Softpanorama


Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80, October 2013



Chapter 9: Scareware -- fake antivirus programs, data recovery utilities and the like

XP Antivirus 2012


This malware is a variant of the extortion business pioneered by Antivirus System Pro and XP Antivirus 2008.

It redefines the handler for the .exe extension so that the malware runs before any program you launch, which serves well enough as a way of starting the rogue. The method also has a nasty side effect: if you delete the malware's "exe handler" registry entries without restoring the defaults, you can no longer launch programs directly (you can still do it via Run As). For many entry-level users who read about this malware on a Web site and tried to get rid of it using the instructions given, that was a pretty nasty surprise.

One slick trick you can use is to register the malware using the license numbers published on some AV sites. If that works, it disables the annoying screens that try to scare you with all those non-existent infections your PC supposedly has. Many sites suggest that after registration you can delete the registry entries that redefine the EXE handler. In my experience the latest versions of the malware modify the login process to block this path, but you can try. Also, these redefinitions exist in half a dozen places, including the entries for IE and Firefox (which are able to execute files too), so you need to be careful going down this "disinfection" path.

Again, it does not make sense to study this rogue program in more detail: restoring the image of the C: drive from backup is a much more efficient solution that can be carried out faster (in less than an hour) and does not depend on the particular malware you are dealing with.

To speed up such recovery you can adopt a dual-partition Windows configuration and move your My Documents folder to the second (i.e. D:) partition.

Here are some interesting tidbits of the registry entries involved (from Remove XP Security 2012, removal instructions):

Delete registry values:
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1' 

Please note that this spyware evolves and the variant you got infected with might be slightly different (the name of the executable is three random letters, so in no way can you rely on finding kdn.exe as in the example above).
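As an added example (not from the page or from the removal instructions it cites), here is an offline checker for these indicators: it parses a registry export written by `reg export` and flags an .exe handler that is not the stock `"%1" %*`, browser launch commands routed through another executable, and the Security Center override values. The export text embedded in it is constructed from the entries above, and the list of keys it inspects is an assumption about where the hijack lands.

```python
"""Offline checker for the .exe handler hijack described above.

Input is the text written by `reg export <key> <file.reg>` (assumed: standard
"Windows Registry Editor Version 5.00" format with REG_SZ and dword values).
It flags .exe/exefile handlers that are not the stock  "%1" %*  (the rogue
inserts its own launcher), browser StartMenuInternet commands routed through
another executable, and Security Center AntiVirusOverride/FirewallOverride = 1.
"""
import re

DEFAULT_EXE_COMMAND = '"%1" %*'

# Keys where the hijack lands (assumed list; on a clean system the two
# .exe\shell\open\command keys normally do not exist at all).
EXE_HANDLER_KEYS = (
    r"HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command",
    r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command",
    r"HKEY_CLASSES_ROOT\.exe\shell\open\command",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
)
SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
# matches ...\Clients\StartMenuInternet\<BROWSER.EXE>\shell\<verb>\command
BROWSER_KEY_RE = re.compile(
    r"\\Clients\\StartMenuInternet\\([^\\]+)\\shell\\[^\\]+\\command$", re.IGNORECASE)


def _decode_value(raw):
    """Decode one .reg value: a quoted string (backslash escapes) or dword:hex."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) and other types are left undecoded


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; the default value is named '(Default)'."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line[0] == ";":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip().strip('"')
            keys[current][name] = _decode_value(raw)
    return keys


def first_executable(command):
    """The program a shell command line launches: its first, possibly quoted, token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def scan_reg_export(text):
    """Return (key, reason, value) findings for the hijack indicators in a .reg export."""
    keys = parse_reg_export(text)
    findings = []
    for key in EXE_HANDLER_KEYS:
        cmd = keys.get(key, {}).get("(Default)")
        if isinstance(cmd, str) and cmd != DEFAULT_EXE_COMMAND:
            findings.append((key, "exe handler replaced by " + first_executable(cmd), cmd))
    for key, values in keys.items():
        match = BROWSER_KEY_RE.search(key)
        cmd = values.get("(Default)")
        if match and isinstance(cmd, str):
            if not first_executable(cmd).lower().endswith(match.group(1).lower()):
                findings.append((key, "browser launch routed through " + first_executable(cmd), cmd))
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if keys.get(SECURITY_CENTER_KEY, {}).get(name) == 1:
            findings.append((SECURITY_CENTER_KEY, name + " set to 1 (Security Center alert silenced)", 1))
    return findings


# Constructed sample: what `reg export` would write for the entries listed on the
# page, plus one clean exefile handler and one clean browser entry for contrast.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"%LocalAppData%\\kdn.exe\" -a \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"%LocalAppData%\\kdn.exe\" -a \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''

if __name__ == "__main__":
    for key, reason, value in scan_reg_export(SAMPLE_EXPORT):
        print(reason, "\n   ", key, "\n   ", repr(value))
```

Because the check compares against the default handler rather than a file name, it does not depend on the three random letters the executable happens to have.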



Old News ;-)

[Sep 10, 2012] How Two Scammers Built an Empire Hawking Sketchy Software (Wired Magazine, Wired.com) by Benjamin Wallace

Before they built an international underworld empire — before they weaseled their way onto millions of computers, before their online enterprise was bringing in hundreds of millions of dollars a year, before they were fugitives wanted by Interpol — Sam Jain, now 41, and Daniel Sundin, 33, were just a couple of garden-variety Internet hustlers. The two, who met around 2001, started out with a series of relatively modest scams and come-ons. Capitalizing on post-9/11 paranoia, Jain sold anti-anthrax gas masks. Exploiting the anxieties of aspiring non-English-speaking immigrants, he helped run a green card lottery site that tricked applicants into paying for an INS form that the government provides for free. Together, the two men sold gray-market or counterfeit versions of popular software. They marketed all these dodgy ventures with a mix of hyperaggressive tactics, including classic black hat tricks like “browser hijacking” and “typo-squatting.” But Jain and Sundin weren’t technological wizards; they didn’t break into their marks’ computers or steal their credit card numbers. Instead, they were masters of social engineering who got people to hand over their money willingly. The work was lucrative enough that Jain and Sundin could afford to hire programmers, designers, and emarketers. Still, their approach was unfocused — and exhausting.

Then, in August 2003, Jain and Sundin had a breakthrough thanks to the arrival of the so-called Blaster worm. Blaster quickly compromised hundreds of thousands of machines, making it one of the fastest-spreading pieces of malware ever. The worm also prompted an unprecedented consumer panic: Some 40,000 computer users called Microsoft for support during the first four days of the epidemic. Jain and Sundin had built a small empire dedicated to exploiting people’s fears — of bioterrorism, for instance, or deportation. Here was a threat that menaced almost everyone with a PC, which meant a vast potential audience for their manipulative online ad campaigns. Jain and Sundin — now working through a company they called Innovative Marketing Inc., or IMI — merely had to use the fear of computer viruses to sell antivirus software.

Coincidentally, Sundin had already written some firewall software called Computershield. It wasn’t as effective as mainstream antivirus programs, but it didn’t have to be; the genius would be in the sales pitch. After rebranding it WinAntiVirus, IMI began buying pop-up ads that blared fake alerts about problems on users’ hard drives — for example, “You have 284 severe system threats.” These ads prompted customers to download a free trial or pay $39.95 and up for IMI’s subpar software.

Once installed, the trial versions pumped yet more ads into the user’s web browser, pestering people to shell out the full price. It was a deeply ironic scheme: Jain and Sundin planned to exploit consumer fears of viruses in order to spread what was, in effect, another virus — and the victims would pay for the privilege.

Figure: The number of phony antivirus programs has exploded worldwide (source: Panda Security)

The plan worked. People were so spooked by the Blaster worm, a coworker would later recall, that Jain boasted he could be selling “a block of ice” and still make money. Soon, IMI on their new cash cow. IMI had found its killer app.

Over the next few years, imitators sprang up. Soon, computer users were besieged by terrifying alerts from all kinds of purported antivirus software vendors. This genre of software, widely called scareware, has become the Internet’s most virulent scourge. By 2009, an average of 35 million computers were being infected by scareware every month, according to a study by software developer Panda Security. “Scareware is still the most promising way of turning compromised machines into cash,” says Dirk Kollberg, a senior threat researcher at security firm Sophos.

And until recently, IMI was the Google of scareware, exploding over just a few years from a small group of housebound hackers into an international juggernaut, a sophisticated enterprise with hundreds of employees and offices on four continents.

It had telephone support centers in Ohio, Argentina, and India and marketed its products under more than 1,000 different brands and in at least nine languages. From 2002 to 2008, IMI brought in hundreds of millions of dollars in profit.

[Sep 10, 2012] Some Internet scammers DO get caught by Kristin Samuelson

Judging from the appearance of XP Antivirus 2012, they were not caught. They just went underground.

May 27, 2010 | Chicago Tribune

By Problem Partner Kristin Samuelson | For those of us who have fallen prey to Internet scams or malicious software, we feel like there are no repercussions for those who scammed us. It turns out scam artists don't always get away scot-free.

On Wednesday, a federal grand jury in Chicago indicted three men on charges that accused them of "conning people in more than 60 countries into buying $100 million in bogus software by convincing them their computers were infected by malicious programs," according to a May 27 Associated Press story.

The Federal Trade Commission first filed a complaint against these scam artists on Dec. 2, 2008. A Dec. 10, 2008 FTC press release explained that in response to the complaint, "a U.S. district court has issued a temporary halt to a massive 'scareware' scheme, which falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. According to the FTC, the scheme has tricked more than one million consumers into buying computer security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus."


The three men indicted on Wednesday were 26-year-old James Reno of Amelia, Ohio; Bjorn Daniel Sundin, a 31-year-old Swedish citizen who is believed to be living in Sweden; and Shaileshkumar Jain, a 40-year-old American who is believed to be living in the Ukraine. None of the men are in custody.

"The indictment says Jain and Sundin sold pieces of bogus software through their company, Innovative Marketing Inc," the AP story said. "Reno is accused of running call centers for Innovative Marketing."

Read the full AP story below:

Three men have been indicted on federal charges that accuse them of conning people in more than 60 countries into buying $100 million in bogus software by convincing them their computers were infected by malicious programs.

A federal grand jury in Chicago returned indictments Wednesday against 26-year-old James Reno of Amelia, Ohio, and Bjorn Daniel Sundin and Shaileshkumar Jain.

Sundin is a 31-year-old Swedish citizen believed to live in Sweden. Jain is a 40-year-old American authorities believe is in the Ukraine.

"These defendants allegedly preyed on innocent computer users, exploiting their fraudulently induced fears for personal gain," Robert D. Grant, the special agent in charge of the FBI's Chicago office, said in a news release.

While authorities say they expect Reno to turn himself in at some point, none of the three are in custody. U.S. Department of Justice spokesman Randall Samborn declined to discuss when Reno will turn himself in or how authorities plan to pursue Sundin and Jain.

There was no immediate response to messages left by The Associated Press on Thursday at a telephone number listed for James Reno in Amelia, Ohio.

Jain, Sundin and others used a company they incorporated in Belize called Innovative Marketing Inc. and a series of fictitious advertising agencies to place fake ads on legitimate Web sites from December 2006 through October 2008, the indictment says.

The ads contained hidden computer codes that redirected browsers on any computer used to view the ads to Web sites that would display error messages — known as scareware — telling users their computers were infected with malicious software. Computer users were prompted to use their credit cards to buy Innovative Marketing software with names such as "DriveCleaner" and "ErrorSafe" for anywhere from $30 to $70, authorities said.

The money, according to the indictment, was deposited in bank accounts around the world.

The indictment charges Sundin and Jain each with 24 counts of wire fraud, and Reno with 12 counts of wire fraud. Each also was charged with one count of conspiracy to commit computer fraud and computer fraud.

Each wire fraud count carries a maximum sentence of 20 years in prison and a $250,000 fine, plus restitution and further potential fines based on the money lost by victims.

The indictment also seeks the forfeiture of about $100 million and all money held in an account at Swedbank located in Kiev, Ukraine.

[Sep 11, 2012] Anatomy of a malware scam, by Jesper M. Johansson

This is a free whitepaper, but Register.com requires registration. The version provided here does not include any images.
August 22, 2008 | Reg Whitepapers

The evil genius of XP Antivirus 2008

Anyone who has a blog has probably seen blog spam; comments to the blog that simply try to entice people to go to some other site. Most of the time the site being advertised is simply trying to boost its search engine rankings to generate more ad revenue.

The more links there are to a site, the more popular the search engines figure it is, and the higher up in the search results it ends up. Blog spam, therefore, is frequently thought to be a good way to boost the search engine rankings. In some cases this turns malicious. Some sites engage in wholesale intellectual property theft to boost their rankings.

A few weeks ago, however, I started noticing something far more insidious. I moderate all comments to my blog. This is something I started years ago to keep the blog somewhat family friendly, and to avoid propagating malicious content. Recently I also completely disabled trackbacks to avoid boosting the search engine rankings for sites that steal my work. This means I see every comment that comes into my blog. The other day I noticed one that contained nothing more than a link to a fake Google site: google-images.google-us.info/index.html.

This looked very suspicious to me so I made a note of it. Over the next several weeks I noticed a lot more of these, not only pointing to Google but also to Yahoo and MSN. The servers they pointed to all had the same basic structure, such as google-homepage.google-us.info, msn-us.info, yahoo-us.info, etc. Every one resolves to the same IP address: 124.217.253.8. That IP address is registered to Piradius.net in Singapore. The server appears to be hosted out of Kuala Lumpur. The domains, however, are registered in Ukraine:

Domaintools.com confirms this. You will soon see a related domain, xpantivirus.com. That one is registered to Chebotarev Oleksandr, in Odessa, Ukraine. This had me very curious and I wanted to know more about what this site was attempting to achieve. Consequently, I fired up a virtual machine and started investigating. What I found was an interesting tale of trickery.

The First Hint

The first thing a potential victim would do is open up one of the sites. For my tests I used www.msn-us.info. I did my initial test on Windows Vista. After various trickery, I got the dialog in figure 1.

Notice the chrome in Internet Explorer. My virtual machine is running Windows Vista. The popup, however, has the XP chrome. As it turns out, the popup is not a popup at all. The whole page is just one image, hyperlinked to a file download. I must give the criminals here credit for graying out the background to lend it credibility; a la Vista User Account Control (UAC).

One of the questionable benefits of UAC is that it has conditioned people to believe that as long as the screen background is grayed out they can trust whatever is on the screen.

Before the popup in the screen shot there was actually another one too. That one was an animated GIF that looked like it was performing a virus scan of your computer. Needless to say, it found several pieces of fake malware on my computer, hence the dire warning in the fake popup.

If this looks suspicious to you, it should.

We are not on www.msn-us.info. We are on virus-securityscanner.com. When you go to any of the sites that are linked in the blog comments you download a few files, and then it redirects you to http://virus-securityscanner.com/2008/3/freescan.php?aid=880421, where the last part is some form of identifier that we will return to shortly.

Similar sites to this one have been reported at least as far back as 2003. The modus operandi does not change, although the exact details of what the sites do seem to. It appears likely that these sites are all related and that there are multiple fronts for them. Virus-securityscanner.com appears to be hosted at an ISP in Pennsylvania at the time of this writing, but that is likely to change by the time you read this. In fact, between the time I started researching this and the time I wrote the article, the site name had changed to virus-onlinescanner.com.

Workflow Step by Step

At this point I was sufficiently curious to walk through the work-flow step by step. You may enjoy what I discovered. Starting from the beginning, when I first went to www.msn-us.info I received the warning in Figure 2.

It is quite nice of them to warn me about malware. It’s also nice that they are offering to solve all my problems for free. Note also that I repositioned the dialogs in Figure 2 so you can better see what is happening. Without doing that the very small web browser window is actually hidden behind the dialog to make it look as if the dialog is coming from your computer, not a web page. If you click “OK” in figure 2, you get figure 3. If you click cancel, it just goes directly to a download for a fake anti-malware program.

The warning in figure 3 just lets you know that you are about to download something. Obviously the criminals are well aware that users are incredibly desensitized to warnings and the more warnings they get, the less they pay attention to them. Click OK in that warning, and you get the page in Figure 4.

Figure 4 is the same as Figure 1, but this time with the proper chrome as this virtual machine was running Windows XP. It turns out that the malware actually failed to install on Windows Vista (no, I did not file a bug with the authors to get that fixed), so I went back to Windows XP for my testing.

The page in Figure 4 is mostly just a composite of several images. The scan itself is a javascript that draws the progress bar. The file list that it iterates through when it performs the fake scan is a list of 1,100 names in a file called fileslist.js. That file also contains the 14 fake pieces of malware that it "discovers."

Figure 1: The site issues a redirect to a different site

Figure 2: Initial warning

The warning dialog itself is a GIF image called popup3.gif. Virtually all areas of the page, including popup3.gif, are linked through an on-click event to a function called onloadExecutable(), which looks like this:

    function onloadExecutable()
    {
        dat=new Date(1214372723);
        var dlth=dat.getHours()-dat.getUTCHours();   // local offset from UTC, in hours
        rrc = 1;
        location.href="../_download.php?aid=880421&dlth="+dlth;   // navigate to the download script
    };

This function does nothing more than trigger a download by setting the location of the browser to a script that initiates a download. The use of this design makes it harder to track down what they are doing since most forensics tools, such as wget, do not execute javascript. The objective, however, is quite clear: you are prompted to download something. The aid parameter is going to be appended to your download name as a version number. The time parameter does not seem to be used at all.

One very interesting behavior of popup3.gif is that the fake close button is actually linked to a special warning. If you click that button, you get the warning in Figure 5.

If you click OK in Figure 5 it runs the onloadExecutable() function. If you click cancel or close it throws another warning, shown in Figure 6. That warning will run onloadExecutable() no matter what you do; whether you click the OK button or the red X to close it.


Therefore, no matter what you do, you will be prompted to download a file. The file is:

http://virus-securityscanner.com/2008/download/XPantivirus2008_v880421.exe.

The v880421 part of the file is a fake version number which bubbled all the way from the original page. It does not seem to change very frequently. However, I tried a few hundred different numbers surrounding 880421 and most resulted in a valid download. Disturbingly, they all seem slightly different. It is possible that download.php runs the file through an obfuscator, but more than likely they have a few hundred different obfuscated versions of the same malware sitting on the server.

After downloading the file, I sent it to virustotal.com, a site that scans files on demand using a large number of reputable commercial anti-malware engines. The results varied a little depending on the day I tried it and which version of the file I sent them. For example, on June 24, only GData and Kaspersky detected the current version as malware. A version just a day older was also detected as malicious by AntiVir, eSafe, Sophos, and Webwasher-Gateway. The actual malware contained in the file is the Trojan-Downloader.Win32.FraudLoad.gen downloader trojan.

Figure 3: The malware is independently certified

Figure 4: Fake Scan Results

Figure 5: Closing one warning brings up another

Figure 6: Closing that warning brings up one that gives you no options

Installing the Malware

The malware is actually quite well written, looking very professional. The installer starts out with a notification shown in Figure 7. It includes what appears to be a Windows compatibility logo, fake of course, and has a link to the terms and conditions.

The terms and conditions also look very professional. A snippet is shown in Figure 8.

The license agreement looks about like what you would expect from commercial software. Interestingly, however, it seems exclusively focused on the website, not on the software you are trying to install. It even tries to restrict how you can provide links to their site. That alone should be a reasonable hint, providing anyone actually ever reads license agreements.

The agreement also provides a link to the support site for the malware. A portion of the help file is shown in Figure 9.

Once you know this is malware, the help site is almost comical. It has information about bug reporting, conspicuously lacking an actual method to submit bug reports. It makes it clear how much you will be charged to install the malware, and even uses the boilerplate language about how safe it is to submit your credit card to them because no criminals will be able to read the encrypted transmission; until it reaches the criminals who asked for it, of course. There is even a link to an online support forum, shown in Figure 10.

The support forum looks well done, with mostly well designed graphics and the requisite list of cryptic malware names you find in the support forums for all anti-malware software. This list of malware is, of course, fake. However, it gives a nice view into what other sites might be associated with the same gang of criminals. Antispywareboss.com, antivirus-2008-pro.com, securityscannersite.com, winantispyware2008.com, and xpsecuritycenter.com are just some of the sites advertising solutions to W32.Trojan.Downloader.s. In fact, 411-spyware has a thread on that particular fake threat (http://www.411-spyware.com/remove-w32-trojan-downloader-s).

Figure 7: The installer looks very professional

Figure 8 The malware comes with terms and conditions

Figure 9: The malware has everything, including a help site

Figure 10: The malware has a support forum

Sending Your Money to the Bad Guys

If you chose to actually pay for the software you will be directed to https://secure.software-payment.com. That site is hosted out of Bridgetown, Barbados. According to several websites, software-payment.com appears to be a bit of a favorite among those pushing fake anti-malware. This forum thread has a list of other fake anti-malware that used it for their billing services.

The software costs $49.95, as shown in Figure 9. However, when you try to register it you are also offered an upgrade to File Shredder 2008, for only $39.95. It is not clear whether that upgrade destroys your data only locally, or whether, for that fee, the bad guys will destroy your data securely on their own servers after they use it to steal your identity and your money. You may also add premium support for $24.95.

What it installs

The first thing you will notice after installation is that you are presented with the Windows Security Center, shown in Figure 11; except that it actually is not the Windows Security Center.

Figure 11 shows a fake Windows Security Center. It looks very much like the real thing, shown in Figure 12 on the same computer, at the same time, for comparison purposes. Note that the real one does NOT detect the malware as a legitimate anti-virus program. The primary differences are twofold. First, the recommendations link in the fake one is linked to a dialog that will try, once again, to make you purchase the fake anti-malware. In the real one, it links to a help document explaining how to obtain anti-malware software.

The fake Windows Security Center also has a list of resources on the left hand side. However, all of them are linked to documents that entice you to pay for the malware. In the real one they link to real help files. It is likely that the criminals created the fake Windows Security Center so they could control exactly what you saw when you clicked on anything in it and link it to the ubiquitous purchase screen. The real Windows Security Center is still present on the computer. Notice the Control Panel in Figure 13.

The real Windows Security Center is the one called just “Security Center” in the Control Panel. The fake one is the one called “Windows Security Center.” In addition, the fake one identifies itself as “Windows Security Center” in the system tray. The real one identifies itself as “Security Alerts.” It is probably safe to say that most users would be hard pressed to conclude that the real one was not the one called “Windows Security Center.” Once again, it is a matter of telling real from fake, and in this case, unfortunately, the real thing, while there, is not very good at identifying itself as the real thing consistently.

Figure 11: Fake Windows Security Center

Figure 12: Real Windows Security Center

Figure 13: Fake Windows Security Center in the Control Panel

If you leave the computer alone for a few minutes you will eventually get the first of many many popups of various kinds, shown in Figure 14.

The warning in Figure 14 is yet another attempt at getting you to send your money to the criminals. If you click the “Remove all threats now” button it will take you to a purchase screen. Interestingly, the “Continue unprotected” button does not take you there, breaking with the previous history. If you use that button you will start getting system tray popups. An example is shown in Figure 15.

The malware uses several different system tray warnings. Another one is shown in Figure 16.

Interestingly, while virtually everything else the malware has shown us so far has been in flawless English, the system tray popups have grammatical mistakes and missing prepositions. More than likely this is indicative of collusion within a criminal gang to create the malware. The software and all the associated collateral is far too complex to be written by a single person in a reasonable time, so the source is likely a gang. The individual that wrote the system tray popups apparently did not receive the grammar tutorial the others did. Or, maybe, the system tray popups just were not part of the user acceptance testing plan.

Figure 14: The first of many warnings

Figure 15: One of several different scary looking system tray warnings

Figure 16: Another system tray warning

At regular intervals you also get a strange corner popup, shown in Figure 17.

The corner popup also shows up in the region of the system tray but is just a window. It has an “Update Now” button that takes you to the purchase site. Once again, the malware is specifically designed to entice you to pay for it.

The application itself looks reasonably good. Figure 18 shows the main application window during a “scan.”

If you compare Figure 18 to your average legitimate anti-malware suite you would probably be inclined to agree that this looks perfectly legitimate to most people. It finds bad stuff, which is good, and the bad stuff is sufficiently scary sounding to make me want to get it removed, even if it costs me $49.95, plus the File Shredder 2008 license. Just in case that was not enough to entice me to purchase the malware, however, we also have the system status screen in Figure 19, which is designed to frighten you into compliance. By now you can probably guess where the “Update Now” button goes. There are at least four buttons in Figure 19 that lead to the “send us your money now” website. One can only marvel at how much better the criminals are at separating you from your money than the legitimate anti-malware vendors.

Interestingly, in my testing, the malware did not actually take any malicious action beyond what I have documented here. I did not detect any attempts at stealing data, at installing additional malware, or at remote control. This could be for several reasons. The purpose may just be to get some of your money, and maybe a credit card number. Alternatively, it may be that the software is time-triggered to make it harder to analyze. Most analysts do not have the luxury to let it run continuously for weeks whereas the bad guys can easily wait that long for the payout. Finally, the software may include detection logic to discover that it is running in a virtual machine, causing it to forego some of the malicious actions it otherwise would. Such logic is becoming more common in malware as it makes it far more difficult for researchers to analyze the software.

Figure 17: A corner popup

Figure 18: A scan of your system obviously finds many fake infections

Figure 19: The System Status screen is designed to be scary

Detection by Legitimate Software

As a final experiment I decided to see if I could remove the malware, or at least detect it, with legitimate anti-malware software. At first I attempted with the recently updated Microsoft Malicious Software Removal Tool (from June 24, 2008, the most recent available at the time I wrote this). It failed to detect the software.

Fortunately, other anti-malware software did detect it. Figure 20 shows the warning from AVG Free when you attempt to open the Control Panel applet. AVG Free also threw a similar warning when I downloaded the installer.

AVG also detects the other vectors installed by the malware and very efficiently removes them for you, as shown in Figure 21. I did not test with any other anti-malware software. As the test results on Virus Total showed, the malware would probably be missed by at least some legitimate anti-malware software.

Figure 20: AVG Free detects the malware on open

Figure 21: AVG Free removes the malware

Conclusion

This type of malware is very, very disturbing. One can only wonder how many users have been duped into installing ineffective security software, and what happened to their private information and credit card data when they paid for it. The presence of such software, and the overall very high quality of the ruse it presents, is frightening. More than likely, thousands of people have been fooled. In fact, this type of deception has been around for several years now, and it would not still be here if it did not work well.

This should serve as a dire warning to all: be extremely careful what you trust, and question everything that looks even remotely suspicious. For example, no website can run an anti-malware scan on your computer simply by your visiting the site. Any site that purports to do so is almost certainly run by criminal gangs.

No website should ever offer you to download an anti-malware package as soon as you visit the site. Any site that purports to do so is either run by criminal gangs or by an organization whose business practices are so deceptive that you should never consider doing business with it. A reputable site will present you with product information and then leave the downloading decision up to you, not force it upon you. No software that pushes the purchase decision so heavily in your face is likely to be legitimate.

Finally, learn just a little about how your computer looks normally so you can detect changes. The fake Windows Security Center is a very nice touch that could fool almost anyone who doesn't pay attention to what the real one looks like and is called.

As for your anti-malware software, yes you need it. We all really do, at least on some computers. Advocating that you should stop using anti-malware software is irresponsible. If people were to actually take that advice, we would be overrun with malware in short order. You should definitely have anti-malware software on any computer that may come into contact with untrusted data and software.

However, do not just pick software because it tells you to pick it. Stick to the trusted brand names when it comes to anti-malware. And, if you get a download shoved down your computer when you visit a website, head over to Virus Total and submit it for a scan. If it proves malicious, they will submit it to the anti-malware vendors for you.

Jesper M. Johansson is a Software Architect working on security software and is a contributing editor to TechNet Magazine. He holds a Ph.D. in Management Information Systems, has more than 20 years experience in security, and is a Microsoft Most Valuable Professional (MVP) in Enterprise Security. His latest book is the Windows Server 2008 Security Resource Kit.

[Jul 18, 2011] Remove XP Antispyware 2012, XP Internet Security 2012 (Uninstall Guide)

They suggest that after registration you can delete the registry entry. In my experience the latest version of the program modifies login to block this path, but you can try. Again, restoring the image of the C-drive from backup is a more efficient solution that can be implemented faster and with less trouble.

You can use one of these serials 1147-175591-6550 or 2233-298080-3424 to register the rogue application in order to stop the fake security alerts. Just click the Registration button and then select "Activate manually".

... ... ...

Copy all the text in blue color below and paste to Notepad.

Windows Registry Editor Version 5.00

; Remove the per-user .exe association and the rogue "secfile" ProgID it points to
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
; Remove the machine-wide copies of the same hijack
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

; Restore the stock handler: run the program itself, passing its arguments through
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

; Map the .exe extension back to the stock exefile ProgID
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"


Save file as fix.reg to your Desktop. NOTE: (Save as type: All files).

Double-click on fix.reg file to run it. Click "Yes" for Registry Editor prompt window. Then click OK.
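The same check can be scripted so you can see what the rogue changed before writing anything back. The PowerShell audit below is an added example, not part of the uninstall guide or of this page's author's material; it assumes the key list and the stock default values shown in the fix.reg above (hijacked per-user Classes entries override HKEY_CLASSES_ROOT, which is how the rogue gets in front of every program launch). It is read-only unless -Repair is passed. As the author notes, the rogue may redefine handlers in other places (IE, Firefox) that this script does not look at, so an empty report is not proof the machine is clean.

```powershell
<#
  Added example (not from the quoted guide): audit the .exe file association
  for the hijack described above and optionally restore the stock Windows
  handler.  Read-only by default; pass -Repair to write.  Run from an elevated
  PowerShell prompt.  Key list and defaults mirror the fix.reg shown above.
#>
param([switch]$Repair)

# Stock values Windows ships for the .exe association.
$expectedHandler = '"%1" %*'
$expectedProgId  = 'exefile'

# Keys the rogue adds or overrides (per-user Classes entries take precedence
# over HKEY_CLASSES_ROOT, so HKCU is where the hijack usually lives).
$suspectKeys = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\secfile',
    'Registry::HKEY_CLASSES_ROOT\secfile',
    'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command'
)

function Get-DefaultValue([string]$Path) {
    # Returns the key's (default) value, or $null when the key is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-ItemProperty -LiteralPath $Path).'(default)'
}

$findings = @()

foreach ($key in $suspectKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{
            Key   = $key
            Issue = 'key should not exist on a clean system'
            Value = Get-DefaultValue $key
        }
    }
}

# The machine-wide handler must still be the stock one.
$handlerKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$handler    = Get-DefaultValue $handlerKey
if ($handler -ne $expectedHandler) {
    $findings += [pscustomobject]@{ Key = $handlerKey; Issue = 'exefile handler changed'; Value = $handler }
}

# ...and .exe must still map to the exefile ProgID.
$extKey = 'Registry::HKEY_CLASSES_ROOT\.exe'
$progId = Get-DefaultValue $extKey
if ($progId -ne $expectedProgId) {
    $findings += [pscustomobject]@{ Key = $extKey; Issue = '.exe no longer maps to exefile'; Value = $progId }
}

if ($findings.Count -eq 0) {
    Write-Output 'No .exe association hijack found in the audited keys.'
} else {
    $findings | Format-Table -AutoSize | Out-String | Write-Output

    if ($Repair) {
        # Same effect as fix.reg: drop the rogue keys, then restore the defaults.
        foreach ($key in $suspectKeys) {
            if (Test-Path -LiteralPath $key) { Remove-Item -LiteralPath $key -Recurse -Force }
        }
        foreach ($k in @($handlerKey, $extKey)) {
            if (-not (Test-Path -LiteralPath $k)) { New-Item -Path $k -Force | Out-Null }
        }
        Set-ItemProperty -LiteralPath $handlerKey -Name '(default)' -Value $expectedHandler
        Set-ItemProperty -LiteralPath $extKey -Name '(default)' -Value $expectedProgId
        Set-ItemProperty -LiteralPath $extKey -Name 'Content Type' -Value 'application/x-msdownload'
        Write-Output 'Defaults restored; sign out and back in so Explorer rereads the association.'
    }
}
```

Because the hijack intercepts every .exe launch, powershell.exe itself may be caught if started by double-click; start it through "Run as" (as the author mentions) or from Safe Mode, and keep the author's advice in mind that restoring a known-good C-drive image is the faster and more reliable path.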

Anonymous:

the key 1147-175591-6550 is invalid!!!!!

Anonymous:

Keep in mind the "activation" key may not work. It did not for me.

However, I killed the process by going into task mgr. The process on my pc was ghq.
It may pop up again, however, keep killing it.

other than that, these steps worked!

Thanks!

[Jul 17, 2011] Remove XP Antivirus 2012, removal instructions

They mention the kdn.exe process, but the name can be any combination of three letters. Also, the registry keys mentioned do not correspond to those that I observed.
XP Antivirus 2012 is a deceptive and quite sophisticated rogue anti-spyware program which applies the basic tricks of scams from this category. Though it claims to be a powerful virus remover, keep in mind that this program is the only one that needs to be eliminated, because it reports invented viruses. To be more precise, XP Antivirus 2012 will first create numerous harmless files that it drops into the infected computer's system. Then this scam will pretend to scan your computer and immediately report numerous viruses that in reality are nothing else but these earlier created files. Some of its alerts may report a Trojan-BNK.Win32.Keylogger.gen threat to scare you to death and push you into purchasing its license, which will be offered additionally. Pay attention to the fact that XP Antivirus 2012 is dangerous and has nothing to do with computer protection!

XP Antivirus 2012 has been manipulating people into believing it is useful software. However, this rogue anti-spyware mostly penetrates a random computer system without the user's knowledge and approval and opens a backdoor into the system to let in more threats or allow the scammers to reach your personal information. All this is done with the help of Trojans that infect vulnerable systems through fake video codecs and Flash updates. As you can see, you should not believe XP Antivirus 2012 and its spyware detection reports, as they are fabricated and have in fact nothing to do with the true condition of the machine. Don't buy this software, though it will definitely promise to fix your computer; remove XP Antivirus 2012 instead.


Recommended Links

Softpanorama hot topic of the month

Softpanorama Recommended

Remove Win 7 Antispyware 2012 and Vista Antivirus 2012 name changing rogue (Uninstall Guide)

remove-win-7-antispyware-2012

Remove XP Security 2012, removal instructions

FTC v. Innovative Marketing, Inc., et al - Complaint

mf_scareware



Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusively for research and educational purposes. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.


The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.


Original materials' copyrights belong to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: May 08, 2017