Saturday, 5 March 2011


According to S!Ri (thanks for the sample):
WindowsTool is a fake Defragmenter tool (rogue) from the same family as: WinScan, Disk Recovery, WinDisk, Windows Disk, Windows Scan, Memory Optimizer, Disk Optimizer, Good Memory, Fast Disk, Disk OK, My Disk, Memory Fixer, HDD Fix, HDD Low, Scanner, Disk Repair, Defragmenter, HDD Tools, Smart HDD, HDD Rescue, HDD Plus, HDDDiagnostic, Hard Drive Diagnostic, HDD Scan, Win Defragmenter, Win Defrag, Win HDD, Check Disk, Ultra Defragger, Quick Defragmenter, HDD Defragmenter, System Defragmenter

Fake error messages:

Bitmap dropped in \%temp%\ and added as wallpaper:

This fake defragmenter tool also drops a rootkit, a PRAGMA TDL modification (slightly evolved, with an anti-MBAM feature on board).

It seems to block loading of the MBAM driver by creating a watchdog thread that constantly deletes (by directly sending IRP_MJ_SET_INFORMATION / FileDispositionInformation) the following file:

Kinda stupid solution; they also have a load-image notify callback.

BSoD error due to the virtual machine:

The rootkit is added by a file named "InternetExplorerUpdate.exe", dropped in \%temp%\ by "setup.exe".
The DLL, which has a random name, is downloaded from the internet by "setup.exe".

To register (and help removal), enter any email with the following code: 8475082234984902023718742058948
