Tuesday, December 8, 2009

Online Video leads to FakeAV malware.

I just found a popular FakeAV malware sample on a certain site while browsing and searching for some anime series on the internet. When you visit the host site of the FakeAV malware, it prompts you to install a fake Video ActiveX Object.


Clicking the Continue button downloads the FakeAV malware, which arrives with the filename "install.exe".
File information:
Filename: install.exe
File size: 1,255,489 bytes
MD5: 6D4DCF6FAC03E32D6C26A8AF7FC9A060
SHA1: 9A45F91A2DDCD295472736E3C4B5C5F17541CF67
CRC-32: 372C2196

Once you download and execute install.exe from the said site, it pops up the following message box:


During execution, this FakeAV malware creates a folder with a random name under the following directory:
%root%:\Documents and Settings\All Users\Application Data\

It then drops a copy of itself, with a random filename, into the newly created folder.
(example: C:\Documents and Settings\All Users\Application Data\23572019\23572019.exe)

Then it creates the following autostart registry entry so the dropped copy runs at every boot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%random% = "%FakeAV path and Filename%"
(example: 23572019 = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\23572019\23572019.exe")

It also creates the following registry key and value, apparently as an infection marker:
HKEY_LOCAL_MACHINE\SOFTWARE\%random%
FirstRun = hex:%random%

This FakeAV malware then displays a fake scan by a bogus "Security Tool" window.


If you close the fake Security Tool window, it displays a message from an icon in the taskbar.


Once the fake scan finishes, it displays a window claiming that your system is infected with several pieces of malware.


Clicking "Remove all threats now" displays a window asking you to activate this fake Security Tool.


If you click to activate this fake Security Tool, it connects to one of the following sites to display a payment page for activating the fake Security Tool:
1. hxxp://invoicefish.com/buy2.php?affid=33220
2. hxxp://invoiceerica.com/buy2.php?affid=33220




Providing your credit card information on that page is the same as handing it directly to the hacker.

Additional behavior
This FakeAV malware is also capable of dropping a shortcut on the Windows desktop with the filename "Security Tool.lnk". This shortcut points to the dropped malware file.

It also renames the following registry value to change the wallpaper of the infected machine:

HKEY_CURRENT_USER\Control Panel\Desktop
From: Wallpaper
To: _Wallpaper
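
The host artifacts described above (the numeric autostart value under Run pointing into All Users\Application Data, the matching HKLM\SOFTWARE\<number> key with FirstRun, and the renamed _Wallpaper value) can be checked for in an exported registry listing. The following is an added example of such a check; it is not code from the original post, the registry values are constructed to mirror the example in the post, and the 8.3 short-path form is assumed to be the one the Run value may use.

```python
import re

# Constructed sample of exported registry values from a hypothetical infected
# Windows XP machine: (key, value name, data). The 23572019 entries mirror the
# post's example; ctfmon.exe is a benign control entry.
SAMPLE_VALUES = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "23572019", r"C:\DOCUME~1\ALLUSE~1\APPLIC~1\23572019\23572019.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\23572019", "FirstRun", "hex:8a,1f"),
    (r"HKEY_CURRENT_USER\Control Panel\Desktop", "_Wallpaper",
     r"C:\Documents and Settings\user\My Documents\beach.bmp"),
]

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Matches <digits>\<digits>.exe under All Users\Application Data, in either
# the long form or the DOS 8.3 short form seen in the post's Run value.
APPDATA_RE = re.compile(
    r"^[A-Z]:\\(DOCUME~1\\ALLUSE~1\\APPLIC~1|"
    r"Documents and Settings\\All Users\\Application Data)"
    r"\\(?P<dir>\d+)\\(?P<file>\d+)\.exe$", re.IGNORECASE)


def find_fakeav_indicators(values):
    """Return human-readable findings for the post's registry indicators."""
    findings = []
    marker_dirs = set()
    # Pass 1: numeric Run values whose data points into the dropped folder.
    for key, name, data in values:
        if key.lower() != RUN_KEY.lower() or not name.isdigit():
            continue
        m = APPDATA_RE.match(data)
        if m:
            marker_dirs.add(m.group("dir"))
            findings.append(f"autostart {name} -> {data}")
    # Pass 2: the HKLM\SOFTWARE\<number>\FirstRun marker tied to that folder,
    # and the wallpaper value renamed from Wallpaper to _Wallpaper.
    for key, name, data in values:
        parent, _, leaf = key.rpartition("\\")
        if (parent.lower() == r"hkey_local_machine\software"
                and leaf in marker_dirs and name == "FirstRun"):
            findings.append(f"marker {key}\\FirstRun = {data}")
        if (key.lower() == r"hkey_current_user\control panel\desktop"
                and name == "_Wallpaper"):
            findings.append(f"wallpaper value renamed to _Wallpaper ({data})")
    return findings


if __name__ == "__main__":
    for finding in find_fakeav_indicators(SAMPLE_VALUES):
        print(finding)
```

On a live machine the same three checks can be run against the real keys (for example from a `reg export` of HKLM\SOFTWARE and HKCU\Control Panel\Desktop), with the numeric Run value being the strongest single indicator.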

It is also capable of connecting to the following site:
hxxp://yourprotectiongroup.com/in.php?affid=33220&url=5&win=%windows version%+%FakeAVversion%

where %windows version% is one of the following, depending on the affected system:
- Unknown
- Windows NT 3
- Windows NT 4
- Windows 95
- Windows 98
- Windows ME
- Windows 2000
- Windows XP
- Windows 2003
- Windows Vista
- Windows Seven


Connecting to that site reports the Windows version and the installed FakeAV version of the affected system to the malicious site. As of this writing (12/9/2009), in.php contains code that may update the FakeAV malware by downloading a copy from the following site:
hxxp://yourprotectiongroup.com/downloader.php?affid=00000

It also contains code that may display another fake infection report.



This is a technique the malware writers use to harvest your user and credit card information.
Also, as of this writing (12/8/2009), the FakeAV sample I found is not yet detected by most legitimate antivirus software (please click the image below). So beware.

Click here for the original scan result

[12/9/2009 update]
Another downloaded file that is not yet detected by most legitimate antivirus software:
File information:
Filename: install.exe
File size: 1,256,001 bytes
MD5: A8005F760480B1B7F20D2EEC30C7FF80
SHA1: 9DFC5084A749210FD76840DE49C376517FC34543
CRC-32: 7B203701

Click here for the scan result.
