Wednesday, December 15, 2010

RapidShare used to spread rogueware

Besides the usual spam this morning, along the lines of "very good news . now you can buy new iphone 4 from this site! ", I also received an email from someone I know. It was sent to all of his contacts, including me. The message contained only the following URL:


Link to Rapidshare to download a file called "surprise.exe". I have obfuscated the URL for your safety.

It comes as no surprise that this file is actually rogueware named Security Shield. Below you can find an example screenshot of this rogue:


Security Shield rogueware


surprise.exe
Result: 11/42 (26.2%)
MD5: a6af97e7a5fd59c82b4c08a568eae882
VirusTotal
Anubis Report
ThreatExpert Report

When executing the downloaded file (surprise.exe):



Conclusion


Besides coming from a trusted person, this rogueware program also uses Rapidshare as a 'mirror' for spreading. The file is also named "surprise.exe", which may convince you even further that your friend has just sent you a nice surprise e-card or similar. After all, you know the person who sent it, so why would it hurt?

The above pictures prove why. I doubt you'd want some rogueware sitting on your computer. The trick is you should never trust an email which:

- contains only a URL
- has crappy spelling and grammar, if there is content in the message
- has been sent out to everyone in the sender's address book
- has been sent from an unknown sender
- promises you can buy something for a very cheap price
- has no subject or a strange subject (e.g. "0 enjoy yourself")
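
The mechanically checkable signs from the list above (URL-only body, missing subject, mass recipients, unknown sender), plus this post's own case of a link pointing straight at an executable, can be scripted. This is an added Python example, not part of the original post; the threshold, the extension list, the addresses and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

URL_RE = re.compile(r"(?:https?|hxxp)://\S+", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".msi", ".scr", ".pif")  # assumed extension list
MASS_MAIL_THRESHOLD = 10  # assumed cut-off for "the whole address book"


def triage(raw_message, known_senders=None):
    """Return the warning signs found in one raw e-mail message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    if isinstance(body, list):  # multipart: inspect the first part only
        body = body[0].get_payload()
    body = str(body).strip()
    urls = URL_RE.findall(body)
    findings = []
    # Nothing is left once the URLs are removed: the body is only a link.
    if urls and not URL_RE.sub("", body).strip():
        findings.append("url-only body")
    # The link ends in an executable extension (the surprise.exe case).
    if any(u.lower().endswith(EXECUTABLE_EXT) for u in urls):
        findings.append("link to executable")
    if not (msg["Subject"] or "").strip():
        findings.append("no subject")
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) >= MASS_MAIL_THRESHOLD:
        findings.append("mass recipients")
    # The sender check runs only when a list of known addresses is supplied.
    senders = {addr.lower() for _, addr in getaddresses(msg.get_all("From", []))}
    if known_senders is not None and not senders & set(known_senders):
        findings.append("unknown sender")
    return findings


# Constructed sample modelled on the message described in this post:
# a known sender, the whole address book in To, no subject, one link.
SAMPLE = (
    "From: friend@example.org\n"
    "To: " + ", ".join(f"contact{i}@example.org" for i in range(12)) + "\n"
    "Subject:\n"
    "\n"
    "hxxp://download.example/files/surprise.exe\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE, known_senders={"friend@example.org"}))
```

The sample is flagged on four counts even though the sender is in the known list, which is the situation this post describes.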

If you have downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virus scanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!

Peace out.

Saturday, December 4, 2010

new rogue: PCoptimizer 2010

As already stated in my previous post, there are two new rogues (rogue security software, rogueware) lurking around:

PrivacyGuard 2010 and PCoptimizer 2010

You can be presented with either of these GUIs:


PrivacyGuard 2010 (picture: BleepingComputer)



PCoptimizer 2010


If you execute any program, you can be presented with the following pop-up:


PCoptimizer 2010 pop-up


I also made a small video on how you can disable this rogue and access your programs again. In this video I targeted PCoptimizer 2010, but you can also apply these steps to PrivacyGuard 2010.



Direct link to HD video on YouTube


6 easy steps:

1) Go to Start > Run
2) Type in: C:\windows\system32
3) Find taskmgr.exe and make a copy
4) Paste taskmgr.exe on your desktop (for example) and rename it to explorer.exe
5) Locate the process for the rogue (in this case, PCoptimizer 2010.exe) and click on End Process
6) You can now execute your Antivirus or Antimalware tools again, or browse the internet and download one :)

Thursday, December 2, 2010

new rogue domain: privacyguard2010.com


Registrant Contact:
Name: Bayangol Duureg, Undsen Khuuliyn Gudamj 24
Address: 15111 N. Hayden Rd., Ste 160, PMB 353
City: Ulaanbaatar
Country: Mongolia

hxxp://privacyguard2010.com
Result: 3/17 (18 %)
Domain Hash: fec975d80b19c2ec3ce80fac1cd7800b
Note: this page does not trigger a "scan" of your computer; however, you can download a malicious file. Visit at your own risk!

Some related domains:
hxxp://pcprotectioncenter.com/
hxxp://privacycorrector.com/
hxxp://pcoptimizer2010.com/
hxxp://psccenter.com/
hxxp://controlcenter2011.com/


The following file was downloaded:
setup.msi
Result: 1/43 (2.3%)
MD5: 92577052e1f4f51cb74d37727d032168

This file drops:
PCoptimizer2010.exe
Result: 2/43 (4.7%)
MD5: 6ad932b045a4ac666659d496a81af52d
VirusTotal
Anubis Report
ThreatExpert Report

Screenshot examples:

PrivacyGuard 2010 home page


When executing the file (PCoptimizer2010.exe)
PrivacyGuard 2010 installation wizard