Defense Center - Rogue AV

June 25, 2010

SonicWALL UTM Research team found instances of a new Rogue AV downloader being spammed in the wild with the theme "Statement of Fees". The e-mail contains the downloader file inside the zip attachment.

Below is a sample e-mail:

Email Campaign - Statement of Fees

Subject: Statement of fees 2010

Attachment: Statement_of_Fees_2010.DOC.zip (contains Statement_of_Fees_2010.DOC.exe)

Email Body:
------------------------
Please find attached a statement of fees as
requested, this will be posted today.
The accomodation is dealt with by another
section and I have passed your request on to them
today

Kind regards.
{email sender}
------------------------

The e-mail message looks like below:

    screenshot

The malicious executable file inside the zip attachment disguises itself as a document file by using a Microsoft Word icon:

screenshot
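The lure relies on a zip attachment whose member has a document-looking double extension (Statement_of_Fees_2010.DOC.exe) but carries a Windows executable. The following is an added example, not code from the original alert or from SonicWALL, of the kind of check a mail gateway or triage script can apply to such an attachment: it opens the zip, looks at each member's extension chain and its first bytes, and reports why a member looks like a disguised executable. The zip it inspects is constructed in the block itself (a fake member starting with the "MZ" PE signature, not a real program); the extension lists are an assumed policy, not something taken from the page.

```python
import io
import posixpath
import zipfile

# Assumed policy lists (not from the original alert): extensions that run as
# code when double-clicked on Windows, and extensions users expect on documents.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons a zip member looks like a disguised executable (empty = clean)."""
    reasons = []
    base = posixpath.basename(name).lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        # Something like NAME.DOC.exe: a document extension right before the real one.
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension .{parts[-2]}{ext} mimics a document")
    # A Windows PE file starts with the 'MZ' DOS header whatever its name says.
    if head[:2] == b"MZ":
        reasons.append("content has MZ (PE) header")
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append("PE content under a non-executable extension")
    return reasons


def inspect_zip_attachment(data: bytes) -> dict:
    """Map each file member of the zip to its list of findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed for the PE check
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def should_block(findings: dict) -> bool:
    """Block the message if any member produced at least one finding."""
    return any(findings.values())


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the spammed zip (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # 'MZ' followed by filler bytes: carries the PE signature, but is not a program.
        zf.writestr("Statement_of_Fees_2010.DOC.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("notes.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_zip_attachment(build_sample_attachment())
    for member, reasons in result.items():
        print(member, "->", reasons or "clean")
    print("block message:", should_block(result))
```

Checking the content signature as well as the name matters: renaming the member to a harmless extension would defeat a name-only rule, while a PE header under a document extension is itself a reason to hold the message.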

Once the user runs the executable file, the Trojan will download and install the Rogue AV from the following URLs:

  • http://(REMOVED)fic.com/ms04/ad
  • http://(REMOVED)can.com/ms04/ad
  • http://(REMOVED)kol.com/ms04/ad

Prior to downloading the Rogue AV, it first performs the following system activities:

  • To ensure that only one instance of this downloader runs in memory, it creates a mutex: AAB647AB-4C1A-4cf0-9DE5-DD056FABF1F9
  • Adds the following in the registry:
    Key: [HKEY_CURRENT_USER\Printers\Connections]
    Data: "subid"="landing"
    Data: "affid"="396"
  • Creates the file _favdata.dat in the Documents and Settings\All Users\Favorites folder with the following content:
    386
    landing
  • Verifies that the location of the user is not in the following list before continuing its installation:
    - Azerbaijan
    - Belarus
    - Czech Republic
    - Kazakhstan
    - Kyrgyzstan
    - Poland
    - Russia
    - Ukraine
    - Uzbekistan

Rogue AV Installation

    screenshot

    screenshot

    screenshot

Files Added:

  • (Temp)\wscsvc32.exe - GAV: Conficker.gen (Worm)
  • (Temp)\autmgr32.exe - GAV: Tibs.JF (Trojan)
  • (Program Files)\Defense Center
  • (Program Files)\Defense Center\defcnt.exe - GAV: Conficker.gen (Worm)
  • (Program Files)\Defense Center\defext.dll - GAV: Conficker.gen (Worm)
  • (Program Files)\Defense Center\defhook.dll - GAV: Conficker.gen (Worm)
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\About.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Activate.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Buy.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Defense Center Support.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Defense Center.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Scan.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Settings.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Update.lnk

Registries Added:

  Auto Startup Entry
  • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Defense Center
    Data: ""C:\Program Files\Defense Center\defcnt.exe" -noscan"

  Disables Task Manager
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value: DisableTaskMgr
    Data: dword:00000001
  • Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value: DisableTaskMgr
    Data: dword:00000001

  Shell Spawning
  • Key: HKEY_CLASSES_ROOT\.exe\shell\open\command
    Value: @
    Data: "autmgr32.exe /START "%1" %*"
  • Key: HKEY_CLASSES_ROOT\secfile\shell\open\command
    Value: @
    Data: "autmgr32.exe /START "%1" %*"

Registries Modified:

  • Key: HKEY_CLASSES_ROOT\.exe
    Value: @
    Original Data: "exefile"
    New Data: "secfile"
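The registry changes above are what make this family hard to clean by hand: the default value of HKEY_CLASSES_ROOT\.exe is repointed from "exefile" to "secfile", whose shell\open\command runs the dropped autmgr32.exe before every program the user launches, Task Manager is disabled by policy, and a Run entry restarts defcnt.exe at logon. The block below is an added example, not code from the alert or from SonicWALL, of a small triage tool that parses a .reg export of those hives and reports each of these conditions. The .reg text it analyses is constructed inline to mirror the entries listed above; the parser assumes the export uses full hive names (HKEY_CURRENT_USER rather than HKCU) and only handles string and dword values, which is enough for these keys.

```python
import re


def _unescape(s: str) -> str:
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path_lowercased: {value_name: data}}.
    '@' is the key's default value; dword values become ints, strings are unescaped.
    Key paths are lowercased because the registry is case-insensitive."""
    reg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data  # other types (hex:, expandable strings) are kept raw
        reg[current][name] = value
    return reg


def _value(reg: dict, key: str, name: str):
    return reg.get(key.lower(), {}).get(name)


def analyze(reg: dict) -> list:
    """Return human-readable findings for the three persistence tricks described above."""
    findings = []
    # 1. .exe association hijack: anything other than 'exefile' means every launch is proxied.
    exe_assoc = _value(reg, "HKEY_CLASSES_ROOT\\.exe", "@")
    if exe_assoc is not None and exe_assoc.lower() != "exefile":
        cmd_key = "HKEY_CLASSES_ROOT\\" + exe_assoc + "\\shell\\open\\command"
        cmd = _value(reg, cmd_key, "@") or "<command key not in export>"
        findings.append(f".exe association redirected to '{exe_assoc}'; "
                        f"every program launch now runs: {cmd}")
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        # 2. Task Manager disabled by policy in either hive.
        policy = hive + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
        if _value(reg, policy, "DisableTaskMgr") == 1:
            findings.append(f"Task Manager disabled by policy under {hive}")
        # 3. Autostart entries: listed for review rather than judged, since Run
        #    holds legitimate software too.
        run = reg.get((hive + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run").lower(), {})
        for name, cmd in run.items():
            findings.append(f"autostart entry '{name}' under {hive} runs: {cmd}")
    return findings


# Constructed .reg export mirroring the entries listed in the alert (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="secfile"

[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="autmgr32.exe /START \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Defense Center"="\"C:\\Program Files\\Defense Center\\defcnt.exe\" -noscan"
'''

# Constructed export of a machine with the stock .exe association, for comparison.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
'''

if __name__ == "__main__":
    for label, text in (("infected", SAMPLE_REG), ("clean", CLEAN_REG)):
        print(f"== {label} ==")
        for finding in analyze(parse_reg(text)) or ["no findings"]:
            print(" -", finding)
```

The order of repair follows from the findings: the .exe association must be restored to "exefile" before the dropped executable is deleted, otherwise every .exe launched afterwards (including cleanup tools) fails because the shell\open\command handler no longer exists.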

After installation, the Rogue AV pretends to perform a full system scan for malware infections. At the end of the scan it displays fake results indicating that the system is infected:

      screenshot

Once the user clicks the button to remove the threats, it prompts for product activation, which redirects the user to its payment portal.

      screenshot

      screenshot

SonicWALL Gateway AntiVirus provides protection against these spammed Rogue AV variants via the following signatures:

  • GAV: TDSS.BHKV (Trojan) - (6,204 hits)
  • GAV: Tibs.JF (Trojan)
  • GAV: Tdss.BEEA_2 (Trojan)
  • GAV: Conficker.gen (Worm)

    screenshot