Fake Antivirus - UNDETECTED

This is from yesterday's VirusSign samples.

It's an annoying Fake AV; it locks up Task Manager and every program that wants an internet connection.
Under Settings you can choose unprotected startup and close the application, then you can use your computer,
but any program that wants internet is blocked.

It's sitting in AppData\Roaming and in the Temp folder.

Screenshots are attached.

Virustotal: https://www.virustotal.com/en/file/152e1167a3423a5e1c06636a6f30d4f8dfb4d59f2a81a4128f6ceaf10f01cfa3/analysis/1385903785/
Anubis: http://anubis.iseclab.org/?action=result&task_id=11c6cf789105d94a49dc19abd9851bf0c&format=html
Threatexpert report: http://www.threatexpert.com/report.aspx?md5=43119f3965eac39caa0bcb89ad3a1296
File is reported to Avast.

Can you send me that sample? Thanks!

I'm uploading it to Wikisend now.

Will PM you the download link.

Wikisend will not work, so I'm uploading the file to Google Drive now.

Okay. I have it. I need a new VM. God almighty.

Thanks,

Will test and upload it to malwr.com

I will set up a new VM in Virtualbox if there are no problems.

You can take snapshots of the machine under machine>Take snapshot in Virtualbox.
Then you can reset the VM.
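The snapshot-and-reset workflow described above can also be driven from the command line with VBoxManage. The script below is an added example, not code from the thread or from VirtualBox; the VM name "malware-lab", the snapshot name "clean-baseline" and the -TakeBaseline switch are placeholders and assumptions of this example, and it expects VBoxManage to be on PATH.

```powershell
# Added example: reset a VirtualBox analysis VM to a clean snapshot from the command line.
# Assumptions (not from the thread): the VM name 'malware-lab' and snapshot name
# 'clean-baseline' are placeholders; VBoxManage must be on PATH.
param(
    [string]$VmName = 'malware-lab',
    [string]$SnapshotName = 'clean-baseline',
    [switch]$TakeBaseline   # create the baseline snapshot instead of restoring it
)

function Test-Snapshot {
    # In --machinereadable mode VBoxManage prints one SnapshotName="..." line per snapshot
    # (child snapshots appear as SnapshotName-1, SnapshotName-1-1, and so on).
    param([string]$Vm, [string]$Name)
    $list = & VBoxManage snapshot $Vm list --machinereadable 2>$null
    $pattern = "^SnapshotName(-\d+)*=`"$([regex]::Escape($Name))`"$"
    return [bool]($list | Where-Object { $_ -match $pattern })
}

function Reset-AnalysisVm {
    param([string]$Vm, [string]$Name)
    if (-not (Test-Snapshot -Vm $Vm -Name $Name)) {
        throw "Snapshot '$Name' not found on VM '$Vm'. Take it first with -TakeBaseline."
    }
    # A running VM cannot be restored, so power it off first (error ignored if already off).
    & VBoxManage controlvm $Vm poweroff 2>$null
    & VBoxManage snapshot $Vm restore $Name
    if ($LASTEXITCODE -ne 0) { throw "Restore of '$Name' failed (exit code $LASTEXITCODE)" }
    & VBoxManage startvm $Vm --type headless
}

if ($TakeBaseline) {
    # Take the baseline only while the VM is still clean: tools installed, no sample run yet.
    & VBoxManage snapshot $VmName take $SnapshotName --description 'clean baseline before sample'
} else {
    Reset-AnalysisVm -Vm $VmName -Name $SnapshotName
}
```

Run it once with -TakeBaseline on the freshly built VM, then plain after each detonation to get back to the same state; restoring the snapshot discards everything the sample wrote, including the Winlogon and AppData changes discussed later in the thread.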

http://www.youtube.com/watch?v=VFkOgMQgvh8

Look familiar? I’ll check out removal. Will post malwr soon. Sorry

When I saw your pics I was like, "Damn, that looks like something I saw on YouTube. I need to check." It's most likely a variant, except newer and meaner.

Malwr is going list now.

Stupid VM isn't taking the keyboard. Avast! is picking it up, lol.

No problem, Alan.

You have time to do that.

Malwr is up… https://malwr.com/analysis/NzYyOTlmNTM2OGQ2NDM4YWE3YTc3MWUyOTUwNDNkZTM/

Many well-known AVs don't detect it at the moment, including GData, F-Secure and Emsisoft.

https://www.virustotal.com/en/file/152e1167a3423a5e1c06636a6f30d4f8dfb4d59f2a81a4128f6ceaf10f01cfa3/analysis/1385927690/

Malwr missed at least 1 reg key (that I can tell). Might be different OS regedits or something.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell was changed from Explorer to the name in the Roaming folder…

Roaming Folder (Malicious Files/Folders):
Guard-sohj.exe
Results1.db

I'll attach OTL so Essex or Twin can have a look.

Emsisoft would be my choice if I were to move away from Avast.

I don't know at the moment.

So explorer was removed and the malware file inserted with the Winlogon? In this case you could have a boot failure if the Winlogon is not reset.

The Shell was changed. It was changed to an executable in the Roaming folder… making it so the EXE file would be executed and not explorer.

And I think I know what you're trying to get at. Winlogon was reset (at least the Shell was) back to the default explorer…

I'll attach OTL and MBAM.
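The Winlogon Shell hijack discussed in the last few posts is easy to audit from PowerShell. The script below is an added example, not code from the thread or from any of the tools mentioned; it goes slightly beyond the post by checking the machine-wide HKLM Winlogon key as well as the HKCU one named above. The expected default of explorer.exe, the path patterns it flags and the -Restore switch are this example's own assumptions.

```powershell
# Added example: audit (and optionally restore) the Winlogon Shell value that the thread
# describes being pointed at an executable in AppData\Roaming.
# Assumptions (not from the thread): 'explorer.exe' is the expected default, the HKLM key
# is checked in addition to the HKCU key from the post, and -Restore is this script's design.
param(
    [switch]$Restore   # put Shell back to explorer.exe wherever it was changed
)

$ExpectedShell = 'explorer.exe'
$ShellKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-WinlogonShell {
    param([string]$KeyPath)

    $item = Get-ItemProperty -Path $KeyPath -Name Shell -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # HKCU normally carries no Shell value at all; when absent, the HKLM default applies.
        return [pscustomobject]@{ Key = $KeyPath; Shell = $null; Status = 'not set' }
    }

    $value = [string]$item.Shell
    # Anything other than plain explorer.exe is worth a look; a value under the user profile
    # (AppData\Roaming, AppData\Local or a Temp folder) matches what this sample did.
    $status = if ($value -ieq $ExpectedShell) { 'ok' }
              elseif ($value -imatch 'AppData\\(Roaming|Local)|\\Temp\\') { 'HIJACKED (user-profile path)' }
              else { 'suspicious' }

    [pscustomobject]@{ Key = $KeyPath; Shell = $value; Status = $status }
}

$results = foreach ($key in $ShellKeys) { Test-WinlogonShell -KeyPath $key }
$results | Format-Table -AutoSize

if ($Restore) {
    foreach ($r in $results | Where-Object { $_.Status -notin @('ok', 'not set') }) {
        Write-Host "Restoring Shell in $($r.Key) from '$($r.Shell)' to '$ExpectedShell'"
        # Writing explorer.exe is safe for both hives; for HKCU, deleting the value instead
        # would also restore the default behaviour.
        Set-ItemProperty -Path $r.Key -Name Shell -Value $ExpectedShell
    }
}
```

Run it without switches from the infected (or snapshot-restored) VM to see which hive was changed and to what; with -Restore it writes explorer.exe back, which is the manual fix the posts above describe. Restoring HKLM requires an elevated prompt.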

By the way, you can check "boot without protection" in the options.

Then the interface loads up on boot, but if you close it, explorer will start.

Still undetected by Avast.

Another answer: I was having a look at the ThreatExpert report and they saw it… I've attached the screenshot. It explains perfectly what I was trying to say.

Sorry if I miss any "s" as I am on a beat-up school computer and not my regular one. Sorry about that.

Avira is detecting it now as TR/Fraud.Gen8

Here is a video on how you could remove this.

http://www.youtube.com/watch?v=1-TAR3cwFuU&feature=c4-overview&list=UU_M-iWYpQbgo4rK1YfewI5w

Hello, is it possible you MP me the sample please?

I'd like to study this.

Thanks

File is now detected as Adware-Gen.