Hi Tech,
It is rogue AV scanner galore now:
There is a new kid on the block, called ThreatNuker.
Anyone who wants to block the ThreatNuker CLSIDs can do so for the following controls:
(Source: Symantec)
HKEY_CLASSES_ROOT\CLSID\{1334158E-0314-405F-84E2-504815415812}
HKEY_CLASSES_ROOT\CLSID\{9A1D3451-03D2-AADD-034E-35D42B5B1B27}
Anyone who has SpywareBlaster can also block these CLSIDs. To do so, start SpywareBlaster, go to Tools, then Custom Blocking. Click Add Item, enter the name of this malware and click OK.
Now copy and paste in the following CLSIDs (the {} and the zeros in between are already given; you can remove these):
{1334158E-0314-405F-84E2-504815415812}
{9A1D3451-03D2-AADD-034E-35D42B5B1B27}
Check the new items, then click the button Protect Against Checked Items. The red text of the new items will turn black; that tells you these controls are disabled, so ThreatNuker can no longer be silently installed. Until AV vendors come up with new signatures against this malware, blocking these CLSIDs is a good option for the time being.
And why oh why?
This is no great surprise, because it is a fake NOD (and a couple of other scanners) going around as malware, so the real ones will not flag them (Kaspersky's, for instance…).
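As an added example that is not part of the original post: the same blocking can be scripted directly in PowerShell by setting the Internet Explorer ActiveX kill bit (the Compatibility Flags DWORD value 0x400 under the ActiveX Compatibility key) for the two CLSIDs listed above, which is the registry mechanism SpywareBlaster's Custom Blocking relies on. The function names and the choice to also write the Wow6432Node branch on 64-bit Windows are my assumptions; the CLSIDs are the ones from the Symantec write-up above.

```powershell
# Added example (not from the original post): set the IE ActiveX "kill bit" for
# the two ThreatNuker CLSIDs, so the controls can no longer be instantiated by
# Internet Explorer. Run from an elevated PowerShell prompt.

$Clsids = @(
    '{1334158E-0314-405F-84E2-504815415812}',
    '{9A1D3451-03D2-AADD-034E-35D42B5B1B27}'
)
$KillBit = 0x400   # Compatibility Flags bit documented by Microsoft as the kill bit

# On 64-bit Windows the 32-bit IE reads the Wow6432Node branch as well (assumption:
# we want both browsers covered, so both branches are written).
$Bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    $Bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Test-KillBit {
    # Returns $true when the kill bit is already set for this CLSID under $Base.
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

function Set-KillBit {
    # Creates the per-CLSID key if needed and ORs the kill bit into Compatibility Flags,
    # preserving any other flag bits that may already be set on the control.
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($existing -bor $KillBit)
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($base in $Bases) {
    foreach ($clsid in $Clsids) {
        if (Test-KillBit -Base $base -Clsid $clsid) {
            Write-Output "already blocked: $clsid under $base"
        } else {
            Set-KillBit -Base $base -Clsid $clsid
            Write-Output "kill bit set:    $clsid under $base"
        }
    }
}
```

Running the script a second time reports "already blocked" for each entry, which is also a quick way to audit a machine after SpywareBlaster has been used: Test-KillBit alone, without Set-KillBit, tells you whether the protection is in place.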
Analysis:
ThreatNuker uses: Nullsoft PiMP Stub [Nullsoft PiMP SFX]
Crypto: a single DWORD ("polynomial") used to compute CRC32
ASCII Strings: hxxp://pastebin.com/d7534e48a
Striking piece of code:
xe....open....KERNEL32.dll....GetDiskFreeSpaceExA.%u.%u%s%s...\*.*.....[..[Rename]....\wininit.ini....%s=%s...MoveFileExA.%d..C:\Program Files....ProgramFilesDir.Software\Microsoft\Windows\CurrentVersion...CommonFilesDir..\Microsoft\Internet Explorer\Quick
Well, the file is encrypted by all means; try hexing the installer of this piece of sh^t3…
See removal instructions in the attached txt file.
pol