Friday, 8 July 2011
Trojan.Kardphisher: Fake Windows Activation (wind.exe)
Thanks to Malekal_morte for the sample :)
A warning message claims that your copy of Windows was activated by another user and asks for your billing details to verify its authenticity.
Don't be fooled, it's a fake.
If you select the option 'No, I will do it later', nothing happens; you are forced to use the first option.
Once filled in, the data is sent to clubmeup.com, a domain that has absolutely nothing to do with Microsoft.
It also disables cmd, taskmgr, regedit, System Restore, etc.
Once infected, the file is located in %APPDATA% under the name "services.exe".
If you try to terminate this fake Windows Activator, you get a BSoD.
Infection can be removed by booting in Safe Mode.
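The two indicators above (a `services.exe` living in `%APPDATA%` instead of `%SystemRoot%\System32`, and outbound traffic to clubmeup.com) are enough to write a small host and log check. The script below is an added example, not code from the original post: it assumes a host agent that reports process image paths as plain Windows paths and a space-separated proxy log with timestamp, client IP, method, URL and status (both sample inputs are constructed here, not real captures).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of process image paths, as a host agent might report
# them. Only the third entry is suspicious: the genuine services.exe lives
# in %SystemRoot%\System32, never under a user's AppData folder.
SAMPLE_PROCESS_PATHS = [
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\services.exe",
    r"C:\Users\alice\AppData\Roaming\wind.exe",
]

# Constructed proxy log lines (format assumed: timestamp client method url
# status). clubmeup.com is the collection domain named in the post.
SAMPLE_PROXY_LOG = """\
2011-07-08T10:12:01 10.0.0.12 GET http://www.microsoft.com/ 200
2011-07-08T10:12:44 10.0.0.12 POST http://clubmeup.com/ 200
2011-07-08T10:13:02 10.0.0.15 GET http://example.org/ 200
"""

KNOWN_C2_DOMAINS = {"clubmeup.com"}


def suspicious_services_exe(paths):
    r"""Return every path named services.exe whose parent directory is not
    \Windows\System32 (case-insensitive). A services.exe under
    \AppData\Roaming is exactly what this Trojan drops."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() != "services.exe":
            continue
        parent = str(wp.parent).lower()
        if parent.endswith(r"\windows\system32"):
            continue  # genuine Service Control Manager binary
        hits.append(p)
    return hits


def c2_contacts(log_text, domains=KNOWN_C2_DOMAINS):
    """Return (timestamp, client_ip, url) for each log line whose URL host is
    one of the given domains or a subdomain of one of them."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash
        ts, client, _method, url, _status = fields[:5]
        m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
        if not m:
            continue
        host = m.group(1).lower()
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((ts, client, url))
    return hits


if __name__ == "__main__":
    for p in suspicious_services_exe(SAMPLE_PROCESS_PATHS):
        print("suspicious services.exe location:", p)
    for ts, client, url in c2_contacts(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} contacted {url}")
```

The path check deliberately keys on the parent directory rather than on the presence of "AppData" somewhere in the path, so a copy placed in any other user-writable location is flagged too; the domain check matches subdomains so that a host like www.clubmeup.com is not missed.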
Beware of fake banking applications