Friday 8 July 2011

Trojan.Kardphisher: Fake Windows Activation (wind.exe)

Thanks to Malekal_morte for the sample :)

A warning message, who says your copy of Windows was activated by another user and ask your billing details to check the authenticity.
Don't be fooled, it's a fake.

If you select the option 'No, I will do it later' nothing happend, you are forced to use the first option.

Once filled, datas are sent to, a domain who have absolutely nothing in common with Microsoft.

 It deactivate also cmd, taskmgr, regedit, the system restore etc..
Once infected the file is located in %APPDATA% with the name "services.exe"
 If you try to terminate this fake Windows Activator you get a BSoD

 Infection can be removed by booting in Safe Mode.

MD5: 8a5cbfc562c3d6f1384ab46b06e0ddbf

Beware of fake banking applications

No comments:

Post a Comment