F-Secure
Tools
Rogue:W32/VirusRemover2008.C
| Name : | Rogue:W32/VirusRemover2008.C |
| Aliases : |
ADSPY/AdSpy.Gen (Other) Program:Win32/Winfixer (Microsoft) Troj/FakeVir-BJ (Sophos) |
| Size: | 894416 |
| Category: | Malware |
| Type: | Rogue |
| Platform: | W32 |
| Date of Discovery: | November 27, 2008 |
Summary
"Rogue" software is an antivirus or antispyware program that tricks users into buying or installing it, usually by infecting a user's computer, or by pretending the computer is infected.
Details
File System Changes
Create these directories:
• C:\Documents and Settings\All Users\Start Menu\Programs\VirusRemover2008
• C:\Documents and Settings\%current user%\Application Data\VirusRemover2008
• C:\Documents and Settings\%current user%\Application Data\VirusRemover2008\Logs
• C:\Program Files\VirusRemover2008
Process Changes
Creates these mutexes:
• AntiMalwareMaster8E0C904E-85D5-4fd8-9473-D173D4D31A9F
Network Connections
Attempts to download files from:
• http://flog.bestvirusremover2008.com/?action=38&pc_id=[...]abbr=3P_UVRM_5712_21.0
Registry Modifications
Sets these values:
• HKEY_CURRENT_USER\Software\VirusRemover2008
scns_time hex:b1,89,2d,49,00,00,00,00,
scns_time hex:b1,89,2d,49,00,00,00,00,
• HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008
LicenseAccepted hex:01,
Upd_size hex:00,00,00,00,
InstallDate hex:d8,07,0b,00,03,00,1a,00,13,00,26,00,38,00,71,02,
ActivationCode
hex:31,37,39,31,42,37,42,32,2d,30,43,44,39,2d,34,36,33,41,2d,41,44,44,46,2d,43,33,41,37,30,38,30,44,37,35,37,30,
UpdateEnabled hex:01,
InfectionCount hex:11,00,00,00,
LastScanTime hex:d8,07,0b,00,03,00,1a,00,13,00,26,00,39,00,19,01,
TotalScanCount hex:01,00,00,00,
LastDetectTime hex:d8,07,0b,00,03,00,1a,00,13,00,28,00,0a,00,0a,01,
LicenseAccepted hex:01,
Upd_size hex:00,00,00,00,
InstallDate hex:d8,07,0b,00,03,00,1a,00,13,00,26,00,38,00,71,02,
ActivationCode
hex:31,37,39,31,42,37,42,32,2d,30,43,44,39,2d,34,36,33,41,2d,41,44,44,46,2d,43,33,41,37,30,38,30,44,37,35,37,30,
UpdateEnabled hex:01,
InfectionCount hex:11,00,00,00,
LastScanTime hex:d8,07,0b,00,03,00,1a,00,13,00,26,00,39,00,19,01,
TotalScanCount hex:01,00,00,00,
LastDetectTime hex:d8,07,0b,00,03,00,1a,00,13,00,28,00,0a,00,0a,01,
• HKEY_LOCAL_MACHINE\SOFTWARE\{5222008A-DD62-49c7-A735-7BD18ECC7350}
Version hex:33,50,5f,56,52,4d,
Version hex:33,50,5f,56,52,4d,
Creates these keys:
• HKLM\Software\VirusRemover2008
• HKLM\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}
Additional Details
This program is the "demo" version of a rogue antispyware application. It attempts to convince the user to "upgrade" and purchase the full version of the software by making the user believe that their computer system is riddled with malware; the malware would, of course, only be removed if the user purchases the full version of the program.
See also the rogue antispyware description.
Execution
Upon execution, this rogue antispyware displays this End User License Agreement (EULA):
Supposedly, the user must accept it before the software will install onto the system. If the user does not accept the EULA, it will not pretend to scan the system and display fake output. It will, however, still create the following registry keys:
Create these files:
It queries this website:
If the user does agree to the EULA, the program does all the above, and in addition will pretend to scan the system:
After the scan, it will display these files, which are supposedly on the computer system. In reality, these files are taken from a predefined list located in C:\Program Files\VirusRemover2008\Viruses.bdt.
If the user closes this window, the rogue will display this notification box to remind the user that the system is still infected:
See also the rogue antispyware description.
Execution
Upon execution, this rogue antispyware displays this End User License Agreement (EULA):
Supposedly, the user must accept it before the software will install onto the system. If the user does not accept the EULA, it will not pretend to scan the system and display fake output. It will, however, still create the following registry keys:
• HKLM\Software\VirusRemover2008
• HKLM\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}
Create these files:
• C:\Documents and Settings\All Users\Start Menu\Programs\VirusRemover2008\VirusRemover2008.lnk
Link to C:\Program Files\VirusRemover2008\VRM2008.exe
Link to C:\Program Files\VirusRemover2008\VRM2008.exe
• C:\Documents and Settings\%current user%\Application Data\VirusRemover2008\Logs\scns.log
Contains a log of requests sent to bestvirusremover2008.com
Contains a log of requests sent to bestvirusremover2008.com
• C:\Documents and Settings\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusRemover2008.lnk
Link to C:\Program Files\VirusRemover2008\VRM2008.exe
Link to C:\Program Files\VirusRemover2008\VRM2008.exe
• C:\Documents and Settings\%current user%\Desktop\VirusRemover2008.lnk
Link to C:\Program Files\VirusRemover2008\VRM2008.exe
Link to C:\Program Files\VirusRemover2008\VRM2008.exe
• C:\Program Files\VirusRemover2008\Viruses.bdt
A text file containing the list of the fake malware found in the system.
A text file containing the list of the fake malware found in the system.
• C:\Program Files\VirusRemover2008\VRM2008.exe
Main rogue scanner file detected as Rogue:W32/VirusRemover2008.C
Main rogue scanner file detected as Rogue:W32/VirusRemover2008.C
It queries this website:
• http://flog.bestvirusremover2008.com/?action=38&pc_id=[...]abbr=3P_UVRM_5712_21.0
If the user does agree to the EULA, the program does all the above, and in addition will pretend to scan the system:
After the scan, it will display these files, which are supposedly on the computer system. In reality, these files are taken from a predefined list located in C:\Program Files\VirusRemover2008\Viruses.bdt.
If the user closes this window, the rogue will display this notification box to remind the user that the system is still infected: