Trojan downloader. http://www.virustotal.com/analisis/c962c407bd773325b9614ed37983066898de65834a18798dd9ab5af06c1d6cbd-1266220848 Written in CodeGear RAD Studio v12.0.3420.21218 by Russian crapware script-kiddies. Arrives as a video codec package. While installing it prints a lot of messages to the debug output (two processes, PIDs 1120 and 1260, each install the same VCLFixPack patch set):
00000000 0.00000000 watchdog!WdUpdateRecoveryState: Recovery enabled.
00000001 27.91488457 [1120] VCLFixPack patch installed: AppDeActivateZOrderFix
00000002 27.91506958 [1120] VCLFixPack patch installed: PageControlPaintingFix
00000003 27.91527176 [1120] VCLFixPack patch installed: GridFlickerFix
00000004 27.91547203 [1120] VCLFixPack patch installed: SpeedButtonGlassFix
00000005 27.91567039 [1120] VCLFixPack patch installed: DBNavigatorFix
00000006 27.91577530 [1120] VCLFixPack patch installed: StringBuilderFix
00000007 27.91599846 [1120] VCLFixPack patch installed: CancelHintDeadlockFix
00000008 27.91612434 [1120] VCLFixPack patch installed: CDSDataConvertFix
00000009 31.80923271 [1260] VCLFixPack patch installed: AppDeActivateZOrderFix
00000010 31.80936241 [1260] VCLFixPack patch installed: PageControlPaintingFix
00000011 31.80956459 [1260] VCLFixPack patch installed: GridFlickerFix
00000012 31.80982399 [1260] VCLFixPack patch installed: SpeedButtonGlassFix
00000013 31.81003571 [1260] VCLFixPack patch installed: DBNavigatorFix
00000014 31.81013680 [1260] VCLFixPack patch installed: StringBuilderFix
00000015 31.81027412 [1260] VCLFixPack patch installed: CancelHintDeadlockFix
00000016 31.81040764 [1260] VCLFixPack patch installed: CDSDataConvertFix
Displays a lot of popups from a tray icon about viruses, trojans etc. found on the computer. After reboot it blocks process startup.
Screenshots (captions only): GUI; immediate detections; "New databases found!" (on a PC disconnected from any kind of network); Control Panel blocked.
Strings recovered from the unpacked executable:
SOFTWARE\Borland\Delphi\RTL
kernel32.dll
Software\CodeGear\Locales
Software\Borland\Locales
Software\Borland\Delphi\Locales
WARNING!
successfully installed!
Crytical Error!
Unable to find resource for winlogon.exe Resource ID is 0x40001213
exit
hxxp://supportwebcenter.com/
open
disabled
IEFrame
MozillaUIWindowClass
iexplore.exe
firefox.exe
wscntfy.exe
shutdown.exe
avcheck.exe
wuauclt.exe
soft_cleaner.exe
%PROCESSNAME%
%VIRUSNAME%
jjjj jjjj
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
http://
ffid=
Unknown
Windows NT 3
Windows NT 4
Windows 95
Windows 98
Windows ME
Windows 2000
Windows XP
Windows 2003
Windows Vista
Windows Seven
Progman
Control Panel\Desktop
Wallpaper
_Wallpaper
.exe
Software\Microsoft\Windows\CurrentVersion\Run
Key
Language
Count
.ini
.bat
:try
del "
if exist "
" goto try
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v
cmd.exe /c start
.exe /install
exit
open
.exe
.ini
&sts=
Key
Language
Count
.ini
.lnk
Software\
Key
Grep
Count
AutoRun
MinRun
AutoScan
Language
Privacy
Update
Guard
Software\
localhost
inspectguide.com
_www.billingsoftwaresite.com
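As an added triage aid (my own script, not part of the original analysis), the following Python classifies a strings dump like the one above into behaviour categories: Run-key persistence, the del/if exist/goto retry loop of a self-deleting batch file, process and browser-window hunting, the %VIRUSNAME%/%PROCESSNAME% rogue-AV message templates, and network indicators. The sample input is a constructed subset of the strings listed here, and the string-to-category rules are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the strings recovered above, one per line.
SAMPLE_STRINGS = """\
Software\\Microsoft\\Windows\\CurrentVersion\\Run
reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v
:try
del "
if exist "
" goto try
cmd.exe /c start
iexplore.exe
firefox.exe
avcheck.exe
IEFrame
%VIRUSNAME%
hxxp://supportwebcenter.com/
inspectguide.com
kernel32.dll
""".splitlines()
# (category, regex) rules; the mapping from string to behaviour is my assumption.
RULES = [
    ("persistence", re.compile(r"CurrentVersion\\Run", re.I)),
    ("self_delete", re.compile(r'^(:try|del "|if exist "|" goto try)$')),
    ("process_launch", re.compile(r"cmd\.exe /c start", re.I)),
    ("process_kill", re.compile(
        r"^(iexplore|firefox|wscntfy|shutdown|avcheck|wuauclt|soft_cleaner)\.exe$", re.I)),
    ("window_hunt", re.compile(r"^(IEFrame|MozillaUIWindowClass)$")),
    ("rogue_av_ui", re.compile(r"%(VIRUSNAME|PROCESSNAME)%")),
    ("network", re.compile(r"hxxps?://|https?://|\.(com|net)(/|$)|^Mozilla/", re.I)),
]

def classify(strings):
    """Map each recovered string to the behaviour categories it indicates."""
    hits = defaultdict(list)
    for s in (x.strip() for x in strings):
        for cat, rx in RULES:
            if rx.search(s):
                hits[cat].append(s)
    return dict(hits)

def self_delete_stub_present(hits):
    """True when all four fragments of the 'del / if exist goto try' loop were seen."""
    return len(set(hits.get("self_delete", []))) == 4

if __name__ == "__main__":
    h = classify(SAMPLE_STRINGS)
    for cat, items in sorted(h.items()):
        print(f"{cat:15s} {len(items):2d}  {items}")
    print("self-delete batch stub present:", self_delete_stub_present(h))
```

Strings that match no rule (kernel32.dll in the sample) are simply dropped, so the output is a short behaviour summary rather than a second dump.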
Delphi units used (from the unit list in the unpacked executable):
st_new [MainUnit]
OleServer [ImplicitUnit]
Variants [ImplicitUnit]
VarUtils [ImplicitUnit]
Windows [WeakUnit, OrgWeakUnit]
Types [ImplicitUnit]
SysInit
System
SysConst [ImplicitUnit]
SysUtils [ImplicitUnit]
Character [ImplicitUnit]
RTLConsts [ImplicitUnit]
Math [ImplicitUnit]
StrUtils [ImplicitUnit]
ImageHlp [ImplicitUnit]
Controls [ImplicitUnit]
DwmApi [ImplicitUnit]
UxTheme [ImplicitUnit]
SyncObjs [ImplicitUnit]
Classes [ImplicitUnit]
ActiveX [ImplicitUnit]
Messages [WeakUnit, OrgWeakUnit, ImplicitUnit]
TypInfo [ImplicitUnit]
CommCtrl [WeakUnit, OrgWeakUnit, ImplicitUnit]
Themes [ImplicitUnit]
Graphics [ImplicitUnit]
Consts [ImplicitUnit]
Registry [ImplicitUnit]
IniFiles [ImplicitUnit]
Forms
StdActns [ImplicitUnit]
ComCtrls [ImplicitUnit]
CommDlg [WeakUnit, OrgWeakUnit, ImplicitUnit]
ShlObj [WeakUnit, OrgWeakUnit, ImplicitUnit]
UrlMon [WeakUnit, OrgWeakUnit, ImplicitUnit]
WinInet [WeakUnit, OrgWeakUnit, ImplicitUnit]
RegStr [WeakUnit, OrgWeakUnit, ImplicitUnit]
ShellAPI [WeakUnit, OrgWeakUnit, ImplicitUnit]
ComStrs [ImplicitUnit]
Printers [ImplicitUnit]
WinSpool [WeakUnit, OrgWeakUnit, ImplicitUnit]
ActnList [ImplicitUnit]
Menus [ImplicitUnit]
ImgList [ImplicitUnit]
Contnrs [ImplicitUnit]
GraphUtil [ImplicitUnit]
ZLib [ImplicitUnit]
ListActns [ImplicitUnit]
StdCtrls [ImplicitUnit]
ExtCtrls [ImplicitUnit]
Dialogs [ImplicitUnit]
HelpIntfs [ImplicitUnit]
MultiMon [ImplicitUnit]
Dlgs [WeakUnit, OrgWeakUnit, ImplicitUnit]
WideStrUtils [ImplicitUnit]
ToolWin [ImplicitUnit]
RichEdit [WeakUnit, OrgWeakUnit, ImplicitUnit]
Clipbrd [ImplicitUnit]
FlatSB [ImplicitUnit]
Imm [WeakUnit, OrgWeakUnit, ImplicitUnit]
OleConst [ImplicitUnit]
ComObj [ImplicitUnit]
ComConst [ImplicitUnit]
OleCtrls [ImplicitUnit]
AxCtrls [ImplicitUnit]
StdVCL [ImplicitUnit]
pngimage [ImplicitUnit]
pnglang [ImplicitUnit]
DBCtrls [ImplicitUnit]
VDBConsts [ImplicitUnit]
DBConsts [ImplicitUnit]
DBPWDlg [ImplicitUnit]
DB [ImplicitUnit]
WideStrings [ImplicitUnit]
DBCommonTypes [ImplicitUnit]
FMTBcd [ImplicitUnit]
SqlTimSt [ImplicitUnit]
DateUtils [ImplicitUnit]
MaskUtils [ImplicitUnit]
DBLogDlg [ImplicitUnit]
Buttons [ImplicitUnit]
Mask [ImplicitUnit]
DBClient [ImplicitUnit]
Provider [ImplicitUnit]
DataBkr [ImplicitUnit]
MidConst [ImplicitUnit]
Midas [ImplicitUnit]
DBCommon [ImplicitUnit]
DSIntf [ImplicitUnit]
uFormManager
uTypes
uSetup
uInetThread
ufrmMsgBox2
ufrmMain
ufrmAlert
ufrmMsgBox1
uSkinButton [ImplicitUnit]
uSkinControl [ImplicitUnit]
uSkinCaptionControl [ImplicitUnit]
uConsts
ufrmBSOD
TlHelp32 [WeakUnit, OrgWeakUnit, ImplicitUnit]
md5
ufrmBrowser
MSHTML [ImplicitUnit]
SHDocVw [ImplicitUnit]
Gauges [ImplicitUnit]
ufrmPopup
uSkinGroupBox [ImplicitUnit]
ufrmUpdateInfo
ufrmUpdate
ufrmInfectedSoftware
ufrmRegistration
PsAPI [WeakUnit, OrgWeakUnit, ImplicitUnit]
ufrmHarmfull
ufrmFirewall
ufrmActivate
XPMan [WeakUnit, OrgWeakUnit, ImplicitUnit]
uFilesThread
uSkinCheckBox [ImplicitUnit]
uCryptIniFile
VCLFixPack
Grids [ImplicitUnit]
DBGrids [ImplicitUnit]
Detections (fake: the rogue reports stock Windows system files as malware, with descriptions apparently lifted from a Kaspersky encyclopedia, as the Sadmind entry's attribution shows). Format: [category] file: detection name, then the description text as displayed.
[Dialer] MSVIDEO.DLL: Exploit.HTML.Ascii.f
This exploit uses a vulnerability in Internet Explorer (CVE-2006-3227) to run on the victim machine. It is an HTML page. It is 1614 bytes in size. It is not packed in any way.

[Malware] actxprxy.dll: Virus.Win32.CTX.6886
This is a Win32 parasitic virus. It uses polymorphic and Entry Point Obscuring mehods (see below). It is not a dangerous nonmemory resident parasitic polymorphic Windows virus. It searches for PE EXE files (Windows Portable Executable files) in current directory (except drive root directory),...

[Dialer] cacls.exe: Exploit.HTML.Ascii.e
This exploit uses a vulnerability in Internet Explorer (CVE-2006-3227) to run on the victim machine. It is an HTML page. It is 1315 bytes in size. It is not packed in any way.

[Malware] cmsetACL.dll: Virus.DOS.Lenin.943
It is not a dangerous nonmemory resident parasitic virus. It searches for EXE files and writes itself to the end of the file. While infecting it does not alter the EXE entry registers, but inserts CALL FAR instruction into file entry point and alters EXE relocation table. Depending on its...

[Spyware] cryptdlg.dll: Trojan-PSW.Win32.LdPinch.rn
This Trojan belongs to a family of Trojans written with the aim of stealing user passwords. LdPinch is designed to steal confidential information. The Trojan itself is a Windows PE EXE file approximately 17KB in size, packed using UPX. When installing, the Trojan copies itself to the Windows system...

[Worm] diskcopy.dll: Worm.Win32.Bizex
This worm uses the Internet instant messaging system ICQ to spread via the Internet. The worm sends ICQ users a message with a URL, which is linked to a file which contains procedures to automatically download and execute the malicious component of the worm on the victim computer. Propagation On...

[Trojan] dot3gpclnt.dll: Trojan.Win32.DNSChanger.gn
This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is an HTML page which contains Visual Basic Script. It is 1445 bytes in size.

[Backdoor] fdeploy.dll: Backdoor.Win32.Poison.h
This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. The file is 5,040 bytes in size. Installation When launched, the Trojan copies its executable file to the Windows system directory: %System%\com.exe It also creates the following...

[Worm] fontsub.dll: Worm.SunOS.Sadmind
Text written by Costin Raiu, Kaspersky Labs, Romania This is an Internet-worm that replicates between Sun Sparc computers running the Solaris/SunOS operating system, and attacks Microsoft IIS v4 and 5 Web servers. Cracked Micrsoft IIS servers will have their start page replaced with one that...

[Trojan] iasads.dll: Trojan.BAT.FormatC.z
This Trojan has a malicious payload. It is a BAT file. It is 18 bytes in size.

[Malware] ir41_qcx.dll: Virus.DOS.Segal.552
It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. The virus does not manifest itself in any way. It contains the text: -SEGAL(c)MM

[Rogue] kbdhu.dll: Virus.DOS.Zerobug.1536.a
It is a memory resident not dangerous virus which inserts itself into COM-files beginning at their creating: the infector hooks INT 21h, f.3Ch, creates the file, writes its body into this file and returns the control back to the program that called this function. And then that program appends the...

[Dialer] kbdno1.dll: Exploit.PHP.Inject.f
This exploit is designed to steal confidential information from Web application databases. It is a PHP file. It is 1,610 bytes in size. It is not packed in any way. It is written in PHP.

[Malware] mdminst.dll: Virus.DOS.Lct.599
This is a benign non memory-resident parasitic virus. Upon being executed, it searches for all COM files of the current directory, and writes itself to the end of the file. On December 25th, upon being executed, the virus immediately returns to DOS. The virus contains the text string: *.COM...

[Backdoor] mnmsrvc.exe: Backdoor.Win32.VanBot.bk
This Trojan can be used for remote administration of the victim machine. It provides a malicious user with the ability to perform operations via IRC. It is a Windows PE EXE file, and is 207,872 bytes in size. Installation When installing, the backdoor copies its executable file to the Windows...

[Malware] mqutil.dll: Virus.DOS.Acapulco.1971
It's a not dangerous memory resident parasitic virus. It hooks INT 21h and writes itself at the end of COM- and EXE-files are executed. Sometimes it hooks INT 08h (timer) and plays several tunes.

[Backdoor] msoert2.dll: Backdoor.Win32.Kbot.al
This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. It is 12787 bytes in size. Installation Once launched, the backdoor copies its executable file to the Windows system directory: %System%\mssrv32.exe The backdoor then creates a service...

[Adware] mtxclu.dll: Virus.DOS.Fire.2682
It's a harmless memory resident encrypted parasitic stealth virus. It hooks INT 21h and writes itself to the end of COM- and EXE-files that are executed. It contains the internal text strings: Fire walk with me.

[Backdoor] net1.exe: Backdoor.Win32.BO.a
This Trojan (also known as Back Orifice Trojan) is a network-administration utility that allows for the controlling of computers on the network. "'Back Orifice' is a remote administration system, which allows a user to control a computer across a tcpip connection using a simple console or gui...

[Worm] oakley.dll: Net-Worm.Perl.Santy.a
This worm uses a vulnerability in phpBB, which is used to create forums and web sites, to spread via the Internet. phpBB versions lower than 2.0.11 are vulnerable. The worm is written in Perl, and is 4966 bytes in size. Propagation The worm creates a specially formulated Google search request....

[Rogue] plustab.dll: Virus.DOS.HS.903
This is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files (except AIDSTEST.EXE) that are executed. On December, 27th it erases the hard drive sectors. It also hooks INT 17h (printer) and sometimes prints rude messages in Russian. The...

[Worm] qcap.dll: Net-Worm.Win32.Lovesan.a
Lovesan is an Internet Worm which exploits the DCOM RPC vulnerability in Microsoft Windows described in MS Security Bulletin MS03-026. Lovesan is written in C using the LCC compiler. The worm is a Windows PE EXE file about 6KB (compressed via UPX - 11KB when decompressed). Lovesan downloads and...

[Adware] rdpwsx.dll: Virus.DOS.Fire.2682
It's a harmless memory resident encrypted parasitic stealth virus. It hooks INT 21h and writes itself to the end of COM- and EXE-files that are executed. It contains the internal text strings: Fire walk with me.

[Adware] sclgntfy.dll: Virus.DOS.Piz.2025
It is a dangerous memory resident parasitic encrypted virus. It hooks INT 1Ch, 21h, and writes itself to the end of COM and EXE files that are accessed. Under debugger the virus erases the CMOS. Sometimes it displays the message: +---++ + +-+ ++ +--+ + + | || ++ -++ ++| +-- | | +...

[Spyware] setver.exe: Trojan-PSW.Win32.LdPinch.rn
This Trojan belongs to a family of Trojans written with the aim of stealing user passwords. LdPinch is designed to steal confidential information. The Trojan itself is a Windows PE EXE file approximately 17KB in size, packed using UPX. When installing, the Trojan copies itself to the Windows system...

[Dialer] taskkill.exe: Exploit.HTML.Ascii.p
This exploit uses a vulnerability in Internet Explorer (CVE-2006-3227) to run on the victim machine. It is an HTML page. It is 1872 bytes in size. It is not packed in any way.

[Backdoor] tftp.exe: Backdoor.Win32.Agobot.a
Backdoor.Agobot (also known as PhatBot) is a Trojan program which provides the author/ user with remote access to the victim machine. It is managed via IRC. It has a wide range of functionalities: will not work with a debugger running or under Vmware it can run both as a standard application and...

[Adware] usrsvpia.dll: Virus.DOS.Cheeba.1683
This is a memory resident harmless virus which infects COM and EXE files by standard manner. It infects the memory only if the INT 13h vector points to memory area with address lesser than address of the first MCB. The virus changes the first 5 bytes into INT 13h, 21h, 22h handlers to instruction...

[Worm] vjoy.dll: Net-Worm.Perl.Santy.a
This worm uses a vulnerability in phpBB, which is used to create forums and web sites, to spread via the Internet. phpBB versions lower than 2.0.11 are vulnerable. The worm is written in Perl, and is 4966 bytes in size. Propagation The worm creates a specially formulated Google search request....

[Worm] wmpshell.dll: Net-Worm.Win32.CodeRed.a
CodeRed (aka Code Red, Bady) is an Internet worm that replicates between Windows 2000 servers running Microsoft's IIS (Internet Information Services) and the Microsoft Index Server 2.0 or the Windows 2000 Indexing Service. It does this by exploiting a bug known as "Unchecked Buffer in the Index...

[Adware] wshisn.dll: Virus.DOS.Guevara.1918
It is a very dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of .COM and .EXE files that are executed. On 10th, 20th and 30th of any month the virus erases the hard drive sectors, displays an image of Che Guevara and the text: TE GUSTA ESTAR BLOQUEADO A...