We've got FakeAV during Christmas

Just found another popular FakeAV malware that is not yet detected by most AV vendors.

File information:
Filename: Start.exe
File size: 250,624 bytes
MD5: A0B4084581CD7C00C078532201CA1A14
SHA1: BD040DA889DA8333AE66C60B48B3E2951066834C
CRC-32: 4379A7A9

Upon execution, this FakeAV malware creates a random folder in Application Data folder of the current user, then it drops a copy of itself to the created random folder using a filename with 4 random characters plus the name "sysguard.exe"
Example: C:\Documents and Settings\winuser\Local Settings\Application Data\cdauwq\hfbesysguard.exe

It creates the following autostart registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{random characters} = {Malware dropped path and filename}

example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
bryeqfww = "C:\Documents and Settings\winuser\Local Settings\Application Data\cdauwq\hfbesysguard.exe"

This malware will then display the following message from windows taskbar.


It will then display a fake Antivirus software scanning in the affected computer.


It also displays a warning message indicating that the affected computer is infected.


Clicking the button "Yes, remove threats" will display the following


Clicking on the "Activate your Antivirus Software" will open an internet explorer that leads to the following url that makes you order the Fake Antivirus using a credit card transaction:
hxxp://platinum-soft.net/purchase?r=%Version%

note: %Version% is the version of the FakeAV malware.


This malware may also display the following image:



This malware is capable of stopping and terminating processes that is executed in the affected computer. Once the user executed any file, it will display a message indicating that process is infected.


This malware may open Internet Explorer to visit 1 of the following url:
-platinum-soft.net
-platinum-soft.microsoft.com
-91.212.127.236
-193.169.13.12
-www.viagra.com
-www.porno.org
-www.porno.com
-www.adult.com

This FakeAV malware also capable of removing files, services, registries and processes which are related to real malwares.
It kills processes and delete its file that contains the following process names:
pp1_.exe
ld__.exe
freddy__.exe
SYSDLL.exe
%sysroot%\DSSAGENT.EXE
regsvr32.exe
dhcp\svchost.exe
regsvr32.exe
dhcp\svchost.exe
%System%\sopidkc.exe
reader_s.exe
antit.exe
Temp\spoolsv.exe
Temp\csrss.exe
Temp\services.exe
nksmnz.exe
CSmileysIM
xpdeluxe.exe
fbtre_.exe
fbtre__.exe
mstre__.exe
mstre_.exe
braviax.exe
AntiVirus_Pro.exe
pav.exe
NetFilter.exe
gamevance32.exe
wmsdkns.exe
gav.exe
SiteRankTray.exe
RegMech.exe
pctsGui.exe
pctsTray.exe
pctsAuxs.exe
WindOptimizer.exe
mdmcls32.exe
cfgmng32.exe
hpoopm__.exe
m3SrchMn.exe
mwsoemon.exe
ALCXMNTR.EXE
PC_Antispyware2010.exe
gamevance32.exe
gamevance32.exe
psystem.exe
tsc.exe
AntivirusPro_2010.exe
rlvknlg.exe

Removing the following services:
dhcpsrv
sopidkc
pctsSvc.exe
sdAuxService
sdAuxService
sdCoreService
websrvx.exe
MyWebSearchService
mwssvc.exe
WinSvchostManager

deletes the following files:
%Startup folder%\ChkDisk.dll
%Startup folder%\ChkDisk.lnk
MWSOEMON.EXE
%System%\wmsdkns.exe

Deletes the following registry key:
HKLM\SOFTWARE\AntivirusPro_2010

deletes the following registry values:
HKCU\Control Panel\dont load "scui.cpl"
HKCU\Control Panel\dont load "wscui.cpl"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"

Removes Browser Helper Object (BHO) with following CLSIDs:
{00000250-0320-4dd4-be4f-7566d2314352}
{00A6FAF1-072E-44cf-8957-5838F569A31D}
{07B18EA1-A523-4961-B6BB-170DE4475CCA}
{100EB1FD-D03E-47FD-81F3-EE91287F9465}
{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}
{13197ace-6851-45c3-a7ff-c281324d5489}
{15421B84-3488-49A7-AD18-CBF84A3EFAF6}
{15651c7c-e812-44a2-a9ac-b467a2233e7d}
{2BA1C226-EC1B-4471-A65F-D0688AC6EE3A}
{332BE9D8-025A-452e-BF78-A077F9D3F84A}
{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}
{38101cce-5999-48eb-815b-d942e1f715c6}
{3937DEA7-2769-ADDF-B533-20E7D249A547}
{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
{4e1075f4-eec4-4a86-add7-cd5f52858c31}
{4E3A97D3-9F15-4067-D0F9-241CC9CC9541}
{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}
{500BCA15-57A7-4eaf-8143-8C619470B13D}
{547395D9-934A-CED6-B851-F238C86079E5}
{549B5CA7-4A86-11D7-A4DF-000874180BB3}
{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}
{5C255C8A-E604-49b4-9D64-90988571CECB}
{5dafd089-24b1-4c5e-bd42-8ca72550717b}
{5E5EFA8F-9F53-418E-B78E-44866667A404}
{5fa6752a-c4a0-4222-88c2-928ae5ab4966}
{622cc208-b014-4fe0-801b-874a5e5e403a}
{63F7460B-C831-4142-A4AA-5EC303EC4343}
{6c517f1e-249d-b518-be84-9995ecc10183}
{70FEAD04-A7FD-4B89-B814-8A8251C90EF7}
{7E853D72-626A-48EC-A868-BA8D5E23E045}
{85661731-3340-E784-488A-D053E986CF73}
{8674aea0-9d3d-11d9-99dc-00600f9a01f1}
{873D5AB4-47F5-401F-B9E0-B14A65D2BB53}
{965a592f-8efa-4250-8630-7960230792f1}
{9c5b2f29-1f46-4639-a6b4-828942301d3e}
{A3BC75A2-1F87-4686-AA43-5347D756017C}
{A57EE9D7-0534-496A-B2B0-E95866D0C1B0}
{A7327C09-B521-4EDB-8509-7D2660C9EC98}
{A77D3539-581D-450C-9E44-A84C415A6172}
{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}
{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
{B49699FC-1665-4414-A1CB-C4A2A4A13EEC}
{C5428486-50A0-4a02-9D20-520B59A9F9B2}
{C5428486-50A0-4a02-9D20-520B59A9F9B3}
{c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
{cf021f40-3e14-23a5-cba2-717765728274}
{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}
{fc3a74e5-f281-4f10-ae1e-733078684f3c}
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
{ffff0001-0002-101a-a3c9-08002b2f49fb}
{02478D38-C3F9-4efb-9B51-7695ECA05670}
{35B8D58C-B0CB-46b0-BA64-05B3804E4E86}
{CDBFB47B-58A8-4111-BF95-06178DCE326D}
{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
{07B18EA9-A523-4961-B6BB-170DE4475CCA}
{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}
{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}
{BEAC7DC8-E106-4C6A-931E-5A42E7362883}
{CB0D163C-E9F4-4236-9496-0597E24B23A5}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{F64619FF-E19F-4016-BF9C-147CFF821B46}
{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}
{201f27d4-3704-41d6-89c1-aa35e39143ed}
{ee57e883-3ec3-b6db-9f84-3122750c3c02}
{20c3c057-2213-48f9-bd6b-3ce3388e75ee}
{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
{CC3CD2A8-2892-4CC4-A30F-E25921AC65C0}
{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
{5CA3D70E-1895-11CF-8E15-001234567890}
{BA603215-23F2-42AD-F4E4-00AAC39CAA53}
{E8DAAA30-6CAA-4b58-9603-8E54238219E2}
{21608B66-026F-4DCB-9244-0DACA328DCED}
{A5DBD8CB-DF8A-4992-A655-B155216F6AFB}
{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}
{3041d03e-fd4b-44e0-b742-2d9b88305f98}


Although this FakeAV malware has capabilities to remove real malwares (which a real Antivirus capabilities), it still poses a fake infection report to the affected computer and asking the user to buy the software product to remove the threats in which may only expose Personal and Credit Card information to the malware writer.

As of this writing (12/26/2009), this FakeAV sample that was found is not yet detected by most legitimate Antivirus software (please click the image below). So beware.



Removal instructions:
1. Open the Search companion by pressing "Windows Start key+F" or Ctrl+F in my computer
2. In the search companion, click on the All files and folders
3. In the "Look in", browse for %root%\Documents and settings
4. Then click on the More advanced options and check the box "Search hidden files and folders"
5. Type the following string to the "All or part of the file name" text box:
*sysguard.exe


6. Then click search.


7. Once found, note the malware path and filename and rename the file to any filename.

8. Restart the computer (or you can logoff and logon so that services will not stop)
9. After restart (or relogon) browse for the renamed malware file, and delete it.


10. To remove the autostart registry, open registry editor or execute regedt32.exe
11. In the left panel, browse for the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
12. In the right panel, locate the data with the same as the noted malware path and filename.
13. Delete the registry value once found.