Thursday 21 April 2011

Fake BitDefender 2011



According to S!Ri:
Fake BitDefender 2011 uses a real Antivirus solution name to mislead users.

This rogue is from the same family as Fake E-Set Antivirus 2011, Fake AVG Anti-Virus, Antivirus 8.
Previous Family skin was: Antivirus GT, Antivirus 7, Antivir 2010. It is not the first time this rogue takes real Antivirus names.
VT: http://www.virustotal.com/file-scan/report.html?id=2e7ffb3abe5dabc443669d4e698f55bf642bb1b22957f4c317c56cf890a0055d-1303403611






The Fake BitDefender 2011 rogue detects and display fake infections to scare users pushing them into buying a license.

To register (and help removal), copy paste this code: BKI14-HJP10-IKO78-OBK894-XYL77

~ ASM
.386
.model flat, stdcall
option casemap :none

      include windows.inc
      include user32.inc
      include kernel32.inc
      include C:\masm32\macros\macros.asm
      includelib user32.lib
      includelib kernel32.lib

DlgProc     PROTO   :DWORD,:DWORD,:DWORD,:DWORD
RandomAP    PROTO   :DWORD,:DWORD
RandomN     PROTO   :DWORD,:DWORD

.const
IDD_MAIN        equ 1000
IDB_EXIT            equ 1001
IDC_NAME        equ 1002
IDC_SERIAL      equ 1005
IDB_GENERATE    equ 1006
IDB_ABOUT       equ 1007

.data
Rndm        dd  0
b10         db  "0123456789012345",0
Base26A     db  "ABCDEFGHIJKLMNOP",0
tab             db   "-",0
hc          db  "XYL",0

.data?
hInstance   dd  ?
szSerial    db  100h    dup(?)
szSerial2   db  100h    dup(?)
szFinal db  100h    dup(?)

.code
start:
    invoke  GetModuleHandle, NULL
    mov hInstance, eax
    invoke  DialogBoxParam, hInstance, IDD_MAIN, 0, offset DlgProc, 0
    invoke  ExitProcess, eax

DlgProc proc uses esi edi hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    mov eax,uMsg
    .if eax == WM_INITDIALOG
        invoke  LoadIcon,hInstance,200
        invoke  SendMessage, hWnd, WM_SETICON, 1, eax
    .elseif eax == WM_COMMAND
        mov eax,wParam
        .if eax == IDB_EXIT
            invoke  SendMessage, hWnd, WM_CLOSE, 0, 0
        .elseif eax == IDB_GENERATE

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2            
                invoke lstrcpy,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,3,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr hc
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke SetDlgItemText,hWnd,IDC_SERIAL,addr szFinal
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
                invoke RtlZeroMemory,addr szFinal,sizeof szFinal   

        .endif
    .elseif eax == WM_CLOSE
        invoke  EndDialog, hWnd, 0
    .endif
    xor eax,eax
    ret
DlgProc endp

RandomAP Proc   Length_:DWORD,OutPut:DWORD
    mov ecx,Length_
    mov esi,offset Base26A
    mov edi,OutPut
    .repeat
    invoke  GetTickCount
    add Rndm,eax
    add Rndm,'abcd'
    mov eax,Rndm
    rol Rndm,4
    and eax,0Fh
    mov al,byte ptr [esi+eax]
    stosb
    dec ecx
    .until ecx == 0
    Ret
RandomAP endp

RandomN Proc Length_:DWORD,OutPut:DWORD
    mov ecx,Length_
    mov esi,offset b10
    mov edi,OutPut
    .repeat
    invoke  GetTickCount
    add Rndm,eax
    add Rndm,'abcd'
    mov eax,Rndm
    rol Rndm,4
    and eax,0Fh
    mov al,byte ptr [esi+eax]
    stosb
    dec ecx
    .until ecx == 0
    Ret
RandomN endp
end start

Resource file:
;This Resource Script was generated by WinAsm Studio.

#define IDD_MAIN 1000
#define IDB_EXIT 1001
#define IDC_SERIAL 1005
#define IDB_GENERATE 1006

IDD_MAIN DIALOGEX 10,10,268,19
CAPTION "Fake BitDefender 2011 *KeyGen*"
FONT 8,"Tahoma"
STYLE 0x90c80804
EXSTYLE 0x00000188
BEGIN
    CONTROL "Exit",IDB_EXIT,"Button",0x10010000,220,3,45,13,0x00020000
    CONTROL "Xylitol",IDC_SERIAL,"Edit",0x50010801,3,3,167,13,0x00020000
    CONTROL "Generate",IDB_GENERATE,"Button",0x10010000,173,3,44,13,0x00020000
END


Thanks to lelenina for the sample ;)

Edit 21 Apr 2k11:  Sample was repacked: http://www.virustotal.com/file-scan/report.html?id=0ecfc26c4c442ee04bcb53ea2f841166233dac7d9c2ebda01d781f990a4781d5-1303403931
According to VirusTotal the sample is now detected by two Antivirus.

2 comments:

  1. Nice video Xylibox!

    Can you post the sample of the Fake BitDefender 2011?

    ReplyDelete
  2. Yoh !!!!!!!!!!!!

    i ALMOST had a HEART ATTACK

    I Though the Actual BitDefender.com was A FAKE

    yesas thank god BitDefender.com is a real ANTIVIRUS

    I BOUGHT IT IN 2007 and ENJOYED IT ^___^

    THUMBS UP PEOPLE

    ReplyDelete