Monday 31 January 2011

Fake AVG Antivirus



According to S!Ri
Fake AVG Anti-Virus uses a real Antivirus solution name to mislead users.

This rogue is from the same family as Antivirus 8.
Previous Family skin was: Antivirus GT, Antivirus 7, Antivir 2010. It is not the first time this rogue takes real Antivirus names.


The Fake AVG Anti-Virus detects and display fake infections to scare users pushing them into buying a license.

Note: Like you see here, the fake AVG check for a 'empty serial' but you will never see a message for say "Activation failed! Activation code is empty!" simply because in another place, there is a code who check the lenght of the textbox and if the lenght = "0" you cant push the registration button, bug.


For register the application you can use our keygen
Or do it yourself:

~ ASM
.386
.model flat, stdcall
option casemap :none

      include windows.inc
      include user32.inc
      include kernel32.inc
      include C:\masm32\macros\macros.asm
      includelib user32.lib
      includelib kernel32.lib

DlgProc     PROTO   :DWORD,:DWORD,:DWORD,:DWORD
RandomAP    PROTO   :DWORD,:DWORD
RandomN     PROTO   :DWORD,:DWORD

.const
IDD_MAIN        equ 1000
IDB_EXIT            equ 1001
IDC_NAME        equ 1002
IDC_SERIAL      equ 1005
IDB_GENERATE    equ 1006
IDB_ABOUT       equ 1007

.data
Rndm        dd  0
b10         db  "0123456789012345",0
Base26A     db  "ABCDEFGHIJKLMNOP",0
tab             db   "-",0
hc          db  "XYL",0

.data?
hInstance   dd  ?
szSerial    db  100h    dup(?)
szSerial2   db  100h    dup(?)
szFinal db  100h    dup(?)

.code
start:
    invoke  GetModuleHandle, NULL
    mov hInstance, eax
    invoke  DialogBoxParam, hInstance, IDD_MAIN, 0, offset DlgProc, 0
    invoke  ExitProcess, eax

DlgProc proc uses esi edi hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    mov eax,uMsg
    .if eax == WM_INITDIALOG
        invoke  LoadIcon,hInstance,200
        invoke  SendMessage, hWnd, WM_SETICON, 1, eax
    .elseif eax == WM_COMMAND
        mov eax,wParam
        .if eax == IDB_EXIT
            invoke  SendMessage, hWnd, WM_CLOSE, 0, 0
        .elseif eax == IDB_GENERATE

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2            
                invoke lstrcpy,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,3,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr hc
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke SetDlgItemText,hWnd,IDC_SERIAL,addr szFinal
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
                invoke RtlZeroMemory,addr szFinal,sizeof szFinal   

        .endif
    .elseif eax == WM_CLOSE
        invoke  EndDialog, hWnd, 0
    .endif
    xor eax,eax
    ret
DlgProc endp

RandomAP Proc   Length_:DWORD,OutPut:DWORD
    mov ecx,Length_
    mov esi,offset Base26A
    mov edi,OutPut
    .repeat
    invoke  GetTickCount
    add Rndm,eax
    add Rndm,'abcd'
    mov eax,Rndm
    rol Rndm,4
    and eax,0Fh
    mov al,byte ptr [esi+eax]
    stosb
    dec ecx
    .until ecx == 0
    Ret
RandomAP endp

RandomN Proc Length_:DWORD,OutPut:DWORD
    mov ecx,Length_
    mov esi,offset b10
    mov edi,OutPut
    .repeat
    invoke  GetTickCount
    add Rndm,eax
    add Rndm,'abcd'
    mov eax,Rndm
    rol Rndm,4
    and eax,0Fh
    mov al,byte ptr [esi+eax]
    stosb
    dec ecx
    .until ecx == 0
    Ret
RandomN endp
end start

Resource file:
;This Resource Script was generated by WinAsm Studio.

#define IDD_MAIN 1000
#define IDB_EXIT 1001
#define IDC_SERIAL 1005
#define IDB_GENERATE 1006

IDD_MAIN DIALOGEX 10,10,268,19
CAPTION "Fake AVG Keygen"
FONT 8,"Tahoma"
STYLE 0x90c80804
EXSTYLE 0x00000188
BEGIN
    CONTROL "Exit",IDB_EXIT,"Button",0x10010000,220,3,45,13,0x00020000
    CONTROL "Xylitol",IDC_SERIAL,"Edit",0x50010801,3,3,167,13,0x00020000
    CONTROL "Generate",IDB_GENERATE,"Button",0x10010000,173,3,44,13,0x00020000
END

It close applications like keygen, but you can unblock it and open it again.



Then, use MBAM for remove the infection, and if you have some trouble for navigate with your browser, just rename it like "firefox.exe" call it "firefox2.exe"

No comments:

Post a Comment