Fake Desktop Utilities on the rise
SonicWALL UTM Research team has observed a rise in fake desktop utility malware in the wild. A new fake windows recovery malware is making the rounds through drive-by downloads. We have observed other variants before but this variant employs some new tactics such as disabling the task manager, hiding user programs and files by modifying file attributes, hiding start menu items and disabling multiple operating system features.
As seen in the past with other fake utilities, it attempts to scare the user with fake errors and tries to convince the user to buy the product in order to fix those errors. It uses a fake icon and file name to masquerade as a legitimate file as seen below:
It performs the following activities:
- It creates a copy of itself in the following location
- It reports new infection to a remote server
- GET /404.php?type=stats&affid=508&subid=new02&awok HTTP/1.1
- It creates the following registry entry to ensure infection on reboot
- It executes the following commands in the background to modify the file attributes to be hidden
- attrib +h "C:DocumentsandSettingsAllUsersStartMenu*.*"
- attrib +h "C:DocumentsandSettingsAdministrator*.*"
- attrib +h "C:*.*"
- It moves contents of start menu from "All UsersStart MenuPrograms" to "%Temp%smtmp1"
- It modifies the following registry values to disable various features
- Disables the task manager
- Disables viewing of protected operating system files
- Disables viewing of hidden files
- Hides desktop icons
- Disables warning for downloaded software from untrusted publishers
- Disables preservation of zone information in downloaded and attached files
Here are some screenshots of the fake utility in action:
It generates fake warnings:
It simulates a scan and displays fake error messages:
If the user proceeds to buy the advanced module it displays the following screen asking for credit card and personal information:
SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:
- GAV: FakeSysdef (Trojan)
- GAV: FakeSysdef.A (Trojan)
- GAV: Fakesysdef.BDA (Trojan)
- GAV: Fakesysdef.BDB (Trojan)
- GAV: Fakesysdef.BDC (Trojan)
- GAV: Fakesysdef.BDD_2 (Trojan)
- GAV: Fakesysdef.BDE (Trojan)
- GAV: Dapato.AR (Trojan)
- GAV: Dapato.D (Trojan)