Hmm.. want to try some virus tester??

;D ;D ;D

DO NOT run this simulator if:

You think “the registry” refers to bridal gifts.
You do not own the computer you are planning to install it on.
You do not mind reformatting the machine you are installing it on (in case it crashes).
You think “ReadMe” files are pointless and never read them.

;D ;D ;D ;D


Too dangerous if the removal (uninstall) fails… this is playing with fire… I do not recommend.

I’m testing it right now… (not in my own computer… in the internet cafe) PLAY SAFE… ;D ;D

Hmm… Avast! scan is running…

found 1 virus atm…

;D

Technical Details

Once the DFK Threat Simulator v2 - iPod-commercial.exe - is executed it displays a “Loading” Flash file, secretly drops five files into the %temp% directory (projector.exe, xmlscript.exe, frmsystem.exe, winllogon.exe, and playmovie.exe) and runs projector.exe.

projector.exe disables the most common HIPS, antitrojan, and antivirus products (using xmlscript.exe, if necessary) and replaces them, if possible, with frmsystem.exe. Next, it runs winllogon.exe and then playmovie.exe.

xmlscript.exe is a disguised version of a freeware keystroke/mouse automation program that has no affiliation with the author or this simulator.

frmsystem.exe creates a password-protected user called “DFKTS”. The password is “0wn3d” and the account is set to expire 1 day after creation.

winllogon.exe attempts to disable or shut down the following security products: (v2) AbuseShield, Ad-Aware, Antispy, BlackLight, CheckIt Firewall, Core Force, DarkSpy, DefencePlus, DefenseWall, EMCO Malware Destroyer, Filseclab Twister, Fireball CyberProtection Suite, Foundstone Vision, GeSWall, GhostWall, Ghost Security Suite (AppDefend & RegDefend), GMER, HiddenFinder, Hook Explorer, IceSword, Injoy Firewall, Lavasoft Personal Firewall, Neoava, NetVeda Safety.Net, Norman Personal Firewall, Online Armor, OSsurance Desktop, pcInternet Patrol, PortsLock Firewall, Prevx1, Process Lasso, Process Master, Prisma Firewall, Rootkit Hook Analyzer, SensiveGuard, SocketShield, SoftClan Integrity 2005, Spinach Antispyware, Spyware BeGone!, SurfSecret Personal Firewall, TaskInfo, TermiNET, The All-Seeing Eye, Trend Micro Antispyware, Trend Micro Personal Firewall, Trustix AntiVirus, Wanadoo PC Firewall, Webroot Desktop Firewall, Webroot Spy Sweeper, Windows Defender, WinShark - (v1 & v2) - 3B Personal Firewall Pro, 8Signs Firewall, Abacre Antivirus, Absolute Startup from F-Group Software, Abtrusion Protector, Acceleration Software AV, Ad-Aware Checker, Agnitum Outpost Free, Agnitum Outpost Pro, AhnLab Antivirus, AlertWall Personal Firewall, Aluria Software Security Center, Anti Trojan Elite, Anti Trojan Shield 2, Antidote SuperLite, AntiHook, Anti-keylogger, AntiSpy firewall, Anti-spyware from Dell, Anti-Trojan, AntiVir AV, AntiViral Toolkit Pro, AntiVirenKit, Anti-Virus & Trojan, AntiVirus ExPert 2000 (AVX), Antiy Ghostbusters, ANTS, AnVir, AOL Spyware Protection, ArcaVir AV, Armor2net Personal Firewall, a-squared Personal, AT AVS, AtGuard, avast!4 Home Edition, avast!4 Professional Edition, AVERT Stinger, AVG, AVG Free, Bazooka Adware and Spyware Scanner, BHODemon, BitDefender AV, BitDefender firewall, BitGuard Firewall, BlackICE, BOClean, BPS Spyware & Adware Remover, BullGuard, Caddais BackupOnDemand, CheckIt Toolbox from WinCheckIt Diagnostic Software, Cheyenne AntiVirus, ClamWin, ComCast Internet software suite, Command AV, ConfigSafe, ConSeal PC Firewall, CounterSpy by Sunbelt Software, CWShredder, CyberScrub AV, Deerfield Personal Firewall, Doctor Solomon AVS, Dr.Web AV, DumpWin, DynaComm i:scan, Earthlink Spy Audit, Enigma FireWall, eSafe AV, eScan, eScan Free, eScorcher AntiVirus version 1.7, Ethereal, eTrust EZ AntiVirus, eTrust Firewall, ewido security suite, eXtendia AntiVirus AVK, Find Hidden Service (aka FHS), Flister, F-Prot Antivirus, Freedom AVS, FRITZ!webProtect, F-Secure Anti-Spyware, F-Secure AV, F-Secure BlackLight Console, G-Data AntiVirenKit, GData Firewall, German Process Viewer, Giant/Microsoft Antispyware, Greatis Software’s RegRun 3 Security Suite, Hacker Eliminator, HackerSmacker, Hauri ViRobot AV, HijackThis, IceSword, Ikarus, InoculateIT Personal Edition, Integrity Master, InVircible, IParmor, Jetico Personal Firewall, Kaspersky, Kaspersky Anti Hacker 1.0, Kerio Firewall, Kernel PS, Kernel SC, KillBox, Klister, KProcCheck, Lavasoft Ad-aware Plus, LockDown Free, Lockdown Pro, Look N’ Stop firewall, MailDefense Standard 3.0, Malicious Software Removal Tool (Microsoft), McAfee AntiSpyware, McAfee AV, McAfee firewall, McAfee Internet Security, Mike Lin’s StartupMonitor, MJ Registry Watcher, MkS_Vir, modGREPER, MoniDir, myNetWatchman, neolog, Net Barrier firewall, Net Protect, NOD32 AV, Norman AV, Norton AntiVirus, Norton firewall, Norton Internet Security (NIS), Norton Uninstall Deluxe, Omniquad AntiSpy, Omniquad Personal Firewall, Ontrack AV, OSsurance, Panda Antivirus, Patchfinder2, PC DoorGuard, PC Security from Tropical Software, PC-Cillin AV, PC-Cillin personal firewall, PER Antivirus, PestPatrol, PreEmpt, Prevx, Primedius Firewall, Private Firewall 3, Process Explorer, Process Guard by DiamondCS, Process Magic by WinEggDrop, Protector 2000 Plus, Protector Plus Antivirus Software, Quarterdeck/Norton CleanSweep, Quick Heal, Qwik-Fix Pro, RAV, RegdatXP, RegDefend, RegFreeze anti-spyware, Registry Firewall, Registry Watch, RegistryProt by DiamondCS, RegSeeker, R-Firewall, RKDetector, RootKit Shark, RootkitRevealer, SafenSec, SafePC, Samurai, SBABR, SecuriTask, Softperfect Personal Firewall, Solo antivirus, Sophos AV, Sphinx, Spy X, Spybot Search & Destroy, SpyFlush, SpyHunter, SpySweeper, Spyware Doctor, Spyware X-terminator Control Center, SpywareGuard, Steganos Online Shield, Steganos Security Suite, SuperAdBlocker, SwatIt, Sygate Personal Firewall, Sygate Personal Firewall Pro, System Safety Monitor, System Spyware Interrogator (SSI), Task Manager, Task Monitor, TaskInfo, Tauscan, TDS, Tenebril SpyCatcher, Tenebril SpyCatcher Express, T-FAK Trojan Remover, TGB::Judy! Firewall, The Cleaner, Tiny Personal Firewall, Trend Micro Anti-Spyware, Trend Micro AV, Trojan Guarder, Trojan Remover, Trojan Scan Engine, TrojanCheck 6, TrojanHunter, TZ Personal Firewall, UnHackMe, VBuster, Vexira Antivirus, VICE, Viguard, ViRobot Expert, VirusBuster, VirusMD Personal Firewall, VirusNet PC, VisNetic AntiVirus & Firewall, Websense anti-spyware, Wild File GoBack, Windows Error Reporting, WinGate, WinPatrol, WinRoute, WinRoute Pro, WinTasks, WinXP Firewall, Worm Detector, WyvernWorks Firewall, X-Cleaner, Xeon Firewall, Xintegrity, XoftSpy antispyware, X-RayPC, ZeroSpyware, ZoneAlarm Free, ZoneAlarm Pro, and more…

playmovie.exe (sfx compressed file) contains the DFK Threat Simulator v2’s payload. Aside from the aforementioned files, the payload includes: Vanquish rootkit (vanquish.exe & vanquish.dll), Windows denial of service exploit (Win32e.exe), QuickTime denial of service exploit (Win32e.mov), Nopey trojan (Win32t.exe), Eicar test virus (Win32v.com), WhenU spyware (Win32s.exe), an alternate data stream (Eicar attached to calc.exe), Thermite leaktest (Win32l.exe), SpyEx 1.0 keylogger (Win32k.exe). Third party tools not affiliated with the simulator include: ElSave (elsave.exe).

To reduce coding complexity, the DFK Threat Simulator v2 will not run on Windows 3.1, 95, 98, or Me and requires an account with Administrator or Power User rights. The payload is extracted to a folder called “Vanquish Media Inc” in the %ProgramFiles% directory with hidden/system attributes. Once the payload has been extracted, runtime.exe within the folder is executed.

An infection flag is created in “Software\Microsoft\Windows\CurrentVersion\Explorer” called “DWORD FLAG GUID 2234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012” with a value of 1. This is to prevent multiple instances of the DFK Threat Simulator v2 from running.
Note: This value may be hidden due to a registry weakness.

Balloon Tips are disabled.

The “Software\Microsoft\Security Center” DWORD values “AntiVirusDisableNotify”, “FirewallDisableNotify”, “UpdatesDisableNotify” are set to 1.

The payload described in the playmovie.exe section above is executed.

Event Logs are cleared.
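The Technical Details above amount to a list of host indicators: three Security Center “DisableNotify” values set to 1, an overlong DWORD name under the Explorer key, a local account named DFKTS, a hidden “Vanquish Media Inc” folder under %ProgramFiles%, five droppers in %temp%, and a cleared Security log. The following is an added example, written for this page and not taken from the thread or from the simulator’s author: a read-only PowerShell audit that checks a test machine for each of those indicators, for instance after running the remover. It assumes Windows PowerShell 5.1 or later (for Get-LocalUser and Get-WinEvent), an elevated prompt, and, because the readme names no hive for the Explorer key, it looks under both HKCU and HKLM. The function name Get-DfkIndicators and the choice of event ID 1102 for the log-cleared check are this example’s own.

```powershell
# Added example, not code from the thread or from the simulator's author.
# Read-only audit for the indicators the readme above describes.
# Assumptions: Windows PowerShell 5.1+ (Get-LocalUser, Get-WinEvent), run elevated,
# and that the Explorer flag may sit under either HKCU or HKLM.

function Get-DfkIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Security Center notification switches forced to 1.
    $scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $scProps = Get-ItemProperty -Path $scKey -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        if ($scProps -and $scProps.$name -eq 1) {
            $findings.Add("Security Center: $name = 1")
        }
    }

    # 2. Infection flag: a DWORD whose name starts "DWORD FLAG GUID " followed by
    #    hundreds of digits. A name that long is the "registry weakness" the readme
    #    alludes to (regedit does not display it), so enumerate raw value names from
    #    the RegistryKey object rather than relying on a property listing.
    foreach ($hive in 'HKCU', 'HKLM') {
        $keyPath = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Explorer"
        $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($vn in $key.GetValueNames()) {
                if ($vn.StartsWith('DWORD FLAG GUID ') -and $key.GetValue($vn) -eq 1) {
                    $findings.Add("Infection flag under $hive Explorer key (name length $($vn.Length))")
                }
            }
        }
    }

    # 3. The temporary account the readme says frmsystem.exe creates.
    $user = Get-LocalUser -Name 'DFKTS' -ErrorAction SilentlyContinue
    if ($user) {
        $findings.Add("Local account DFKTS present (expires: $($user.AccountExpires))")
    }

    # 4. Payload folder with hidden/system attributes under %ProgramFiles%.
    #    -Force is needed so Get-Item returns hidden/system directories.
    $payloadDir = Join-Path $env:ProgramFiles 'Vanquish Media Inc'
    $dir = Get-Item -LiteralPath $payloadDir -Force -ErrorAction SilentlyContinue
    if ($dir) {
        $findings.Add("Payload folder present: $payloadDir [$($dir.Attributes)]")
    }

    # 5. Dropper files left in %TEMP%.
    foreach ($f in 'projector.exe', 'xmlscript.exe', 'frmsystem.exe', 'winllogon.exe', 'playmovie.exe') {
        if (Test-Path -LiteralPath (Join-Path $env:TEMP $f)) {
            $findings.Add("Dropped file in TEMP: $f")
        }
    }

    # 6. Evidence that the Security log was cleared. Clearing the log leaves
    #    event 1102 (Vista and later; 517 on XP/2003) as the first entry of the
    #    fresh log, so the wipe itself is visible even though the history is gone.
    $cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($cleared) {
        $findings.Add("Security log cleared at $($cleared.TimeCreated)")
    }

    return $findings.ToArray()
}

$hits = @(Get-DfkIndicators)
if ($hits.Count -eq 0) {
    'No DFK Threat Simulator indicators found.'
} else {
    $hits | ForEach-Object { "[!] $_" }
}
```

The value-name check is the one worth noting: a listing with Get-ItemProperty or regedit can miss the flag, which is exactly why the readme warns that it “may be hidden”, whereas RegistryKey.GetValueNames() returns every name the key holds. Run the script before the simulator on a disposable machine to confirm a clean baseline, then after the remover to see what, if anything, it left behind.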

jessa_kristene…
Please break your link. I don’t think VlK and the Alwil staff would want you doing this.

Don’t post links to things that others may not understand the danger of.

Curiosity causes a great deal of problems. Very dangerous.

If you wish to try these things…by all means do so.
Don’t tempt others. Thanks.

Hmm… i understand…

Here it is…

-END-

how were you planning on getting it off the pc after it went on and did what it was supposed to do ?

Hmm… it has a remover that can be found at morgud http://w ww.morgud.com/interests/security/dfk-threat-simulator-v2.asp (no space)

download the remover…

THE REMOVER ONLY

how reliable is the remover ?

Hmm… It’s a risk…

but if you want to be secure…

Don’t try to download this…

Guys… you’re playing with fire…
This is becoming Russian roulette…

Playing Russian roulette with a Beretta isn’t really advisable…