Friday 29 July 2011

Trojan.FakeAV.LVT



A malware i got from markusg, at first i've not investigated that but after a 'fast analyze' of EP_X0FF... i've see this one was finaly very interesting and also really heavy.
File is multi-packed with custom crap and upx (as usual.for most of malwares).
I got some problem for make a 'clean' unpack version, access violations and some other problems, bored to search why my dump isn't working properly (the custom engine of the debugger i use is buggy, so for this one i've used 'DeFixed v2')


It start by doing a sort of listing, (file names, downloads, system paths):

Network test (youtube.com etc)

Russian language detection (he get the value from the registry):

Because later, he will pop you a fake alert:

And the russian version:

Do a lame file copy using a .bat:
Note: Most of files are dropped into %Systemroot% and later inside hidden subfolders like 'update.2, update.3 etc..'

Some files downloaded/dropped in %Systemroot% (the text file 'ip list' contain ip's of other infected machines, it create a peer to peer bot for exchange malicious code)

Here, it check what antivirus are you using:

Program files / Common files search:

Another EXE file copy (this time not with a bat file but using API's)

Autorun entry:

Drop '2916197.exe' in %Temp% (later renamed sysdriver32.exe, it's another malware loader)

 Antivirus detections, and a huge list for Kaspersky:


KAV, ESET, Outpost, Comodo, Agava, Avast, McAfee, Avira, Norton, DrWeb, MSE, MSD, AVG, Panda and much more... (all important AV solutions)


System error access denied, maybe related to the name 'flash-player.exe' to fool users.

Malware will modify the registry key for go into safe mode on the next reboot, and will queue your antivirus for unistallation.
When all done, the malware launch a shutdown procedure.
On safe mode you will only see this black screen, and when your antivirus was successfully unistalled, the malware will modify again the registry key this time for boot on normal mode, and just after launch another shutdown procedure.
The passage in safe mode is really fast. (For unistall my Avast Antivirus less than 30 seconds for do it and launch the reboot procedure)


After user is fooled, with a fake icon in the system tray of your Antivirus, for example i've do the test with Avast Antivirus (not by preference, i've just installed the first product who pops into my head).



Header lists (for future fake alerts)

Icon list (used for fake alerts):

Fake Avast update:

And when we click on the Avast icon we see this:

Avast shortcut lead now to the fakeav:

Malicious process:

Malware can also unrar archives and execute files, example here with a total legit bitcoin miner:


A downloaded malware has also modified the host file:

Look's good right?:

But check the numbers of lines:

And good luck for find where is right place

And also, remember my 54Mb Avast setup ?


File is now 1,66Kb with a PE header totaly fucked.

Most of us know FakeAV as agressive malware who push users to absolutely buy a license.
This one is composed of 3 images and fool users with 'everything is cool, system is safe'
But in background you got alots of active malwares trojan/downloader, i'll got even a rootkit (ZeroAccess) downloaded.

16 comments:

  1. ohh so that's what removed my kaspersky from my virtual machine xD
    I got this fake av a few weeks ago and i had no idea that it removes real anti-viruses
    i lost my sample tho :(

    ReplyDelete
  2. Do you have a link to these files? Even a VirusTotal scan will helps

    Thanks in advance,

    ReplyDelete
  3. Wow, great review! You're the best, as always!

    ReplyDelete
  4. md5: 38acffb9479dbfe7869fa46b9f8c40a8

    http://www.virustotal.com/file-scan/report.html?id=97387ec1362aba6fb3aaae1f258168cb5e55e75f900cfa8df10f9190d057526e-1311779296

    ReplyDelete
  5. This malware is using email as the vector and in my run downloaded close to 16 binaries belonging to different families, one of which was the Zeroaccess rootkit. This is the md5sum of the sample that I got.

    http://www.virustotal.com/file-scan/report.html?id=376bbe715542e816e16c94c55d3af8a1f50aea55ca85afc2b417a6bb4cd9241a-1311971858

    The link in the email looks like this
    http:///search=loader2.exe

    ReplyDelete
  6. Thanks Xylitol

    Do you still have the dropper?

    ReplyDelete
  7. I got a sample of this. could someone confirm if it is spreading through facebook? one with "It is you on the video"?
    If it is not this one, could someone share the sample with me?

    ReplyDelete
  8. So how can this virus be removed?
    I tried a lot of ways and could not remove it.
    Is only format my PC?

    ReplyDelete
  9. Steven K no one answered anonymous's question, how can this virus be removed? That is if it can be. I have the thing I think and I'm not even sure if you gave me the answer it would let me see it.

    ReplyDelete
  10. You know the path of malware right ? (cf my article)
    so simply boot into safe mode and delete all exe related to the malware, don't forget also to remove the registry key.

    ReplyDelete
  11. Hi Steve,
    Can you please share the malware sample if possible?

    Thanks in advance...

    ReplyDelete
  12. Hi jack,
    I don't have it anymore, sorry.
    check for the md5

    ReplyDelete
  13. A short md5 search was very useful .. Thanks S.

    ReplyDelete
  14. There is a stand alone file that is in memeory xxxxxxxx:xxx... that plays an important part in making it unbeatable. Exe and registery edits don't help because it's best feature is to cloak how it uses IP/TCP. Never seen anything like this in 15 years.

    ReplyDelete