Malware Analysis and Removal

Panda Security Creates ZeroAccess Cleaning Tool (Yorkyt.exe) - Removes Abnow Redirect

2012-03-15T18:29:00.012-06:00

Panda Security has created an AntiZeroAccess tool that works very well compared to others I have tested in the past. In fact, it practically removed every trace of ZeroAccess minus 2-3 dormant files. What really impressed me was that it was able to delete the heart of ZeroAccess, the $NtUninstallKBXXXXX$ folder. I am posting my results from the scans and information I was able to gather. I used

Best Virus Protection (FakeAV) bundled with RLoader (Rootkit) - 03.08.2012 - Analysis and Removal

2012-03-08T20:48:00.003-06:00

This was performed on a virtual machine. __________________________________________________________________________________ Looks similar to Microsoft Security Essentials, a legitimate antivirus. It is not very aggressive. Here is one of the alerts to the right: __________________________________________________________________________________ RogueKiller ¤¤¤ Bad processes: 1 ¤¤¤ [

ZeroAccess Authors Are Now Faking Company Name: Iomega

2012-03-06T03:45:00.004-06:00

In a previous post I mentioned that ZeroAccess authors were faking the Company name: Oak Technologies Inc. Well, they have changed who they want to disguise their malicious .dll files to the company Iomega. Oak Technologies Inc. will still be used but be prepared to start looking out for files with the company name Iomega as well. ____________________________________________________________

Windows 8 Consumer Preview - Windows Smart Partner (FakeAV) - 03.03.2012 - Analysis and Removal

2012-03-03T19:16:00.011-06:00

This is the new Metro UI in Windows 8 I figured I should start experimenting with Windows 8. What better way to learn Windows 8 than infecting the OS with a Fake Antivirus and then removing it? :-D I did disable Windows Defender before I was able to get infected. Windows Defender was actually blocking my previous attempts to get infected :-) So far I am impressed with the new Windows Defender

Smart Fortress 2012 (FakeAV) - 02.29.2012 - Analysis and Removal

2012-02-29T18:00:00.000-06:00

This was performed on a virtual machine __________________________________________________________________________________ Smart Fortress 2012 is an improvement of Smart Protection 2012. You may have a difficult time getting Windows Explorer (explorer.exe) to launch if you start out in Normal Mode after a reboot. I started my removal from Safe Mode because of this. ___________________________

Windows Telemetry Center (FakeAV) - 02.26.2012 - Analysis and Removal

2012-02-26T03:56:00.004-06:00

This was performed on a virtual machine __________________________________________________________________________________ Same family as Windows Functionality Checker and Security Antivirus. It was basically exactly the same as Windows Functionality Checker. Even the number of bad registry entries at KEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options

Ecops (Ransom Trojan) - 02.25.2012 - Analysis and Removal

2012-02-25T01:53:00.001-06:00

This was performed on a virtual machine This is a trojan that infects the following files: C:\Windows\explorer.exe C:\Windows\system32\dllcache\explorer.exe The Company Name of both explorer.exe files was: Belkin Corporation The MD5 hash value of both explorer.exe files was: cc3031638f4aef9c8d4062bb3103140b (VT) This trojan prevents you from doing anything in both Safe Mode and Normal Mode

Windows Functionality Checker (FakeAV) bundled with ZeroAccess (Rootkit) - 02.23.2012 - Analysis and Removal

2012-02-23T16:19:00.012-06:00

This was performed on a virtual machine __________________________________________________________________________________ Looks very similar to Security Antivirus. It definitely packs more of a punch though and I'm not just referring to the ZeroAccess rootkit that was bundled in the sample I ran. Instead of modifying the hosts file, it creates hundreds (700+) of bad entries in this key:

Security Scanner 2012 (FakeAV) - 02.23.2012 - Analysis and Removal

2012-02-23T03:13:00.004-06:00

This was performed on a virtual machine__________________________________________________________________________________Much like Security Shield 2011, upon first injection, you will be notified that the " has been installed successfully!". Does not matter if you press X or OK, you are already infected and the Fake AV will start automatically "scanning" your system._____________

Internet Security (FakeAV) - 02.23.2012 - Analysis and Removal

2012-02-23T02:28:00.005-06:00

This was performed on a virtual machine__________________________________________________________________________________ This one is very similar to Privacy Protection. This entire infection, minus any potential bundled rootkits is all tied into a single bad .exe (isecurity.exe) in the %allusersprofile% directory. _________________________________________________________________________________

ZeroAccess Authors Are Now Faking Company Name: Oak Technology Inc.

2012-02-18T15:52:00.007-06:00

First, I should mention that, Oak Technology Inc is a legitimate company that designs, develops, and markets high-performance multimedia semiconductors and related software to original equipment manufacturers worldwide who serve the multimedia PC, digital video consumer electronics, and digital office equipment markets. For more information, read here: Wiki Similar to how many malware authors

Max++ / Sirefef / ZeroAccess Rootkit Analysis and Full Removal Procedure by Thisisu - Volume IV

2012-02-11T14:10:00.001-06:00

Hello, Yesterday when I was only looking for FakeAVs to analyze, I ended up getting a surprise which was a ZeroAccess rootkit. After months of purposely trying to infect a virtual machine with this rootkit (so I didn't have to keep infecting my own live computer with it for analysis purposes), I had pretty much convinced myself that every ZeroAccess dropper had some sort of anti "VMdetect" code

Security Monitor 2012 (FakeAV) - 02.09.2012 - Analysis and Removal

2012-02-09T02:08:00.003-06:00

This was performed on a virtual machine__________________________________________________________________________________ MBAM Registry Keys Detected: 1HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Security Monitor 2012 (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Values Detected: 1 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|jo50nluvu7bb (

Smart Protection 2012 (FakeAV) - 02.08.2012 - Analysis and Removal

2012-02-08T13:03:00.008-06:00

This was performed on a virtual machine I found this one very similar to Security Sphere 2012. Full report with video here. Upon infection, the screen above appears and starts to "scan" your system automatically. Whenever the "scan" is finished, the screenshot to the right will appear. These are all fake notices that your PC is infected as Smart Protection 2012 is not legitimate to begin with.A

Internet Defender (FakeAV) - 02.05.2012 - Analysis and Removal

2012-02-05T03:47:00.002-06:00

This was performed on a virtual machine Here is what you may receive before actually getting infected. A warning message similar to the following: Pressing OK prompts you download and run a suspicious .exe file. In my case it was "SETUP_SECURITY_DEFENDER_704[1].EXE". This is your last chance to avoid getting infected. If you choose OK, Internet Defender starts scanning your PC and falsely

XP Antispyware 2012 (FakeAV) - 01.20.2012 - Analysis and Removal

2012-01-20T20:38:00.001-06:00

This was performed on a live (not Virtual) machine. Important to note that this particular machine came with two different FakeAVs: XP Antispyware 2012 and System Check which I've covered earlier here.__________________________________________________________________________________ RogueKiller ¤¤¤ Bad processes: 4 ¤¤¤ [WINDOW : System Check] aG6mmkUgRr179B.exe -- C:\Documents and Settings

System Check (FakeAV) - 01.17.2012 - Analysis and Removal

2012-01-17T21:09:00.006-06:00

This was performed on a live (not Virtual) machine. It's important to note that this particular computer was not booting properly when I first received it. Most likely it was due to the rootkit present (Virus.Win32.Rloader.a) and not the FakeAV as has been the case with other PCs with this type of infection. After booting off a Windows 7 RE disc and performing a sfc /scannow while offline (sfc /

Vista Security 2012 (FakeAV) - 01.10.2012 - Analysis and Removal

2012-01-10T20:08:00.005-06:00

This was performed on a live (not Virtual) machine. Here is what was loaded when I first turned on the computer in Normal Mode. Lots of pop-ups as you see, this one was a bit more aggressive than some of the others I've seen. On top of it all I would get constant application errors regarding Norton Antivirus. ZeroAccess rootkit had a snack ;-) Here is the screen you will be brought to if

How To: Use Kaspersky Rescue Disk To Scan and Remove Malware

2012-01-08T04:23:00.001-06:00

Kaspersky Rescue Disk 10 can be downloaded hereOnly to be used in extreme cases where normal malware methods are not working You have to press any key on the keyboard in order to continue using the Kaspersky Rescue Disk. Choose your language. English is the default selected language. Press Enter to make your selection. Press Enter for "Graphic Mode". Please be patient,

How To: Use GParted To Remove Hidden TDL4 Partition

2012-01-08T03:09:00.008-06:00

These are based on the original instructions I created for a user on November 17th 2011, when we first started seeing this types of infections on the Malware Removal forums at MajorGeeks. For those that do not know about the latest TDL4 infections, more can be read at: TDL4 Infection Update Win32/Olmasco MAXSS Pihar I have updated the tutorial guide for the latest stable version of GParted

Win 7 Antispyware 2012 (FakeAV) - 01.06.2012 - Analysis and Removal

2012-01-06T20:05:00.002-06:00

This was performed on a live (not Virtual) machine. I just happened to open the Action Center and noticed the below screenshot which I thought was interesting, but probably not anything new. RogueKiller ¤¤¤ Bad processes: 1 ¤¤¤ [SUSP PATH] Smad.exe -- C:\Users\Steve\AppData\Local\SanctionedMedia\Smad\Smad.exe -> KILLED [TermProc] ¤¤¤ Registry Entries: 17 ¤¤¤ [SUSP PATH] HKCU\[...]\

System Fix (FakeAV) - 12.19.2011 - Analysis and Removal

2011-12-19T20:10:00.001-06:00

This was performed on a live (not Virtual) machine. RogueKiller ¤¤¤ Registry Entries: 7 ¤¤¤ [SUSP PATH] HKLM\[...]\Run : VuCWtdJYrTTuTWk.exe (C:\Documents and Settings\All Users.WINDOWS\Application Data\VuCWtdJYrTTuTWk.exe) -> DELETED [HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> DELETED [HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> REPLACED (1) [WallPP] HKCU\[

Security Shield 2011 (FakeAV) - 12.17.2011 - Analysis and Removal

2011-12-17T19:38:00.001-06:00

This was performed on a live (not Virtual) machine. RogueKiller ¤¤¤ Bad processes: 1 ¤¤¤ [SUSP PATH] uijultenx.exe -- C:\DOCUME~1\BFF093~1.MAU\LOCALS~1\APPLIC~1\uijultenx.exe -> KILLED [TermProc] ¤¤¤ Registry Entries: 3 ¤¤¤ [SUSP PATH] HKCU\[...]\Run : cdloader ("C:\Documents and Settings\B.F. Maupin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK) -> FOUND [SUSP PATH] HKUS\S-1-5-21

Windows 7 Internet Security 2012 (FakeAV) -- The Aftermath...

2011-12-15T03:16:00.000-06:00

This article also applies to Windows 7 AntiSpyware 2012 These particular FakeAVs aim to break the Windows 7 Firewall as well as attempting to scam you for your financial information -- and they are very successful. Earlier this week at work, I had the pleasure of working on a PC with this infection. I had known before hand that the Firewall would have been compromised; and it was. First I

Protection Center (FakeAV) - 11.19.2011 - Analysis and Removal

2011-11-19T00:49:00.000-06:00

====notes==== First it messes with the .exe file association so that you won't be able to run programs. There's .inf and .reg patches to fix this. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 Folders Infected: c:\program files\protection

System Restore v1.1 (FakeAV) - 11.12.2011 - Analysis and Removal

2011-11-12T01:32:00.000-06:00

====notes==== JGFMXz1Ipf65 and JGFMXz1Ipf65.exe in %CommonAppData% "System Restore" entry in the start menu and an icon on the desktop. Mostly likely will need to make use of TDSSKiller as appears it installs a TDLFS and Rookit.Boot.SST.b which causes browser redirects. ====music==== Funf D - Counted

Dorkbot (Worm) - 11.10.2011 - Analysis and Removal

2011-11-10T01:32:00.000-06:00

====notes==== Creates a heh.cmd file with the following commands: ping -n 15 127.0.0.1 taskkill /f /im gagajeje.exe taskkill /f /im marcia.exe taskkill /f /im hula.exe taskkill /f /im official27.exe taskkill /f /im ev0ga.exe ping -n 15 127.0.0.1 ev0ga.exe Creates the following files in user's %appdata%: 13.exe, 14.exe, 15.exe, 16.tmp, 17.exe, Ahiaia.exe. Creates "kakao2" folder in user %appdata

Privacy Protection (FakeAV) - 11.05.2011 - Analysis and Removal

2011-11-04T23:47:00.000-06:00

"Privacy Protection" is a fake AV in the same category as "Cloud Protection". Most likely will come bundled with a newer variant of the Max++/Sirefef/ZeroAccess rootkit Audio: Those Two Guys - 33 Rev (Blake Jarrell and Starkid Mix)

System Security 2011 (FakeAV) - 11.01.2011 - Analysis and Removal

2011-11-01T19:09:00.000-06:00

Performed on a Virtual Machine.

TDL4 (Rootkit) - 10.29.2011 - Analysis and Removal

2011-10-29T16:15:00.000-05:00

TDL4

System Restore (FakeAV) - 10.26.2011 - Analysis and Removal

2011-10-26T16:27:00.000-05:00

This was performed on a Virtual Machine. The infection places the hidden attribute on the entire OS drive.

Security AntiVirus (FakeAV) - 10.22.2011 - Analysis and Removal

2011-10-23T19:32:00.001-05:00

This was performed on a Virtual Machine. Modifies host file Some obvious traces missed by MBAM shown.

Security Sphere 2012 (FakeAV) - 10.22.2011 - Analysis and Removal

2011-10-23T19:31:00.001-05:00

This was performed on a Virtual Machine.

Zentom System Guard (FakeAV) - 10.20.2011 - Analysis and Removal

2011-10-23T19:30:00.000-05:00

This was done on a Virtual Machine on 10.20.2011 Possibly included a ZeroAccess driver if it were not for me being on a VM. Did not find the random RunOnce registry .exe spawns like I wanted to analyze.

Max++/Sirefef/ZeroAccess Rootkit Analysis . Volume III

2011-10-23T19:29:00.000-05:00

Testing ESET's removal tool for this infection. Results shown.

Max++/Sirefef/ZeroAccess Rootkit Analysis . Volume II

2011-10-23T19:27:00.000-05:00

Max++/Sirefef/ZeroAccess Rootkit Analysis

2011-10-23T19:26:00.000-05:00

September 2011 max++/sirefef/zaccess sample used. ComboFix did warn that TCP/IP was infected as well but I didn't capture that footage unfortunately. The video program I was using must have closed. The same happened when I was testing RKill and RogueKiller. Both were unsuccessful. Prior to removing any components of infection, here are the results of various tools: webroot's antiza tool