Category: Virus Alerts

Fake Antivirus case analysis

One of the earlier DHL scam campaigns spread a downloader in a zipped attachment named DHL_label_NR1156.exe.


Collected Name: DHL_label_NR1156.exe
SIZE: 41984 bytes
MD5: f71d48a86776f8c0da4d7a46257ff97c

After execution, the malware copies itself to the %system% folder as incognito.exe.

The downloader then fetches two binaries, exe0.exe and dll.dll, and installs them on the system.


Collected Name: exe0.exe
SIZE: 33280 bytes
MD5: c0ed88ccdc920a951f750c53b21996a1
Packer: Thinstall

This binary is copied to the %system% folder as smss32.exe and executed.

After execution, the wallpaper is replaced with the image shown below:
Pic01
The malware also sets the following registry policy values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoSetActiveDesktop

so the user is prevented from changing the wallpaper back, as shown in the next figure:
Pic02

After a while, a message pops up alerting the user to an infection:
Pic03

As it runs, the malware checks that smss32.exe is present in C:\Windows\system32 and adds it to the registry so that the file is executed at system start and at logon. The excerpts below show the registry changes made by the malware.
Pic04
The logon change causes an alert to be shown when userinit.exe is executed. The alert message, displayed before Windows finishes starting up, is:
Pic05
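The script below is a worked example added to this analysis, not code from the sample or from the original write-up. It triages an offline registry export for the artifacts described above: the four wallpaper-lock policy values, and the logon persistence entry. It parses the text format written by reg export. The analysis does not name the key used for the logon persistence, so checking the Winlogon Userinit value is an assumption; the sample export embedded in the script is constructed, not taken from an infected machine.

```python
"""Offline triage of a Windows .reg export for the wallpaper-lock policy
values and a Userinit persistence entry.  Added example; the export below
is constructed and the Userinit location is an assumption."""
import re

# The four policy values the sample sets (from the analysis), keyed by
# (key path as written in a .reg export, value name).
WALLPAPER_LOCK_VALUES = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoSetActiveDesktop"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop", "NoChangingWallpaper"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoActiveDesktopChanges"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer", "NoSetActiveDesktop"),
}

# Assumption: the logon persistence lives in Winlogon\Userinit.  The page
# does not name the exact key, only that userinit.exe is involved.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor' export into {key: {name: value}}.
    dword values become ints, quoted strings are unescaped, anything else
    is kept as raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1].replace("\\\\", "\\")
            else:
                keys[current][name] = data
    return keys


def find_wallpaper_locks(keys):
    """Return the (key, name) pairs from WALLPAPER_LOCK_VALUES that are set
    to a non-zero DWORD.  Key paths compare case-insensitively, as the
    registry itself does."""
    lowered = {k.lower(): v for k, v in keys.items()}
    hits = []
    for key, name in sorted(WALLPAPER_LOCK_VALUES):
        vals = lowered.get(key.lower(), {})
        if isinstance(vals.get(name), int) and vals[name] != 0:
            hits.append((key, name))
    return hits


def extra_userinit_entries(keys):
    """Return every entry in Winlogon\\Userinit other than the default
    userinit.exe; a clean machine yields an empty list."""
    lowered = {k.lower(): v for k, v in keys.items()}
    userinit = lowered.get(WINLOGON_KEY.lower(), {}).get("Userinit", "")
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT.lower()]


# Constructed sample export: three HKCU policies set, the HKLM one left at
# zero, and an extra entry appended to Userinit.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetActiveDesktop"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoSetActiveDesktop"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\smss32.exe,"
"""

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for key, name in find_wallpaper_locks(parsed):
        print("policy set:", key + "\\" + name)
    for entry in extra_userinit_entries(parsed):
        print("unexpected Userinit entry:", entry)
```

On a live machine the input can be produced with reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies policies.reg (and the matching HKLM paths); the script only reads the export, so it can be run on an analysis box.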
If the user tries to open certain applications, such as calc.exe, cmd.exe or Microsoft Word, they quit unexpectedly and the following message, indicating a loss of functionality, is shown:
Pic06

The full list of targeted applications follows:
"calc.exe"
"notepad.exe"
"control.exe"
"WINWORD.exe"
"WinRAR.exe"
"winmine.exe"
"vmware.exe"
"uTorrent.exe"
"notepad.exe"
"msconfig.exe"
"thebat.exe"
"taskmgr.exe"
"spider.exe"
"sol.exe"
"sndvol32.exe"
"Skype.exe"
"wupdmgr.exe"
"GoogleEarth.exe"
"chrome.exe"
"MsnMsgr.Exe"
"EXCEL.exe"
"WINWORD.exe"
"word.exe"
"POWERPOI.exe"
"RealPlayer.exe"
"skypePM.exe"
"regedit.exe"
"RegCloneCD.exe"
"RecordingManager.exe"
"POWERPNT.exe"
"PokerStars.exe"
"pinball.exe"
"Photoshop.exe"
"OUTLOOK.exe"
"OIS.exe"
"nfs.exe"
"NeroExpressPortable.exe"
"Nero.exe"
"MSWorks.exe"
"mspaint.exe"
"msmsgs.exe"
"msimn.exe"
"mshearts.exe"
"mplayer2.exe"
"mplay32.exe"
"moviemk.exe"
"miranda32.exe"
"Illustrator.exe"
"Icq.exe"
"hrtzzm.exe"
"GOM.exe"
"FullTiltPoker.exe"
"freecell.exe"
"shvlzm.exe"
"RWipeRun.exe"
"RwcRun.exe"
"PowerDVD.exe"
"LA.exe"
"setup_wm.exe"
"winamp.exe"
"windvd.exe"
"realplay.exe"
"WindowsAnytimeUpgradeUI.exe"
"sidebar.exe"
"tvp.exe"
"AdvancedDVDPlayer.exe"
"QuickTimePlayer.exe"
"digitaleditions.exe"
"cmd.exe"
"CloneCD.exe"
"rstrui.exe"
"AcroRd32.exe"
"wmplayer.exe"
"mplayerc.exe"
"AdvancedDVDPlayer.exe"
"QuickTimePlayer.exe"
"userinit.exe"

If no running process matches the malware's list, an error occurs:
Pic07
After the error message, the sample tries to execute two binaries in sequence: IS2010.exe and then IS15.exe.
IS15.exe creates shortcuts to a fake antivirus named Internet Security 2010. The product's homepage was used to host the binaries needed by this malware and also carried advertisements for buying the fake antivirus. The main page is shown below:
Pic08
Clicking the “Download now!” button leads to a form that asks for personal information as well as credit card details.
Pic09
The main DLL used is helper32.dll, which is the downloaded file dll.dll renamed by the malware.

The DLL component acts as a network wrapper: it filters certain URLs and redirects the user to an alert page claiming the machine is infected, which then offers the fake antivirus.

The malware hooks the following browsers:
Firefox
Internet Explorer
Flock
Opera
Safari

Below is the list of sites blocked by the malware:
facebook.com
youtube.com
myspace.com
live.com
craigslist.org
wikipedia.org
ebay.com
blogger.com
amazon.com
twitter.com
go.com
bing.com
flickr.com
wordpress.com
photobucket.com
weather.com
nytimes.com
pornhub.com
mapquest.com
foxnews.com
hulu.com
livejasmin.com
youporn.com
digg.com
adultfriendfinder.com
mywebsearch.com
rapidshare.com
redtube.com
ask.com
tube8.com
linkedin.com
thepiratebay.org
xvideos.com
godaddy.com
mozilla.com
guardian.co.uk
imageshack.us
livejournal.com
washingtonpost.com
monster.com
bbc.co.uk
bebo.com

When the victim tries to visit one of these sites, an HTML alert page is served instead of the requested one:
Pic10
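The matching rule the DLL applies is not shown in the analysis. The code below, added here as an example and not the DLL's code, reconstructs the obvious one from the blocklist: a request is redirected when its host equals a blocked domain or is a subdomain of one, so www.facebook.com and news.bbc.co.uk are caught while notfacebook.com and facebook.com.example.net are not. The suffix rule, the test URLs and the redirect description are assumptions made for the example.

```python
"""Host matching as a fake-AV network filter would do it.  Added example
reconstructing the blocking rule from the domain list above; the
suffix-match rule and the sample URLs are assumptions."""
from urllib.parse import urlsplit

# Blocklist recovered from the sample, one registrable domain per entry.
BLOCKED_DOMAINS = """facebook.com youtube.com myspace.com live.com craigslist.org
wikipedia.org ebay.com blogger.com amazon.com twitter.com go.com bing.com
flickr.com wordpress.com photobucket.com weather.com nytimes.com pornhub.com
mapquest.com foxnews.com hulu.com livejasmin.com youporn.com digg.com
adultfriendfinder.com mywebsearch.com rapidshare.com redtube.com ask.com
tube8.com linkedin.com thepiratebay.org xvideos.com godaddy.com mozilla.com
guardian.co.uk imageshack.us livejournal.com washingtonpost.com monster.com
bbc.co.uk bebo.com""".split()


def host_of(url):
    """Extract the host from a URL; tolerates bare hosts, ports and a
    trailing dot, and lower-cases the result."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def blocked_domain(url, blocked=BLOCKED_DOMAINS):
    """Return the blocked domain the URL's host falls under, or None.
    A host matches when it equals the domain or ends with '.' + domain;
    plain substring matching would wrongly catch notfacebook.com and miss
    nothing, while a missing leading dot check would let
    facebook.com.example.net through as a match."""
    host = host_of(url)
    for domain in blocked:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def filter_request(url):
    """What the wrapper does with a request: pass it through, or answer
    with the infection alert page instead (assumed redirect target)."""
    domain = blocked_domain(url)
    if domain is None:
        return ("PASS", url)
    return ("REDIRECT", "infection alert page shown for " + domain)


if __name__ == "__main__":
    # Constructed test requests.
    for url in ("http://www.facebook.com/home.php", "https://news.bbc.co.uk/",
                "youtube.com:8080", "http://facebook.com.example.net/",
                "http://notfacebook.com/", "http://www.google.com/"):
        print(filter_request(url))
```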

AVG detects all malware samples mentioned in this analysis.

(Thanks to Diego Bassani de Souza)

