Saturday 19 March 2011

CleanThis - Fake MSE Alert



CleanThis is a fake security application (a clone of ThinkPoint and Palladium Pro).
The rogue reports fake infections, blocks the execution of legitimate software and displays alert messages to scare users.



According to VirusTotal this sample is detected by just three antivirus engines: https://www.virustotal.com/file-scan/report.html?id=27eb412b15445b87ee8b35e419ce6147b69b4d623d6ce66a7993a331b8a0c708-1300493133

This rogue is located in %appdata% under the name "gog.exe"; if it is not there, look for an executable whose icon is the Windows Genuine logo.

Windows Registry Editor Version 5.00
;Xylibox 19/03/2010 - CleanThis
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-

Open a text file, copy and paste the script above and save the file with a .reg extension.
Run it and reboot: removing the "Shell" value restores the default shell (explorer.exe) so the rogue is no longer started at logon.
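CleanThis persists by replacing the Winlogon "Shell" value, which is why the .reg script above deletes it. The following Python is an added example, not code from the original post: it parses a Shell value the way Windows does (a comma-separated list of programs, each possibly with arguments) and reports every entry that is not the default explorer.exe. The gog.exe path used in the sample values is a constructed illustration of what the post describes; the live read via winreg only works on Windows and is skipped elsewhere.

```python
"""Flag a hijacked Winlogon 'Shell' value (added example, not from the post)."""
import ntpath
import shlex

DEFAULT_SHELL = "explorer.exe"
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_shell_entries(shell_value):
    """Split a Shell value into its individual program entries.

    Windows treats Shell as a comma-separated list; each entry may carry
    command-line arguments after the executable.
    """
    return [part.strip() for part in shell_value.split(",") if part.strip()]


def executable_of(entry):
    """Return the executable of one entry (first token, quotes removed).

    posix=False keeps Windows backslashes intact and honours double quotes
    around paths containing spaces.
    """
    tokens = shlex.split(entry, posix=False)
    return tokens[0].strip('"') if tokens else ""


def suspicious_shell_entries(shell_value):
    """Return the entries whose executable is not explorer.exe.

    Only the file name is compared (case-insensitively), because explorer.exe
    may legitimately appear with or without a full path.
    """
    flagged = []
    for entry in parse_shell_entries(shell_value):
        exe_name = ntpath.basename(executable_of(entry)).lower()
        if exe_name != DEFAULT_SHELL:
            flagged.append(entry)
    return flagged


def read_live_shell_value():
    """Read HKCU Winlogon\\Shell from the registry; None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINLOGON_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
            return value
    except FileNotFoundError:
        # No per-user override: Windows falls back to the machine-wide default.
        return None


# Constructed sample values for offline use (the gog.exe path illustrates the
# %appdata%\gog.exe location described in the post; "victim" is a made-up user).
SAMPLE_CLEAN = "explorer.exe"
SAMPLE_HIJACKED = r"explorer.exe, C:\Users\victim\AppData\Roaming\gog.exe"

if __name__ == "__main__":
    live = read_live_shell_value()
    value = live if live is not None else SAMPLE_HIJACKED
    print(f"Shell = {value}")
    for entry in suspicious_shell_entries(value):
        print(f"  suspicious shell entry: {entry}")
```

A per-user Shell value in HKCU that exists at all is worth a look on a managed workstation, since Windows normally relies on the HKLM default; the rogue only needs the HKCU copy to win because the per-user value takes precedence.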


Note for reverse engineers: how the anti-virtual-machine check works

The sample reads the value of the key HKLM\SYSTEM\ControlSet001\services\Disk\Enum\0.
Under VMware this value is: SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0\4&5fcaafc&0&000

It then enters a subroutine that loops over the words "QEMU", "VMWARE", "VBOX" and "VIRTUAL", testing each one against the grabbed value.

If EAX does not return 0, a virtual machine has been detected: the jump is taken and BL=1.

If the jump is not taken, execution ends up here.
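The check above is simple enough to reproduce, which is useful for a sandbox operator who wants to know whether this sample would notice their analysis VM. The Python below is an added example, not code from the original post: it runs the same substring test over a Disk\Enum\0 string and reports which marker fired. Matching is done case-insensitively; that is an assumption, made because the VMware value quoted above contains "VMware" and "Virtual" in mixed case and still triggers the check. The bare-metal sample value is constructed for illustration and is not a real device ID; the live registry read only works on Windows.

```python
"""Reproduce the CleanThis anti-VM disk check (added example, not from the post)."""

VM_MARKERS = ("QEMU", "VMWARE", "VBOX", "VIRTUAL")
DISK_ENUM_KEY = r"SYSTEM\ControlSet001\services\Disk\Enum"

# Constructed sample values. "vmware" is the string quoted in the post; the
# bare-metal one is made up for illustration and is not a real device ID.
SAMPLE_DISK_ENUM = {
    "vmware": r"SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0\4&5fcaafc&0&000",
    "baremetal_constructed": r"IDE\DiskEXAMPLE_DRIVE_MODEL____\5&1a2b3c4d&0&0.0.0",
}


def matched_marker(disk_enum_value):
    """Return the first VM marker found in the value, or None.

    Mirrors the rogue's loop: one substring test per word, in the order the
    post lists them, stopping at the first hit. Comparison is case-insensitive
    (assumption, see the lead-in).
    """
    haystack = disk_enum_value.upper()
    for marker in VM_MARKERS:
        if marker in haystack:
            return marker
    return None


def vm_detected(disk_enum_value):
    """True when the rogue would set BL=1 and take the 'VM detected' jump."""
    return matched_marker(disk_enum_value) is not None


def read_disk_enum_0():
    """Read Disk\\Enum\\0 from the live registry; None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DISK_ENUM_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "0")
        return value


if __name__ == "__main__":
    live = read_disk_enum_0()
    value = live if live is not None else SAMPLE_DISK_ENUM["vmware"]
    print(f"Disk\\Enum\\0 = {value}")
    marker = matched_marker(value)
    print(f"VM detected via marker {marker}" if marker else "no VM marker found")
```

Note that the Disk\Enum value comes from the virtual disk controller's hardware ID, so it is independent of the guest tools and of any hypervisor-specific process or driver names; that is why this single registry read is enough for the rogue to spot the three common hypervisors it names.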

The last three calls on this path:

0050506A  |. CALL 0050CADC
Creates a registry entry that deletes the malware automatically via cmd

00505072  |. CALL 0050C1D8
Launches a system shutdown

00505048  |. CALL 00405E18
Closes the process

What happens now if you take the jump?

