Sunday 6 February 2011

Windows Problems Protector

According to S!Ri
Windows Problems Protector is a fake security application from the same family as: Windows Problems Remover, Windows Health Center, Windows Shield Center, Windows Antispyware Solution, Windows Risk Eliminator, Windows Universal Tool, Windows Utility Tool, Windows Security & Control, Windows Optimization & Security, Windows System Optimizator, Windows Optimization Center, Privacy Corrector, Privacy Guard 2010.
This rogue displays fake warning messages pushing users to buy a license.

The rogue is dropped into %APPDATA%

Windows Problems Protector prevents the execution of software such as browsers and other legitimate tools like Process Explorer.
To run a blocked file, rename it to mshta.exe, then try again.
To register it (and help with removal) you can use our patch... or make your own:

; 32-bit Win32 MASM source (stdcall). The whole patch is a single procedure
; that rewrites a handful of bytes inside the running rogue's process.
.486 ;Only 2,50 Kb :þ
.model flat,stdcall
option casemap:none                     ; case-sensitive identifiers, needed for the Win32 API names


; uselib <name>: pull in the import library for a Win32 DLL.
; NOTE(review): no ENDM is visible after the macro body, and no
; "include <name>.inc" for the API prototypes that invoke needs -
; presumably lost when the listing was pasted; confirm against the
; original source before assembling.
uselib  MACRO   libname
    includelib  libname.lib

uselib  user32                          ; FindWindow, GetWindowThreadProcessId, MessageBox
uselib  kernel32                        ; OpenProcess, VirtualProtectEx, WriteProcessMemory, CloseHandle, Beep, ExitProcess


; Message strings (French identifiers: Titre = title, Trouver = found,
; PasTrouver = not found).
Titre       db "Windows Problems Protector patch", 0
PasTrouver  db "There is no thread called",13,10,"help",0
Trouver     db "Full of win",13,10,"Enter any serial like 1111-1111-1111-1111 And enjoy",0
szFileName  db "help",0                 ; window title FindWindow searches for (class name is NULL)

;====== Patching
; One entry per patch site: fixed virtual address inside the rogue's
; image, the replacement bytes, and how many bytes are written.
; The trailing comment on each ReplaceBy line records the original
; opcode bytes / instruction at that address.
; NOTE(review): addresses are hard-coded for one specific build of the
; rogue; there is no version or byte check before writing, so a
; different build would be patched at the wrong place.
AddressToPatch1 dd 0411288h ;0x0411288
; NOTE(review): 0x411288 + 2 + 0x47 = 0x4112D1, so the target quoted in
; the comment below (00411025) does not match the rel8 displacement.
ReplaceBy1 db 0EBh,047h ;75 47 JNZ SHORT 00411025 -> To JMP
ReplaceSize1 dd 2 ;2 bytes changed
AddressToPatch2 dd 04112D4h ;0x04112D4
ReplaceBy2 db 090h,090h,090h,090h,090h,090h ;0F85 03030000 JNZ 004115DD
ReplaceSize2 dd 6 ;6 bytes changed
AddressToPatch3 dd 04112DDh ;0x04112DD
ReplaceBy3 db 090h,090h,090h,090h,090h,090h ;0F85 FA020000 JNZ 004115DD
ReplaceSize3 dd 6 ;6 bytes changed
AddressToPatch4 dd 04112EAh ;0x04112EA
ReplaceBy4 db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 004115DD
ReplaceSize4 dd 6 ;6 bytes changed
AddressToPatch5 dd 04112F7h ;0x04112F7
; NOTE(review): the comment below looks copied from entry 4 - from
; 0x4112F7 a rel32 of 0x2ED lands at 0x4115EA, not 0x4115DD.
ReplaceBy5 db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 004115DD
ReplaceSize5 dd 6 ;6 bytes changed
AddressToPatch6 dd 0411333h ;0x0411333
ReplaceBy6 db 090h,090h ;7C 05 JL SHORT 0041133A
ReplaceSize6 dd 2 ;2 bytes changed
AddressToPatch7 dd 0411338h ;0x0411338
ReplaceBy7 db 0EBh,047h ;7E 47 JLE SHORT 00411381 -> To JMP
ReplaceSize7 dd 2 ;2 bytes changed

PID         dd ?                        ; filled by GetWindowThreadProcessId with the rogue's process id

;-----------------------------------------------------------------------
; rogue - find the running rogue by its window title, overwrite the
;         patch sites listed above inside its address space, report.
; ABI:   stdcall (Win32). Declared with WndProc-style parameters
;        (hWin, uMsg, wParam, lParam) but none of them is read.
; Out:   never returns - ends in ExitProcess.
; Clobb: eax, ebx. ebx is callee-saved under stdcall and is not
;        preserved; harmless only because the proc never returns.
; NOTE(review): no .Else / .EndIf is visible for the .If below, so as
; listed the success path falls through to the Beep and the
; "not found" message box before exiting - likely lost in the paste.
;-----------------------------------------------------------------------
rogue proc hWin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
            ; eax = HWND of the top-level window titled "help", or NULL
            invoke FindWindow, NULL, offset szFileName
            .If eax != NULL
                mov ebx, eax            ; ebx = hwnd
                ; PID = id of the process owning the window
                Invoke GetWindowThreadProcessId, ebx, offset PID
                ; eax = process handle; NOTE(review): a NULL result
                ; (e.g. access denied) is not checked, so the writes
                ; below would fail silently and the "found" box still show.
                Invoke OpenProcess, PROCESS_ALL_ACCESS,NULL, PID
                mov ebx, eax            ; ebx = hProcess (hwnd no longer needed)
                            ; NOTE(review): every VirtualProtectEx call
                            ; passes a size of 2 (entries 2-5 write 6
                            ; bytes) and 00 for lpflOldProtect, which
                            ; the API requires to be a valid pointer; the
                            ; protection changes therefore presumably
                            ; fail and the writes rely on
                            ; WriteProcessMemory alone - confirm.
                            Invoke VirtualProtectEx, ebx, AddressToPatch1, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch1, offset ReplaceBy1, ReplaceSize1, NULL

                            Invoke VirtualProtectEx, ebx, AddressToPatch2, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch2, offset ReplaceBy2, ReplaceSize2, NULL

                            Invoke VirtualProtectEx, ebx, AddressToPatch3, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch3, offset ReplaceBy3, ReplaceSize3, NULL 

                            Invoke VirtualProtectEx, ebx, AddressToPatch4, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch4, offset ReplaceBy4, ReplaceSize4, NULL

                            Invoke VirtualProtectEx, ebx, AddressToPatch5, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch5, offset ReplaceBy5, ReplaceSize5, NULL

                            Invoke VirtualProtectEx, ebx, AddressToPatch6, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch6, offset ReplaceBy6, ReplaceSize6, NULL

                            Invoke VirtualProtectEx, ebx, AddressToPatch7, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch7, offset ReplaceBy7, ReplaceSize7, NULL 
                        ; return values of the writes are not checked
                        Invoke CloseHandle, ebx
                        invoke MessageBox, NULL, addr Trouver, addr Titre, MB_ICONINFORMATION
                ; "window not found" path (see NOTE in the header about fall-through)
                invoke Beep,100,30 ;lol
                invoke MessageBox, NULL, addr PasTrouver, addr Titre, MB_ICONEXCLAMATION
                invoke ExitProcess,0
rogue endp
  ; NOTE(review): "start" is not defined anywhere in this listing -
  ; expected a start: label (or "end rogue"); probably lost in the paste.
  end start

Once registered, applications are no longer blocked.

