Softpanorama


Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80. October, 2013



Chapter 9: Scareware -- fake antivirus programs, data recovery utilities and the like

Antivirus System Pro


Win32/WindowsAntivirusPro is rogue security software that displays deceptive information about the infected system. Similar Trojans include XP Antivirus 2012 and Dr Guard.

An interesting part of the problem with this malware is that it blocks execution of many programs, including programs you try to launch from CD/DVD, in a perfect "reverse antivirus" fashion :-). It also plants a fake setting in the IE proxy configuration, pointing the proxy at localhost (which means that this malware runs a proxy on the computer). In my case the port was 5555. Using this port you can find out which program is acting as the proxy via netstat.

When the Windows screen first appears, hit Ctrl-Alt-Del. This gives you the Task Manager. Then search for the program whose name ends with "guard", for example xylbsguard.exe, and kill it.

Once you have stopped this program, combine the Microsoft Security Essentials tool (the free AV tool from Microsoft) with some more specific tool. For example, the removal instructions in Remove Antivirus System Pro (Uninstall Guide) recommend the program Malwarebytes' Anti-Malware. It works OK but, like a virus, is difficult to remove ;-)

The key here is to understand that you are probably dealing with a combination of infections, of which Antivirus Pro is just one component, injected when you hit some rogue Web site (often of Eastern European origin). Additional components might include Alureon.F, Hotbar, Renos.KS, Renos.JW, Bravine.A, etc. Of them, Alureon looks pretty disturbing:

Win32/Alureon is a family of data-stealing Trojans. These Trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon Trojan may also allow an attacker to transmit malicious data to the infected computer. The Trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the Trojan is removed from the computer.

Antivirus Pro installs a proxy on the computer; after killing the *guard.exe process in memory you can run AV programs from a CD.
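To make the netstat check above concrete, here is an added example (not code from the original page) that runs the same logic over constructed `netstat -ano` and `tasklist` output: it finds which PID listens on the local proxy port and whether that image name ends in guard.exe. The process names, PIDs, addresses and the port 5555 in the samples are constructed for the example.

```python
import re

# Constructed sample output in the format of `netstat -ano` and `tasklist` on
# Windows XP; process names, PIDs and addresses are invented for this example.
NETSTAT_SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    127.0.0.1:5555         0.0.0.0:0              LISTENING       1844
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     1844
"""
TASKLIST_SAMPLE = """Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    932 Console                    0      4,212 K
xylbsguard.exe                1844 Console                    0      6,540 K
explorer.exe                  1612 Console                    0     21,008 K
"""

def listening_pids(netstat_text, port):
    """PIDs of TCP sockets LISTENING on `port`, bound to loopback or all interfaces."""
    pids = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            host, _, local_port = parts[1].rpartition(":")
            if local_port == str(port) and host in ("127.0.0.1", "0.0.0.0"):
                pids.add(int(parts[4]))
    return pids

def process_names(tasklist_text):
    """Map PID -> image name from `tasklist` output (image names ending in .exe)."""
    names = {}
    for line in tasklist_text.splitlines():
        m = re.match(r"^(\S.*?\.exe)\s+(\d+)\s", line, re.IGNORECASE)
        if m:
            names[int(m.group(2))] = m.group(1)
    return names

def find_proxy_process(netstat_text, tasklist_text, port=5555):
    """(pid, image name, name ends in guard.exe) for each owner of the proxy port."""
    names = process_names(tasklist_text)
    return [(pid, names.get(pid, "<unknown>"),
             names.get(pid, "").lower().endswith("guard.exe"))
            for pid in sorted(listening_pids(netstat_text, port))]
```

On a live system, feed it the captured output of `netstat -ano` and `tasklist`; the port to look for is the one in the IE proxy setting (the ProxyServer value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings).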

Of course, restoring from a clean Ghost or Maxblast/Acronis True Image image is a better way to spend your time than playing Sherlock Holmes with some unknown, probably Eastern European, jerks.

Good analysis can be found at:

  1. Encyclopedia entry TrojanWin32-FakeScanti - Learn more about malware - Microsoft Malware Protection Center
  2. Win32-WindowsAntivirusPro Family - CA

It looks like, with signature files dated after February 2012, Microsoft Windows Defender and Microsoft Security Essentials are effective against this malware too.



Old News ;-)

Win32-WindowsAntivirusPro Family - CA

Date Published: 21 Aug 2009

Last Updated: 23 Aug 2009

Characteristics

Description

Win32/WindowsAntivirusPro is rogue security software that displays deceptive information about the infected system. It also blocks access to the infected system by terminating processes not included in its predefined list. This trojan is commonly known as "Windows Antivirus Pro".

Method of Infection

To the unsuspecting user, Windows Antivirus Pro appears to be a legitimate program. The image below shows its Graphical User Interface.

Upon execution, Win32/WindowsAntivirusPro drops the following component files:

%System%\dddesot.dll
%System%\desot.exe
%System%\bennuar.old
%System%\sysnet.dat
%Windows%\svchast.exe
%Windows%\ppp3.dat
%Windows%\ppp4.dat
<Path trojan is executed from>\tmp\dbsinit.exe
<Path trojan is executed from>\tmp\images

It also registers its component file SVCHAST.EXE as a service named "AntipPro2009_12":

HKLM\SYSTEM\CurrentControlSet\Services\AntipPro2009_12\Type = dword:00000010
HKLM\SYSTEM\CurrentControlSet\Services\AntipPro2009_12\Start = dword:00000002
HKLM\SYSTEM\CurrentControlSet\Services\AntipPro2009_12\ErrorControl = dword:00000001
HKLM\SYSTEM\CurrentControlSet\Services\AntipPro2009_12\ImagePath = %Windows%\svchast.exe
HKLM\SYSTEM\CurrentControlSet\Services\AntipPro2009_12\DisplayName ="AntipyPro_12"
HKLM\SYSTEM\CurrentControlSet\Services\AntipPro2009_12\ObjectName = "LocalSystem"

Notes: %Windows% and %System% are variable locations.

The malware determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95,98 and ME is C:\Windows; and for XP is C:\Windows. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME is C:\Windows\System; and for XP and Vista is C:\Windows\System32.

The component file DESOT.EXE is used to intercept executable files run on the system. Win32/WindowsAntivirusPro adds the registry keys below to monitor these files:

HKCR\exefile\shell\open\command\@=%system%\desot.exe "%1" %*"
HKLM\SOFTWARE\Classes\exefile\shell\open\command\@=%system%\desot.exe "%1" %*"

It also creates the following registry key as part of its installation:

HKCU\Software\Windows Antivirus Pro

Payload

Blocks Execution of Programs

The component file DESOT.EXE only allows the following files to be executed:

Adds Browser Helper Object

In order to monitor internet browsing activity of the user, Win32/WindowsAntivirusPro registers a component file as a Browser Helper Object (BHO). It adds the following registry keys and names the malicious component "ICQSys (IE PlugIn)":

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212}
HKCR\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\@="ICQSys (IE PlugIn)"
HKCR\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\@="%system%\dddesot.dll"
HKLM\SOFTWARE\Classes\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\@="ICQSys (IE PlugIn)"
HKLM\SOFTWARE\Classes\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\@="%system%\dddesot.dll"

Displays Fake Warnings

Win32/WindowsAntivirusPro displays the following fake warnings on the infected system.


Creates Mutex

Win32/WindowsAntivirusPro creates the mutex "234sdfsfsdf___sys23".

Connects to Domains

It connects to any of the following domains:


Analysis by Zarestel Ferrer
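As an added example (not part of the CA entry or of this page), the registry indicators listed in the analysis above can be checked offline against a `reg export` of a suspect machine. The parser below reads a constructed .reg excerpt built from the keys in the entry and flags the exefile handler hijack, the BHO CLSID and the AntipPro2009_12 service; the C:\WINDOWS paths in the sample stand in for %Windows% and %System% and are constructed.

```python
# Constructed excerpt in the format of a `reg export` (.reg) file, assembled from
# the keys the CA analysis lists; C:\WINDOWS paths stand in for %Windows%/%System%.
REG_EXPORT_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desot.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212}]

[HKEY_CLASSES_ROOT\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32]
@="C:\\WINDOWS\\system32\\dddesot.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPro2009_12]
"ImagePath"="C:\\WINDOWS\\svchast.exe"
'''

CLEAN_EXE_COMMAND = '"%1" %*'   # default exefile handler: run the file itself with its arguments
BHO_CLSID = "{F54AF7DE-6038-4026-8433-CC30E3F17212}"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPro2009_12"

def parse_reg_export(text):
    """Minimal .reg parser: {key path: {value name: raw value text}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys

def reg_string(raw):
    """Decode a quoted .reg string value (strip quotes, unescape backslash-quote and double backslash)."""
    return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")

def find_indicators(keys):
    """Flag the three persistence mechanisms the CA analysis describes."""
    findings = []
    exe = keys.get(r"HKEY_CLASSES_ROOT\exefile\shell\open\command", {}).get("@")
    if exe is not None and reg_string(exe) != CLEAN_EXE_COMMAND:
        findings.append("exefile handler hijacked: " + reg_string(exe))
    bho = [path for path in keys if BHO_CLSID in path]
    if bho:
        findings.append("BHO CLSID registered at " + bho[0])
    if SERVICE_KEY in keys:
        image = reg_string(keys[SERVICE_KEY].get("ImagePath", '""'))
        findings.append("service AntipPro2009_12 present, ImagePath=" + image)
    return findings
```

The exefile check is the one worth keeping after cleanup: a clean system has `"%1" %*` there, and anything else in that value means every .exe launch still passes through another program.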


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

Last modified: May 08, 2017