Fake anti-virus
Matt wrote in with the following:
"It might be a good idea to make end users aware that the fake-antivirus scan / trojan / ransomware people have raised the bar. I'm planning to put together a small educational email to send to my end users.
I had a difficult malware extraction today. One of our users ended up with Windows Police Pro (WPP) malware installed on her machine. I was really surprised at how tough this program was to clear, and ended up re-loading the machine via Ghost image.
In the past two days, I've heard of two reports of users getting infected, had to handle one myself, and got an email after work from a tech at a remote site. It appears the fake-antivirus scammers have improved their game a lot. The initial 'lure' on the web has been polished quite a bit to get users to accept the program.
The issues that made Windows Police Pro especially hard to remove were:
1. The main program will not close, and will respawn if killed through Task Manager.
2. The program puts up fake Windows Security pop-ups that are very good copies of the original.
3. It contains a fake of the Windows Security control panel that is a very accurate reproduction.
4. It re-assigns actions for .exe files to its own command interpreter, desote.exe. This program does not run any .exe chosen, just pops up an error window claiming the desired file is infected. This action makes it impossible to install MalwareBytes or CCleaner, or even run just about anything else from within the infected session.
I tried to change the .exe assignment in the Registry, but ultimately just deleted the main WPP program files and desote.exe file (Windows Search would still work), which meant the machine came up with the 'I don't know what program to use to open this file' dialog when I clicked on the installer package. I was able to manually find and run cmd.exe from the /Windows/System32 directory, and get CCleaner to install, but it did not fix the broken registry keys to re-stabilize the system. At this point I just gave up pursuit, copied the user's files to USB drive, and reloaded from Ghost.
The only element of this that I thought was groundbreaking was the .exe hijack. Otherwise it's just an impressive polishing job on a tired scam.
Users with only Windows knowledge, or otherwise without an alternate OS to use to cure this, will be at a big disadvantage."
Thanks Matt! Couldn't agree more.
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
Comments
RDG1503
Sep 4th 2009
I ran into this same virus about a week and a half ago using the name Antivirus Pro 2009. Same M.O., awe-inspiring fake control panel, desote.exe.
The variant I was dealing with was completely missed by everything at virustotal, but I was able to remove most of the startup scripts/services/etc using an XP PE boot CD.
Unfortunately, I couldn't prevent desote.exe from reactivating on boot.
I removed the rest of it using malwarebytes, but I had to resort to renaming all of the MBytes *.exe files to *.com.
It worked, and I was able to kill the rest of the virus by hand.
I played with it for a week and every time I rebooted the vm, the files had a different name, checksum, and were in different locations.
Also, the AV software would update and start catching this thing, but by the following day it had changed enough that the files were being missed again. (I was scanning the VM's drive from a different VM, and rolling it back after each scan)
Not sure how we can fully protect users from this, but if anyone has any ideas, I'd love to hear them.
Eldorel
Sep 4th 2009
bicer
Sep 4th 2009
The regkey responsible is:
HKEY_CLASSES_ROOT\exefile\shell\open\command
The (default) key should be set to:
"%1" %*
If you are unable to change the key, try doing an offline registry edit from a PE or other environment. Open the SOFTWARE hive and look under Classes\exefile\shell\open\command. Otherwise, check the permissions of the key. I've seen more and more malware change permissions on reg keys to lock out DLLs, or disable the Windows Update service.
As usual, a reinstall is always recommended, but sometimes that isn't an option.
Perhaps we should use their tactics against them and deny all write privileges to some things like the exefile class... I think I will try that out this week.
CC_DKP
Sep 4th 2009
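An audit script for the key bicer names and the .exe hijack Matt describes, written in PowerShell as an added example (it is not from the diary or from any commenter): it compares the exefile open command in both the machine and the per-user Classes hives against the expected "%1" %*, surfaces Deny ACEs of the kind bicer mentions, and restores the default when run with -Repair. The -Repair switch, the two hive paths checked, and the elevated session are assumptions of this example.

```powershell
# Added example, not code from the diary: audit the exefile open command that the
# scam hijacks and optionally restore it. Assumes an elevated PowerShell session.
param([switch]$Repair)

$Expected = '"%1" %*'
# HKEY_CLASSES_ROOT is a merged view of these two hives; a per-user override
# wins over the machine entry, so both are checked. Absence under HKCU is normal.
$Paths = @(
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command',
    'HKCU:\Software\Classes\exefile\shell\open\command'
)

foreach ($Path in $Paths) {
    if (-not (Test-Path -Path $Path)) {
        Write-Output "[absent]  $Path"
        continue
    }

    $Key     = Get-Item -Path $Path
    $Current = [string]$Key.GetValue('')      # the (default) value of the key

    if ($Current -eq $Expected) {
        Write-Output "[ok]      $Path -> $Current"
    } else {
        # Any other command string (desote.exe in the post, or anything else) is reported.
        Write-Warning "[hijack?] $Path -> '$Current' (expected $Expected)"
        if ($Repair) {
            Set-ItemProperty -Path $Path -Name '(default)' -Value $Expected
            Write-Output "[fixed]   $Path"
        }
    }

    # bicer's point: malware also changes key permissions to lock out repairs.
    $Acl = Get-Acl -Path $Path
    foreach ($Ace in $Acl.Access) {
        if ($Ace.AccessControlType -eq 'Deny') {
            Write-Warning "[deny]    $Path : $($Ace.IdentityReference) denied $($Ace.RegistryRights)"
        }
    }
}
```

Because the hijack stops .exe files from launching inside the infected session, run this from a session where powershell.exe still starts, such as a clean administrative logon, or after the SOFTWARE hive has been loaded from a PE environment as bicer suggests.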
DBoggs
Sep 4th 2009
JimInKS
Sep 4th 2009
-Al
Al Thiel of YourDataCenter.com
Sep 4th 2009
JimC
Sep 4th 2009
Why not have M$ use the magic number of a file to determine its association? It would make much of the use of extension association issues completely moot. Of course the associative app can still be hijacked... hhhmmm...
Has anyone been able to determine if this variant is sensitive to user rights? (Power User, User, etc). These are good lines of defense and often keep users in check as well which is always a good thing.
GuenTech
Sep 4th 2009
GuenTech
Sep 4th 2009