Friday, 8 July 2011

Trojan.Kardphisher: Fake Windows Activation (wind.exe)



Thanks to Malekal_morte for the sample :)

A warning message claims that your copy of Windows was activated by another user and asks for your billing details to check its authenticity.
Don't be fooled, it's a fake.


If you select the option 'No, I will do it later', nothing happens; you are forced to use the first option.


Once the form is filled in, the data is sent to clubmeup.com, a domain that has absolutely nothing to do with Microsoft.


It also disables cmd, taskmgr, regedit, System Restore, etc.
Once infected, the file is located in %APPDATA% with the name "services.exe".
If you try to terminate this fake Windows Activator, you get a BSoD.


The infection can be removed by booting into Safe Mode.


MD5: 8a5cbfc562c3d6f1384ab46b06e0ddbf
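The indicators above (services.exe dropped in %APPDATA%, the MD5 of the sample, and the locked-out admin tools) can be checked from a PowerShell prompt on a suspect host. The script below is an added triage example, not code from the original post; it assumes the tools are disabled through the usual Windows policy registry values (DisableTaskMgr, DisableRegistryTools, DisableCMD, DisableSR), which the post does not state. It only reports and never terminates the process, since the post notes that doing so triggers a BSoD; removal is done from Safe Mode as described above.

```powershell
# Added triage script (not from the original post). Looks for the indicators
# described in the post: services.exe sitting in %APPDATA% (the legitimate one
# lives in %SystemRoot%\System32), the MD5 quoted in the post, and the policy
# values that disable Task Manager, regedit, cmd and System Restore.
# Assumption: the trojan uses these standard policy values; the post only says
# the tools are disabled.

$KnownMd5 = '8a5cbfc562c3d6f1384ab46b06e0ddbf'   # MD5 from the post

$findings = @()

# 1. Dropped file in %APPDATA%, hashed and compared to the known sample
$dropped = Join-Path $env:APPDATA 'services.exe'
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm MD5).Hash.ToLower()
    $match = if ($hash -eq $KnownMd5) { 'matches the known sample' } else { 'differs from the known sample (possible variant)' }
    $findings += "services.exe present at $dropped, MD5 $hash, $match"
}

# 2. Policy values that would lock out the admin tools named in the post
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';       Tool = 'Task Manager' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Tool = 'regedit' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD';           Tool = 'cmd.exe' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableSR';            Tool = 'System Restore' }
)
foreach ($c in $policyChecks) {
    $val = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($val -and $val.($c.Name) -ne 0) {
        $findings += "$($c.Tool) disabled via $($c.Path)\$($c.Name) = $($val.($c.Name))"
    }
}

# 3. A running services.exe whose image is under %APPDATA% rather than System32.
#    ExecutablePath is empty for the real, protected services.exe, so it is skipped.
Get-CimInstance Win32_Process -Filter "Name = 'services.exe'" |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -like "$env:APPDATA*" } |
    ForEach-Object { $findings += "services.exe running from $($_.ExecutablePath) (PID $($_.ProcessId)) - do not kill it, reboot into Safe Mode" }

if ($findings.Count -eq 0) {
    'No Kardphisher indicators found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { "  - $_" }
}
```

Run it as the user whose profile shows the fake activation screen, since the dropped file and the HKCU policy values live in that user's profile; the HKLM System Restore check needs no elevation to read.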

Related:
Beware of fake banking applications
