"newmoon15.exe" in startup menu

a c:\documents folder according to CF.

Music: Bassnectar - Bass Head (MRK1 remix)

Friday, November 04, 2011

Privacy Protection (FakeAV) - 11.05.2011 - Analysis and Removal

"Privacy Protection" is a fake AV in the same category as "Cloud Protection".

Most likely will come bundled with a newer variant of the Max++/Sirefef/ZeroAccess rootkit

Audio: Those Two Guys - 33 Rev (Blake Jarrell and Starkid Mix)