Saturday 19 March 2011

CleanThis - Fake MSE Alert

CleanThis is a fake security application (and a ThinkPoint, Palladium Pro clone)
The rogue detects fake infections, prevents legit softwares execution, displaying alert messages to scare users.

According to VirusTotal this sample is detected by just three AntiVirus:

This rogue is located in %appdata% with the name "gog.exe" if not, check for a icon who have the windows genuine logo.

Windows Registry Editor Version 5.00
;Xylibox 19/03/2010 - CleanThis
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

Open a txt, copy past the script and save the file with .reg extension.
Run it and reboot.

Note for reverse engineers: How work the Anti-Virtual Machine

Get value of the key: HKLM\SYSTEM\ControlSet001\services\Disk\Enum\0
Value with VMware: SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0\4&5fcaafc&0&000

Enter in a subroutine then in a loop for checks these words: "QEMU" "VMWARE" "VBOX" "VIRTUAL" with the grabbed value

If eax dont return "0" then a virtual machine is detected: you take the jump and BL=1

You will finish here if the jump is not taken

The 3 lasts call: 0050506A  |. CALL 0050CADC
Create a registry entry for delete automatically the malware with cmd

00505072  |. CALL 0050C1D8
Launch a system shutdown

00505048  |. CALL 00405E18
Close the process

What happen now if you take the jump ?

No comments:

Post a Comment