Wednesday, February 29, 2012

Smart Fortress 2012 (FakeAV) - 02.29.2012 - Analysis and Removal


This was performed on a virtual machine
__________________________________________________________________________________
Smart Fortress 2012 is an improvement of Smart Protection 2012.

You may have a difficult time getting Windows Explorer (explorer.exe) to launch if you start out in Normal Mode after a reboot.

I started my removal from Safe Mode because of this.
 __________________________________________________________________________________
RogueKiller

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] 529C538A0010DF0D671FFFF1D151FC4E.exe -- C:\Documents and Settings\All Users\Application Data\529C538A0010DF0D671FFFF1D151FC4E\529C538A0010DF0D671FFFF1D151FC4E.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 5 ¤¤¤
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[FILEASSO] HKCR\.exe :  (529C5) -> REPLACED (exefile)

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤
 __________________________________________________________________________________
MBAM

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Fortress 2012 (Rogue.SmartFortress) -> Quarantined and deleted successfully.

Files Detected: 1
C:\Documents and Settings\All Users\Application Data\529C538A0010DF0D671FFFF1D151FC4E\529C538A0010DF0D671FFFF1D151FC4E.exe (Rogue.SmartFortress) -> Quarantined and deleted successfully.
 __________________________________________________________________________________
MGtools

"C:\Documents and Settings\All Users\Application Data\"
529C53~1      Feb 29 2012              "529C538A0010DF0D671FFFF1D151FC4E"

"C:\Documents and Settings\thisisu\Desktop\"
smartf~1.lnk  Feb 29 2012        1324  "Smart Fortress 2012.lnk"

"C:\Documents and Settings\thisisu\Start Menu\Programs\"
SMARTF~1      Feb 29 2012              "Smart Fortress 2012"
 __________________________________________________________________________________
Icon comparisons: screenshots of the 1st, 2nd and 3rd icons (images not reproduced in this text).

Sunday, February 26, 2012

Windows Telemetry Center (FakeAV) - 02.26.2012 - Analysis and Removal

This was performed on a virtual machine
__________________________________________________________________________________
Same family as Windows Functionality Checker and Security Antivirus.

It was essentially identical to Windows Functionality Checker. Even the number of bad registry entries under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options was the same.

However, this time I managed to capture the loading screen of the FakeAV, as seen to the right.

Unfortunately there is not much to report here, since it was so nearly identical to Windows Functionality Checker. Run RogueKiller first; the rest should be very easy unless there is also rootkit activity.

___________________________________________________________________________________
RogueKiller

¤¤¤ Bad processes: 2 ¤¤¤
[SUSP PATH] Protector-hbf.exe -- C:\Documents and Settings\thisisu\Application Data\Protector-hbf.exe -> KILLED [TermProc]
[SUSP PATH] Protector-hbf.exe -- C:\Documents and Settings\thisisu\Application Data\Protector-hbf.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 756 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Inspector (C:\Documents and Settings\thisisu\Application Data\Protector-hbf.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : a.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : aAvgApi.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : AAWTray.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : About.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : ackwin32.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : Ad-Aware.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : adaware.exe (svchost.exe) -> DELETED

Once again, I chose not to copy/paste the entire log here due to its size. The full log can be obtained from: http://pastebin.com/HCW4nBhu
___________________________________________________________________________________
MBAM

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Quarantined and deleted successfully.

Files Detected: 3
C:\Documents and Settings\thisisu\Application Data\Protector-hbf.exe (Rogue.WindowsSmartPartner) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Local Settings\Temp\RarSFX0\filesystemscan.exe (Rogue.WindowsSmartPartner) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Desktop\Windows Telemetry Center.lnk (Rogue.WindowsTelemetryCenter) -> Quarantined and deleted successfully.
___________________________________________________________________________________
MGtools

"C:\Documents and Settings\All Users\Start Menu\Programs\"
window~2.lnk  Feb 26 2012         848  "Windows Telemetry Center.lnk"
___________________________________________________________________________________

Saturday, February 25, 2012

Ecops (Ransom Trojan) - 02.25.2012 - Analysis and Removal

This was performed on a virtual machine


This is a trojan that infects the following files:
  • C:\Windows\explorer.exe
  • C:\Windows\system32\dllcache\explorer.exe


The Company Name of both explorer.exe files was: Belkin Corporation
The MD5 hash value of both explorer.exe files was: cc3031638f4aef9c8d4062bb3103140b  (VT)

This trojan prevents you from doing anything in both Safe Mode and Normal Mode. You're only provided the screen from the screenshot at the top of this post.


The objective here is to restore a clean copy of explorer.exe to both of the above locations.
You need to boot from another device such as a CD, DVD, or USB or slave the infected hard drive to another working (booting) system.

There are many ways to do this; I will provide you with one fairly easy way.

This only applies to the Windows XP operating system!

If you are able to boot from your Windows XP CD, you will be presented with the below:


Press the letter "R" to "Repair a Windows XP installation using Recovery Console."


Press the number "1" to login to your appropriate Windows installation.

When you are at the command prompt window, type in the following two commands:
  • expand d:\i386\explorer.ex_ c:\windows\explorer.exe
  • expand d:\i386\explorer.ex_ c:\windows\system32\dllcache\explorer.exe
The letter d: stands for your CD-ROM drive letter. Typically this is d:, but if you have more than one disc drive or multiple hard drives it could be a different letter. In that case, I find it easiest to type map for a full listing of the drives in the system.

You should be asked to overwrite the existing files unless you have already deleted them. If asked, press "y" for yes. You want to replace the existing (infected) versions.

When both files have been successfully replaced, you should be able to boot into Windows normally again without the Ecops ransom message.
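Before and after running the two expand commands, it is worth confirming what state the two explorer.exe copies are actually in. The Python check below is an added example and not part of the original post: it hashes both copies, compares them with the known-bad MD5 quoted above, checks that the live copy and the dllcache copy agree (the post restores both for a reason: Windows File Protection restores from dllcache, so a clean system has matching copies), optionally compares against the hash of a reference copy expanded from the install media, and looks for the UTF-16 "Belkin Corporation" string the post observed in the version info. The demo() function exercises it on constructed sample files in a temporary directory; the paths and byte contents there are made up for the example.

```python
"""Check the two explorer.exe copies before and after restoring them.

Added example, not part of the original post. The only known-bad value the
page gives is the MD5 of the infected explorer.exe; a clean reference hash can
be taken from the copy expanded out of explorer.ex_ on the install media.
"""
import hashlib
import os
import tempfile

# MD5 of the infected explorer.exe quoted in the post.
KNOWN_BAD_MD5 = {"cc3031638f4aef9c8d4062bb3103140b"}

# Both locations the trojan overwrote; the post restores both of them.
DEFAULT_PATHS = (r"C:\Windows\explorer.exe",
                 r"C:\Windows\system32\dllcache\explorer.exe")

# Version-info strings are stored as UTF-16LE inside the PE resource section, so a
# crude byte search finds the CompanyName the post observed without a PE parser.
COMPANY_STRINGS = ("Belkin Corporation", "Microsoft Corporation")


def md5_file(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def company_hint(path, candidates=COMPANY_STRINGS):
    """Return the first candidate company string present as UTF-16LE, else None."""
    with open(path, "rb") as f:
        data = f.read()
    for name in candidates:
        if name.encode("utf-16-le") in data:
            return name
    return None


def check_explorer_copies(paths=DEFAULT_PATHS, known_bad=KNOWN_BAD_MD5, known_good=None):
    """Hash each copy and compare against known-bad/known-good hashes and each other."""
    hashes = {p: md5_file(p) for p in paths}
    report = {
        "hashes": hashes,
        "company": {p: company_hint(p) for p in paths},
        "known_bad": [p for p, h in hashes.items() if h in known_bad],
        # the live copy and the dllcache copy must agree once both are restored
        "copies_match": len(set(hashes.values())) == 1,
        "not_known_good": [p for p, h in hashes.items() if known_good and h != known_good],
    }
    report["clean"] = (not report["known_bad"] and report["copies_match"]
                       and not report["not_known_good"])
    return report


def demo():
    """Run the check on constructed sample files before and after a simulated restore."""
    infected = b"MZ" + "Belkin Corporation".encode("utf-16-le") + b"\x90" * 64   # constructed
    clean = b"MZ" + "Microsoft Corporation".encode("utf-16-le") + b"\x00" * 64    # constructed
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "explorer.exe")
        cache = os.path.join(d, "dllcache_explorer.exe")
        for p in (live, cache):
            with open(p, "wb") as f:
                f.write(infected)
        bad = {hashlib.md5(infected).hexdigest()}      # stands in for the post's hash
        before = check_explorer_copies((live, cache), known_bad=bad)
        for p in (live, cache):                         # simulate 'expand' onto both paths
            with open(p, "wb") as f:
                f.write(clean)
        after = check_explorer_copies((live, cache), known_bad=bad,
                                      known_good=hashlib.md5(clean).hexdigest())
    return before, after


if __name__ == "__main__":
    for label, rep in zip(("before", "after"), demo()):
        print(label, "clean" if rep["clean"] else "NOT clean", rep["company"])
```

On a slaved drive, call check_explorer_copies with the two paths on the mounted volume and, for known_good, the MD5 of a copy you expanded from the same service-pack media onto a scratch location; a report that is "clean" only because both copies match is not enough on its own, since the trojan made them match too.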
__________________________________________________________________________________ 

Thursday, February 23, 2012

Windows Functionality Checker (FakeAV) bundled with ZeroAccess (Rootkit) - 02.23.2012 - Analysis and Removal

This was performed on a virtual machine
__________________________________________________________________________________
Looks very similar to Security Antivirus. It definitely packs more of a punch though and I'm not just referring to the ZeroAccess rootkit that was bundled in the sample I ran.

Instead of modifying the hosts file, it creates hundreds (700+) of bad entries in this key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options.

This is something I needed to refamiliarize myself with as well. This article by a malware researcher at McAfee explained it very well (at least for me): Image File Execution Options

For example, this line is from RogueKiller: [IFEO] HKLM\[...]\Image File Execution Options : taskmgr.exe (C:\Documents and Settings\infectedxp\Application Data\Protector-cxf.exe task) -> DELETED

Task Manager was just one of the many applications that were hijacked and would launch the FakeAV if opened.

Just to reiterate, you are not completely blocked from running Task Manager, which is typically the case in the majority of FakeAVs. Most of the time the legitimate Task Manager will open and then immediately close and report that taskmgr.exe (Task Manager) is infected, remember? :-)

With this type of FakeAV, Task Manager gives you no errors and does launch, but what opens is the FakeAV's own version of Task Manager :grin
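The registry entries RogueKiller reports for this infection, together with the Security Center and .exe file-association hijacks it reported in the Smart Fortress 2012 post above, can be triaged mechanically. The following Python script is an added example, not RogueKiller's or this blog's code: it parses RogueKiller's bracket-tagged registry lines (the sample lines are constructed, modelled on the ones quoted in these posts), flags IFEO redirects whose target is a bare image name, lives in a user-writable profile directory, or is shared by many programs at once (the hallmark of the 700+ entry variant), and writes a .reg file that sets HKCR\.exe back to exefile, zeroes the DisableNotify values and deletes the hijacked IFEO subkeys. The expansion of RogueKiller's [...] abbreviations to full key paths is hard-coded for the keys seen on this page.

```python
"""Triage RogueKiller registry findings and build a .reg restore script.

Added example (not RogueKiller's or the blog author's code). Parses the
bracket-tagged registry lines RogueKiller prints and handles the hijack
classes seen on this page: [FILEASSO] .exe association, [HJ] Security Center
DisableNotify flags, [IFEO] program redirects and [SUSP PATH] Run entries.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the RogueKiller lines quoted in these posts.
SAMPLE_LOG = r"""
¤¤¤ Registry Entries: 7 ¤¤¤
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[FILEASSO] HKCR\.exe :  (529C5) -> REPLACED (exefile)
[SUSP PATH] HKCU\[...]\Run : Inspector (C:\Documents and Settings\user\Application Data\Protector-xyz.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : taskmgr.exe (C:\Documents and Settings\user\Application Data\Protector-xyz.exe task) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : a.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : Ad-Aware.exe (svchost.exe) -> DELETED
"""

LINE_RE = re.compile(
    r"^\[(?P<tag>[A-Z ]+)\] (?P<key>.+?) : (?P<name>.*?) \((?P<data>.*?)\) -> (?P<action>.+)$"
)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKCR": "HKEY_CLASSES_ROOT"}
# RogueKiller shortens key paths to HIVE\[...]\Leaf; these are the real locations.
ABBREV = {
    "Security Center": r"SOFTWARE\Microsoft\Security Center",
    "Image File Execution Options": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    "Run": r"Software\Microsoft\Windows\CurrentVersion\Run",
    "RunOnce": r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
USER_WRITABLE = re.compile(r"documents and settings|\\users\\|appdata|\\temp\\", re.I)


def expand_key(key):
    """Turn an abbreviated RogueKiller key (hive, [...], leaf) into a full .reg path."""
    hive, _, tail = key.partition("\\")
    if tail.startswith("[...]\\"):
        tail = ABBREV[tail[len("[...]\\"):]]
    return HIVES[hive] + "\\" + tail


def parse_entries(log):
    """Return one dict (tag, key, name, data, action) per registry line."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def ifeo_hijacks(entries, mass_threshold=10):
    """Group IFEO redirects by target and return the suspicious targets.

    A target is flagged when it is a bare image name (resolved via PATH rather
    than an absolute path), when it lives in a user-writable profile directory,
    or when one target is wired to many programs at once.
    """
    by_target = defaultdict(list)
    for e in entries:
        if e["tag"] == "IFEO":
            by_target[e["data"]].append(e["name"])
    flagged = {}
    for target, programs in by_target.items():
        m = re.match(r"(.*?\.exe)\b", target, re.I)   # drop trailing arguments such as ' task'
        exe = m.group(1) if m else target
        if "\\" not in exe or USER_WRITABLE.search(exe) or len(programs) >= mass_threshold:
            flagged[target] = sorted(programs)
    return flagged


def build_restore_reg(entries):
    """Emit a .reg script that undoes the hijacks found in the parsed entries."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for e in entries:
        key = expand_key(e["key"])
        if e["tag"] == "FILEASSO" and key.lower().endswith("\\.exe"):
            lines += [f"[{key}]", '@="exefile"', ""]           # .exe must map back to exefile
        elif e["tag"] == "HJ" and e["name"].endswith("DisableNotify"):
            lines += [f"[{key}]", f'"{e["name"]}"=dword:00000000', ""]
        elif e["tag"] == "IFEO":
            lines += [f"[-{key}\\{e['name']}]", ""]           # delete the per-program subkey
        elif e["tag"] == "SUSP PATH" and key.endswith(("\\Run", "\\RunOnce")):
            lines += [f"[{key}]", f'"{e["name"]}"=-', ""]      # remove the autostart value
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    for target, programs in ifeo_hijacks(found).items():
        print(f"IFEO redirect -> {target}: {len(programs)} program(s)")
    print(build_restore_reg(found))
```

Review the generated .reg before importing it: deleting an IFEO subkey also removes any legitimate Debugger value a developer may have set for that program, and the Run-value removal is only as good as RogueKiller's [SUSP PATH] judgement.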
__________________________________________________________________________________
RogueKiller


¤¤¤ Bad processes: 4 ¤¤¤
[SUSP PATH] Protector-cxf.exe -- C:\Documents and Settings\infectedxp\Application Data\Protector-cxf.exe -> KILLED [TermProc]
[SUSP PATH] Protector-cxf.exe -- C:\Documents and Settings\infectedxp\Application Data\Protector-cxf.exe -> KILLED [TermProc]
[RESIDUE] Protector-cxf.exe -- C:\Documents and Settings\infectedxp\Application Data\Protector-cxf.exe -> KILLED [TermProc]
[RESIDUE] Protector-cxf.exe -- C:\Documents and Settings\infectedxp\Application Data\Protector-cxf.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 756 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Inspector (C:\Documents and Settings\infectedxp\Application Data\Protector-cxf.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : a.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : aAvgApi.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : AAWTray.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : About.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : ackwin32.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : Ad-Aware.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : adaware.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : advxdwin.exe (svchost.exe) -> DELETED

¤¤¤ Infection : ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!


I did not want to copy/paste all the information in this post due to its size. If interested, the full log can be obtained from here: http://pastebin.com/Hq79yqJe
 __________________________________________________________________________________
MBAM

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Quarantined and deleted successfully.

Files Detected: 1
C:\Documents and Settings\infectedxp\Application Data\Protector-cxf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
 __________________________________________________________________________________
TDSSKiller

14:21:05.0039 0628    NetBT ( Virus.Win32.ZAccess.aml ) - infected
14:21:05.0039 0628    NetBT - detected Virus.Win32.ZAccess.aml (0)

14:21:16.0125 0632    C:\WINDOWS\system32\DRIVERS\netbt.sys - copied to quarantine
14:21:16.0255 0632    Backup copy found, using it..
14:21:16.0265 0632    C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
14:21:16.0546 0632    NetBT ( Virus.Win32.ZAccess.aml ) - User select action: Cure
 __________________________________________________________________________________ 
CF

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB35486$
c:\windows\$NtUninstallKB35486$\1629779852
c:\windows\$NtUninstallKB35486$\1842931526\@
c:\windows\$NtUninstallKB35486$\1842931526\cfg.ini
c:\windows\$NtUninstallKB35486$\1842931526\Desktop.ini
c:\windows\$NtUninstallKB35486$\1842931526\L\anjgdmvc

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11776:UDP"= 11776:UDP:UDP 11776         <--- Delete this value
"20573:UDP"= 20573:UDP:UDP 20573         <--- Delete this value
"21174:TCP"= 21174:TCP:TCP 21174           <--- Delete this value
"10118:TCP"= 10118:TCP:TCP 10118           <--- Delete this value
 __________________________________________________________________________________
MGtools

"C:\Documents and Settings\All Users\Start Menu\Programs\"
window~3.lnk  Feb 23 2012         875  "Windows Functionality Checker.lnk"

"C:\Documents and Settings\infectedxp\Desktop\"
window~1.lnk  Feb 23 2012         841  "Windows Functionality Checker.lnk"

"C:\Documents and Settings\infectedxp\Application Data\"
result.db           Feb 23 2012          282  "result.db"
__________________________________________________________________________________
Misc Notes:
Has a fancy loading screen :-P (I did not screenshot this.)
MBAM hung twice when trying to delete all the bad registry entries, so I used RogueKiller instead.
No other residual OS damage. NetBT (internet related) was successfully restored with TDSSKiller.
___________________________________________________________________________________

Security Scanner 2012 (FakeAV) - 02.23.2012 - Analysis and Removal

This was performed on a virtual machine
__________________________________________________________________________________
Much like Security Shield 2011, upon first injection you will be notified that "<Name of Fake AV> has been installed successfully!".

It does not matter whether you press X or OK: you are already infected, and the Fake AV will automatically start "scanning" your system.
__________________________________________________________________________________
For this one, I gave MBAM's Chameleon a try to stop the bad process (fzbif.exe) from running.

It works quite nicely and is a handy feature if you are able to install MBAM or already have it installed. It is available to all MBAM users, whether you are using the paid version or not.

Simply go into the C:\Program Files\MalwareBytes' Anti-Malware\Chameleon folder and start trying to run the files there.

There is even a help file in that folder, chameleon.chm, if you need additional assistance.

__________________________________________________________________________________
MBAM

Files Detected: 1
C:\Documents and Settings\infectedxp\Local Settings\Application Data\fzbif.exe (Trojan.Agent) -> Quarantined and deleted successfully.
__________________________________________________________________________________
Misc Notes:
Two associated icons in the bottom right corner of the taskbar.
___________________________________________________________________________________

Internet Security (FakeAV) - 02.23.2012 - Analysis and Removal

This was performed on a virtual machine
__________________________________________________________________________________
This one is very similar to Privacy Protection.
This entire infection, minus any potentially bundled rootkits, is tied to a single bad .exe (isecurity.exe) in the %allusersprofile% directory.
__________________________________________________________________________________
RogueKiller

¤¤¤ Bad processes: 2 ¤¤¤
[WINDOW : Internet Security] isecurity.exe -- C:\Documents and Settings\All Users\Application Data\isecurity.exe -> KILLED [TermProc]
[SUSP PATH] isecurity.exe -- C:\Documents and Settings\All Users\Application Data\isecurity.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 2 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Internet Security (C:\Documents and Settings\All Users\Application Data\isecurity.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1844237615-688789844-842925246-1003[...]\Run : Internet Security (C:\Documents and Settings\All Users\Application Data\isecurity.exe) -> FOUND

¤¤¤ Infection : Rogue.AntiSpy-SP ¤¤¤
 __________________________________________________________________________________
MBAM

Files Detected: 2
C:\Documents and Settings\All Users\Application Data\isecurity.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Local Settings\temp\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
__________________________________________________________________________________
MGtools

"C:\Documents and Settings\All Users\Desktop\"
intern~1.lnk  Feb 23 2012         794  "Internet Security.lnk"
__________________________________________________________________________________
Misc notes:
Use a tool such as RogueKiller or RKill to stop isecurity.exe from running. The majority of .exe applications will be immediately closed and reported as infected until you do.
___________________________________________________________________________________

Saturday, February 18, 2012

ZeroAccess Authors Are Now Faking Company Name: Oak Technology Inc.

First, I should mention that Oak Technology Inc is a legitimate company that designs, develops, and markets high-performance multimedia semiconductors and related software to original equipment manufacturers worldwide who serve the multimedia PC, digital video consumer electronics, and digital office equipment markets. For more information, read here: Wiki

Similar to how many malware authors fake the company name "Microsoft Corporation" to avoid detection and removal of their files, services, and drivers, the authors behind ZeroAccess now seem to be going for a more subtle approach with "Oak Technology Inc."

The latest ZeroAccess infections, which MBAM labels RootKit.0Access.H, include a malicious .DLL file in the C:\WINDOWS\system32 directory. For example: C:\WINDOWS\system32\downloadmanagerlite.dll

Malwarebytes' Anti-Malware seems to be on top of this, but one thing it lacks is the ability to find and remove the bad NetSvcs data value (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost|netsvcs) associated with this .DLL.

For example, this was taken from an OTL log (Old Timer's List It) with this new variant of ZeroAccess:

NetSvcs: ksthunk - C:\WINDOWS\system32\downloadmanagerlite.dll (Oak Technology Inc.)

So as you can see, not only is there a bad .DLL file in system32 (downloadmanagerlite.dll), but it is also tied to a bad NetSvcs data value (ksthunk).

That's not the end of it though. There is also a bad service, usually with the same name as the NetSvcs data value.

The below was also taken from an OTL log:

SRV - [2008/04/13 17.14.22 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\system32\downloadmanagerlite.dll -- (ksthunk)

This service (ksthunk) is also problematic and needs to be stopped and deleted.

To ensure complete removal, all three components need to be deleted.
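The three components (the DLL, the netsvcs value and the service) can be pulled out of an OTL log and cross-checked automatically. The Python script below is an added example, not OTL's or this blog's code: it parses OTL's "NetSvcs:" and "SRV -" lines (the excerpt is constructed, modelled on the two lines quoted above), compares each netsvcs member against a baseline of the service names a clean Windows XP installation puts in that group (the baseline here is abbreviated and is an assumption for the example; take a real one from a clean machine of the same build), and for each unknown member reports the DLL, the claimed company name, and whether a matching service entry exists. The company name is recorded but deliberately not used as a signal, for exactly the reason this post gives.

```python
"""Pull the three ZeroAccess components out of an OTL log.

Added example, not OTL's or the blog author's code. It reads OTL's
'NetSvcs:' and 'SRV -' lines, compares each netsvcs member against a baseline
of service names and, for each unknown member, reports the DLL, the claimed
company name and the matching service so all three can be removed together.
"""
import re

# Constructed excerpt modelled on the two OTL lines quoted in the post.
SAMPLE_OTL = r"""
NetSvcs: 6to4 -  File not found
NetSvcs: ksthunk - C:\WINDOWS\system32\downloadmanagerlite.dll (Oak Technology Inc.)
NetSvcs: wscsvc - C:\WINDOWS\system32\wscsvc.dll (Microsoft Corporation)
SRV - [2008/04/13 17.14.22 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\system32\downloadmanagerlite.dll -- (ksthunk)
SRV - [2008/04/13 17.12.00 | 000,080,384 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wscsvc.dll -- (wscsvc)
"""

# Abbreviated baseline of netsvcs group members on a clean Windows XP system.
# This list is an assumption for the example; build the real one from a clean
# machine of the same build (export the Svchost key's netsvcs value and keep it).
XP_NETSVCS_BASELINE = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP", "ERSvc",
    "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias", "Iprip", "Irmon",
    "LanmanServer", "LanmanWorkstation", "Messenger", "Netman", "Nla", "Ntmssvc",
    "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman", "Remoteaccess", "Schedule",
    "Seclogon", "SENS", "Sharedaccess", "SRService", "Tapisrv", "Themes", "TrkWks",
    "W32Time", "WZCSVC", "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov",
}

NETSVCS_RE = re.compile(r"^NetSvcs: (?P<name>\S+) - (?P<rest>.*)$")
DLL_RE = re.compile(r"^(?P<path>.+?\.dll) \((?P<company>[^)]*)\)$", re.I)
SRV_RE = re.compile(
    r"^SRV - \[[^\]]*\] \((?P<company>[^)]*)\) \[(?P<state>[^\]]*)\]"
    r" -- (?P<path>.+?) -- \((?P<service>[^)]*)\)$"
)


def parse_otl(text):
    """Return (netsvcs member -> dll info or None, service name -> service info)."""
    netsvcs, services = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = NETSVCS_RE.match(line)
        if m:
            dm = DLL_RE.match(m.group("rest").strip())
            netsvcs[m.group("name")] = (
                {"dll": dm.group("path"), "company": dm.group("company")} if dm else None
            )
            continue
        m = SRV_RE.match(line)
        if m:
            services[m.group("service")] = {
                "dll": m.group("path"), "company": m.group("company"), "state": m.group("state")
            }
    return netsvcs, services


def find_rogue_netsvcs(text, baseline=XP_NETSVCS_BASELINE):
    """Report netsvcs members that are not in the baseline and point at a DLL."""
    netsvcs, services = parse_otl(text)
    known = {n.lower() for n in baseline}
    findings = []
    for name, info in netsvcs.items():
        if info is None or name.lower() in known:
            continue
        srv = services.get(name, {})
        findings.append({
            "service": name,
            "dll": info["dll"],
            "company": info["company"],        # recorded only; ZeroAccess forges this field
            "srv_state": srv.get("state"),
            "srv_dll_matches": srv.get("dll", "").lower() == info["dll"].lower(),
        })
    return findings


def removal_plan(findings):
    """The three things to remove per finding: service first, since the DLL cannot
    be deleted while svchost still has it loaded, then the netsvcs value, then the file."""
    plan = []
    for f in findings:
        plan.append(("service", f["service"]))        # stop and delete the service
        plan.append(("netsvcs_value", f["service"]))  # drop the name from Svchost\netsvcs
        plan.append(("file", f["dll"]))               # delete the DLL itself
    return plan


if __name__ == "__main__":
    for action, target in removal_plan(find_rogue_netsvcs(SAMPLE_OTL)):
        print(f"{action:14} {target}")
```

A member that is in the baseline but whose DLL path or service entry looks wrong is not caught by this check; the baseline comparison only catches added names like ksthunk, which is the pattern this post describes.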

Symptoms include:
  • High CPU usage
  • "Wild ping", which I assume means ping.exe is constantly being used

These are just some examples of what others have mentioned.

With this rootkit constantly being improved, expect other legitimate company names to be used.

Just something to look out for :-)


=========================================
Edit: MBAM can now find and delete NetSvcs data values!
=========================================

Just saw the below in one of the threads I am currently working on:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^n^ -> Quarantined and deleted successfully.

Saturday, February 11, 2012

Max++ / Sirefef / ZeroAccess Rootkit Analysis and Full Removal Procedure by Thisisu - Volume IV

Hello,

Yesterday when I was only looking for FakeAVs to analyze, I ended up getting a surprise which was a ZeroAccess rootkit. After months of purposely trying to infect a virtual machine with this rootkit (so I didn't have to keep infecting my own live computer with it for analysis purposes), I had pretty much convinced myself that every ZeroAccess dropper had some sort of anti "VMdetect" code which blocked me from doing so. So after making three videos of me infecting my own computer with three different ZeroAccess droppers (and learning A LOT!), I resorted to posting the results of other live machines I encountered with the rootkit.

These two videos show me injecting a virtual machine with about 8 droppers that were labeled "Fake AV / Fake Recovery". Turns out one of them infected my Windows XP virtual machine with ZeroAccess too :)

So without further ado, here is my experience recorded on video:


If you enjoyed the videos, subscribe to my blog or leave me a comment :-)

Thursday, February 09, 2012

Security Monitor 2012 (FakeAV) - 02.09.2012 - Analysis and Removal

This was performed on a virtual machine
__________________________________________________________________________________
MBAM

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Security Monitor 2012 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|jo50nluvu7bb (Trojan.FakeAlert) -> Data: C:\Documents and Settings\infectedxp\Desktop\e8c572741be7ef52e20e97b91a780ec1.exe -> Quarantined and deleted successfully.

Files Detected: 7
C:\Documents and Settings\infectedxp\Desktop\e8c572741be7ef52e20e97b91a780ec1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Application Data\Security Monitor 2012\Security Monitor.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Application Data\Security Monitor 2012\securityhelper.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Application Data\Security Monitor 2012\securitymanager.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Local Settings\temp\ppddfcfux.exxe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Local Settings\temp\w32rim_mem.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Local Settings\temp\wrfwe_di.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
__________________________________________________________________________________
MGtools

"C:\Documents and Settings\infectedxp\Application Data\"
SECURI~1      Feb  9 2012              "Security Monitor 2012"

 Directory of C:\Documents and Settings\infectedxp\Application Data\Security Monitor 2012

02/09/2012  01:14 AM    <DIR>          .
02/09/2012  01:14 AM    <DIR>          ..
02/01/2012  04:43 AM               894 IcoActivate.ico
02/01/2012  04:43 AM               894 IcoHelp.ico
02/01/2012  04:43 AM               894 IcoUninstall.ico
               3 File(s)          2,682 bytes
               2 Dir(s)   7,837,241,344 bytes free


"C:\Documents and Settings\infectedxp\Desktop\"
securi~1.lnk  Feb  9 2012        1940  "Security Monitor 2012.lnk"

"C:\Documents and Settings\infectedxp\Start Menu\Programs\"
SECURI~1      Feb  9 2012              "Security Monitor 2012"
securi~1.lnk  Feb  9 2012        1940  "Security Monitor 2012.lnk"
__________________________________________________________________________________
Notes:

You can kill all 3 bad processes within the Task Manager:
  • Security Monitor.exe
  • securityhelper.exe
  • securitymanager.exe
However, one of these processes turns your entire screen a very dark gray color, and it almost appears as though you will have to reboot to do anything further. Windows + R does not work, but Ctrl+Shift+Esc will. This will launch the Task Manager so you can end the processes above, and then your background will return to its original state. If worst comes to worst, boot into Safe Mode for a higher chance of success, as most FakeAVs won't automatically launch there.

Among the many pop-ups and warnings from 3 different processes, there is also audio embedded in the Security Monitor.exe file / process. It's a female voice that constantly blurts out something along the lines of "Infection found". It is highly advisable to turn your volume down if you are having trouble stopping the processes quickly :-)

Also, I find it important to note that there is a bad registry entry whose only purpose is to execute the bad .exe you downloaded. In my case it was e8c572741be7ef52e20e97b91a780ec1.exe; you can see that this file is on my desktop.

This is the .exe that spawns the other 3 bad processes mentioned above. So upon every reboot, if this registry value is present (as well as the .exe it points to), it will recreate all 3 bad files in %appdata%.
___________________________________________________________________________________

Wednesday, February 08, 2012

Smart Protection 2012 (FakeAV) - 02.08.2012 - Analysis and Removal

This was performed on a virtual machine


I found this one very similar to Security Sphere 2012. Full report with video here.

Upon infection, the screen above appears and starts to "scan" your system automatically. Whenever the "scan" is finished, the screenshot to the right will appear. These are all fake notices that your PC is infected, as Smart Protection 2012 is not legitimate to begin with. A tip: if you did not install and execute it yourself, a red flag should go off that this is all faked and created by malware coders. This one, however, is not very difficult to remove.

Below are other prompts you may be presented with.

__________________________________________________________________________________
RogueKiller

¤¤¤ Registry Entries: 1 ¤¤¤
[SUSP PATH] HKCU\[...]\RunOnce : 529C538A01ACD5B85EA115DBD151FC4E (C:\Documents and Settings\All Users\Application Data\529C538A01ACD5B85EA115DBD151FC4E\529C538A01ACD5B85EA115DBD151FC4E.exe) -> DELETED
__________________________________________________________________________________
MBAM

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Protection 2012 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Detected: 1
C:\Documents and Settings\All Users\Application Data\529C538A01ACD5B85EA115DBD151FC4E\529C538A01ACD5B85EA115DBD151FC4E.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
__________________________________________________________________________________
MGtools

"C:\Documents and Settings\All Users\Application Data\"
529C53~1      Feb  8 2012              "529C538A01ACD5B85EA115DBD151FC4E"

"C:\Documents and Settings\infectedxp\Desktop\"
smartp~1.lnk  Feb  8 2012        1328  "Smart Protection 2012.lnk"

"C:\Documents and Settings\infectedxp\Start Menu\Programs\"
SMARTP~1      Feb  8 2012              "Smart Protection 2012"
__________________________________________________________________________________
Misc notes:

You will need a tool like RogueKiller to stop the bad process first as Task Manager will be reported as infected.
Even applications like Paint (mspaint.exe) will report as infected.

Most of these types of infections nowadays come bundled with a rootkit, e.g. ZeroAccess.
The FakeAV itself is not intended to slow your PC down; it is just there to try to scam you out of financial information.
A rootkit, however, will dramatically slow down your PC or, in the worst case, cause the PC not to boot.

I recommend checking for rootkits first with TDSSKiller. Contrary to popular belief, I tend to run ComboFix as one of my very last scans. I do not use ComboFix as a rootkit scanner, rather I prefer to use it to remove some of the final traces of a ZeroAccess rootkit.
___________________________________________________________________________________

Sunday, February 05, 2012

Internet Defender (FakeAV) - 02.05.2012 - Analysis and Removal

This was performed on a virtual machine


Here is what you may receive before actually getting infected: a warning message similar to the following.
Pressing OK prompts you to download and run a suspicious .exe file. In my case it was "SETUP_SECURITY_DEFENDER_704[1].EXE". This is your last chance to avoid getting infected.

If you choose OK, Internet Defender starts scanning your PC and falsely claims you are infected with malware, when in fact "Internet Defender" is the malware!

Luckily this one is not overbearing, and you are allowed to end the task from the Task Manager, which for me was a command running within rundll32.exe.


Here is where the "Activate" or "Remove All" buttons will take you. Remember, you should never enter any information. This is all created by malware coders in an attempt to scam you for financial information.
__________________________________________________________________________________
SAS

 Trojan.Agent/Gen-Reveton
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\CD64E813-B88C-2363-C505-6DF419E1973E.AVI
    C:\DOCUMENTS AND SETTINGS\INFECTEDXP\APPLICATION DATA\CD64E813-B88C-2363-C505-6DF419E1973E.AVI
    C:\WINDOWS\SYSTEM32\CD64E813-B88C-2363-C505-6DF419E1973E.AVI

Trojan.Agent/Gen-FakeDefender
    C:\DOCUMENTS AND SETTINGS\INFECTEDXP\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\4K06JYK8\SETUP_SECURITY_DEFENDER_704[1].EXE
__________________________________________________________________________________
MBAM

Files Detected: 5
C:\Documents and Settings\infectedxp\Local Settings\Application Data\CD64E813-B88C-2363-C505-6DF419E1973E.avi (Trojan.Crypt) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Desktop\Internet Defender.lnk (Rogue.InternetDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\infectedxp\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Defender.lnk (Rogue.InternetDefender) -> Quarantined and deleted successfully.
C:\Program Files\Internet Defender\Internet Defender.dll (Rogue.InternetDefender) -> Quarantined and deleted successfully.
C:\Program Files\Internet Defender\Internet Defender.ico (Rogue.InternetDefender) -> Quarantined and deleted successfully.
___________________________________________________________________________________