Thursday, January 6, 2011

How to Remove "Antivirus Scan" FakeAV Malware

Yesterday I conducted a forensic investigation and cleanup of an infected Windows PC. When I first saw the computer, it was running a fake antivirus program identifying itself as simply "Antivirus Scan," which had attempted to open multiple adult Web sites as well as the Viagra homepage in order to convince the user that its fake scan had really found infections. (The real McAfee VirusScan Enterprise was also running on the system, but it was one day behind in its definitions and seemed completely oblivious to the infection.) Following are screenshots of this malware courtesy of URLVoid Blog, which identifies a connection between this fake AV and the TDSS malware family:


The malware prevented opening the Task Manager or regedit, even after I copied the exe files to the desktop and renamed them. It also cleverly prevented opening McAfee's main window. I had to boot the machine from a CD (a previously made UBCD4Win disc) in order to examine and repair the computer.

Not only had McAfee been unhelpful at detecting or preventing the infection, but running a fully updated Spybot—Search & Destroy while booted from the CD didn't find any malicious files either. While that scan was running, I searched the hard drive for files modified within the past two days (the machine had reportedly become infected the previous day) and I noticed Windows prefetch (.PF) files for two suspicious executables, which I subsequently discovered residing here:
C:\Documents and Settings\[username]\Local Settings\Temp\glqvcorac\poylsfolajb.exe
C:\Documents and Settings\[username]\Local Settings\Temp\0.9249067424896712.exe
(Note that the name of the folder and files inside the Temp directory are random, so if you're cleaning this infection you'll have to look for similarly suspicious files inside your Local Settings\Temp folder. In fact, you can usually safely delete the entire contents of that Temp folder. Also note that this is the Windows XP directory structure, so if you're running Windows Vista or Windows 7 the path will be different, possibly C:\Users\[username]\AppData\Local\Temp or C:\Users\[username]\Local Settings\Temp.)
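The same two clues I used above (recently written executables in a user's Temp folder, and the Prefetch entries that record them running) can be gathered in one pass. The script below is an added example, not code from the original post; it assumes Windows Vista or later (the C:\Users layout), PowerShell 3.0 or newer, and an elevated prompt so that C:\Windows\Prefetch is readable.

```powershell
# Added example, not from the original post: list executables written to
# per-user Temp folders in the last $Days days and match each one to the
# Prefetch entries that record it running, the two clues the article used.
# Assumptions: Windows Vista or later (C:\Users layout), PowerShell 3.0+,
# an elevated prompt (C:\Windows\Prefetch is not readable otherwise).
param([int]$Days = 2)

$cutoff = (Get-Date).AddDays(-$Days)

function Get-Md5Hex {
    # MD5 of a file as lowercase hex, comparable with a VirusTotal lookup.
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($md5.ComputeHash($stream))).Replace('-', '').ToLower() }
    finally { $stream.Close() }
}

# Every profile's Local\Temp (the XP equivalent is Local Settings\Temp).
$tempDirs = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } |
    Where-Object { Test-Path $_ }

# Recently written executables anywhere under those folders, hidden ones included.
$recentExes = foreach ($dir in $tempDirs) {
    Get-ChildItem -Path $dir -Recurse -Force -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff }
}

# Prefetch files are named NAME.EXE-<hash>.pf; their write time approximates the last run.
$prefetch = Get-ChildItem 'C:\Windows\Prefetch' -Filter *.pf -ErrorAction SilentlyContinue

foreach ($exe in $recentExes) {
    $pf = $prefetch | Where-Object { $_.Name -like ($exe.Name + '-*.pf') }
    [PSCustomObject]@{
        Path     = $exe.FullName
        Modified = $exe.LastWriteTime
        Bytes    = $exe.Length
        MD5      = Get-Md5Hex $exe.FullName
        Prefetch = ($pf | ForEach-Object { $_.Name }) -join ';'
        LastRun  = ($pf | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
    }
}
```

Run it from a clean boot environment or Safe Mode as described above; a Temp executable with a matching Prefetch entry and a random-looking name is the kind of file to hash and look up before deleting.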

It turns out that both of these files were actually copies of the same file with different names. The file is currently detected by 28 out of 43 antivirus engines according to VirusTotal:
MD5   : 3f26b63042639ba83f12af59ec96b669
SHA1  : 08d8df0cdb79519705b7cf57f625fa5b83842129
SHA256: 2114f60f2ee4c600afe9665abea18531fbc0aa913f56dbad68052a73cdd85adb
File size : 321536 bytes
First seen: 2011-01-04 17:26:04

28/43 detection rate as of 2011-01-06 19:46:38 (UTC)

34/43 detection rate as of 2011-01-10 17:33:23 (UTC)

Variously identified as: FakeAlert-SpyPro.gen.bb, Gen:Variant.Kazy.7105, Gen.Variant.Kazy!IK, Generic Malware, Generic4.AZEH, Mal/FakeAV-DO, Mal/FakeAV-IC, Medium Risk Malware, Rogue:Win32/FakeSpypro, Rogue.FakeSpypro (Not a Virus), TR/FakeAV.zrt, Trj/CI.A, TROJ_FAKEAV.SMT1, Trojan.Agent/Gen-Venue, Trojan.FakeAV, Trojan.FakeAV!6BsmWKRLcxY, Trojan.FakeAV!gen39, Trojan.Siggen.64617, Trojan.Win32.FakeAV.zrt, Trojan.Win32.Generic.pak!cobra, Trojan/Win32.FakeAV.gen, UnclassifiedMalware, W32/FakeAV.ACHR, W32/FakeAV.ZRT!tr, Win-Trojan/Fakeav.321536.D, Win32:FakeAV-BCD, Win32:FakeAV-BCI, Win32.GenVariant.Kaz, Win32/Adware.SpywareProtect2009, Win32/AntivirusAction.AM, etc.
Here's another variant that I later discovered on another computer:
MD5   : a931ee4e43fb3e2651811f984bfafc0d
SHA1  : d5cb58529480fe7d4bd04e997e235591ebbe8c5b
SHA256: d1e997bff5cfadb7b27945c1c30574f8d3eea6ba9afd4a65b87187e037679248
File size : 324096 bytes
First seen: 2011-01-07 02:58:58

36/43 detection rate as of 2011-01-11 20:23:54 (UTC)

In addition to the classifications above, this variant is also identified as: Gen:Variant.Kazy.7430, Generic20.BOWF, High Risk Cloaked Malware, Riskware, Suspicious file, TR/Kazy.7430, TROJ_FAKEAV.GKR, Trojan.Agent/Gen-Frauder, Trojan.FakeAV!F3J+Da8Hqx4, Trojan.FakeAV!gen39, Trojan.FakeAV.zug, Trojan.Win32.FakeAV.zug, Trojan/Kryptik.JMP.gen, W32/FakeAV.ACHN, W32/FakeAV.ZUG!tr, Win32:FakeAV-BCI, Win32.GenVariant.Kaz, Win32/FraudAntivirusScan.F, Win32/Kryptik.JMP.Gen, etc.
I continued my investigation to try to discover the origin of the infection. Searching through the main index.dat History file, I identified a suspicious URL for a PDF file, and I searched the hard drive for that file. Sure enough, a scan on VirusTotal showed that the file was a PDF exploit, and Wepawet also identified it as suspicious. (Incidentally, the infected PC was running an old and vulnerable copy of Adobe Reader, version 9.2.0, and had not been configured for better security.) Here's the VirusTotal analysis of the PDF, which is currently detected by only about a third of major antivirus vendors:
MD5   : 2d1eb76fde5a94b14e1436039ffb0d87
SHA1  : 441a264f5f0fc30072ab4b4f420d80b70366f645
SHA256: 74b926b64dfa4e81ec0b5883a3bdb1f82de0d0e6103b2fa6861d67805ec92ada
File size : 12458 bytes
First seen: 2011-01-06 00:04:44

16/43 detection rate as of 2011-01-06 19:57:17 (UTC)

18/43 detection rate as of 2011-01-10 17:35:49 (UTC)

Variously identified as: Exploit.AdobeReader.gen (v), Exploit.JS.Pdfka.dcq, Exploit.PDF-JS!IK, Exploit.PDF-JS.Gen, Exploit.PDF.1654, Exploit.PDF.gen, Heuristic.BehavesLike.PDF.Suspicious.I, JS:Pdfka-APU, PDF/Exploit.Pidief.PDS.Gen, PDF/Pidief!generic, PDF/Piedf.F2EB!exploit, TROJ_PIDIEF.SMZB, Troj/PDFJs-ML, etc.
Since the file was located in the browser cache (the Temporary Internet Files folder), simply emptying the cache should delete this file if it resides on your system.
After rebooting from the hard drive again, the PC could not access the Internet. I ran HijackThis and found the following registry entries which needed to be deleted:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
O4 - HKCU\..\Run: [qectelup] C:\DOCUME~1\[username]\LOCALS~1\Temp\glqvcorac\poylsfolajb.exe
(For the O4 entry above, note that the path to the file inside the Temp folder will match the one where the file had previously been located on your system; it won't be named exactly as above.)

After cleaning these entries, the system was able to get online again. Note that there may be additional registry settings that should be reverted to their previous settings. This Anubis report and this ThreatExpert report show the following additional modifications to registry values:
HKCU\Software\Microsoft\Internet Explorer\Download CheckExeSignatures = no
HKCU\Software\Microsoft\Internet Explorer\Download RunInvalidSignatures = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations LowRiskFileTypes = .exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments SaveZoneInformation = 1
According to Trend Micro, it should be safe to delete the registry values highlighted in bold above (assuming you have a good understanding of how to properly edit the registry).
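To check a system for the registry changes described above (the local proxy hijack, the Run entry launching from Temp, and the four weakened Internet Explorer download settings) without editing anything by hand, the following read-only audit can be run as the affected user. It is an added example, not code from the original post or from any of the tools mentioned, and it assumes PowerShell 3.0 or newer.

```powershell
# Added example, not from the original post: read-only audit of the HKCU
# values the article reports this FakeAV changing (proxy hijack, Run
# persistence from Temp, weakened IE download checks). Assumes PowerShell
# 3.0+ run as the affected user, since all of the keys live under HKCU.
$findings = @()

# 1. WinINet proxy redirected to a listener on the local machine.
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = (Get-ItemProperty -Path $inet -Name ProxyServer -ErrorAction SilentlyContinue).ProxyServer
if ($proxy -and $proxy -match '127\.0\.0\.1|localhost') {
    $findings += "ProxyServer points at the local host: $proxy"
}

# 2. Run entries that launch something out of a Temp folder (the O4 entry above).
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # provider metadata, not a Run value
        if ("$($p.Value)" -match '\\Temp\\') {        # matches both \Temp\ and LOCALS~1\Temp\
            $findings += "Run entry [$($p.Name)] launches from Temp: $($p.Value)"
        }
    }
}

# 3. Download safeguards the malware turned off; Bad is the value the article lists.
$weakened = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'CheckExeSignatures';   Bad = 'no' }
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'RunInvalidSignatures'; Bad = '1' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes';    Bad = '.exe' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';  Name = 'SaveZoneInformation'; Bad = '1' }
)
foreach ($w in $weakened) {
    $item = Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }                 # value absent: the secure default applies
    $val = "$($item.$($w.Name))"
    if ($val -like "*$($w.Bad)*") {
        $findings += "$($w.Path)\$($w.Name) = $val (weakened)"
    }
}

if ($findings.Count -eq 0) { 'No indicators from this article were found under HKCU.' }
else { $findings }
```

Anything it reports should be compared against the HijackThis output and the Anubis/ThreatExpert lists before you remove it, since a corporate proxy or a deliberate LowRiskFileTypes policy can look similar.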

Following are reports for malicious sites and IPs that have recently been hosting content related to this infection and its variants:
Here's a screenshot showing the homepage of some of these fraudulent sites (courtesy of URLVoid Blog):

Antivirus Scan Proven Antivirus Protection fraud site screenshot

The computer probably wouldn't have gotten infected in the first place if it had been running the latest version of Adobe Reader configured for better security, or an alternative PDF reader.

UPDATE, 10 Jan 2011 @ 11:26 PST: Added additional malware names and current detection rates.
UPDATE, 11 Jan 2011 @ 21:38 PST: Added additional malware names and domains related to a new variant.



8 comments:

  1. Hey, this looks like what I need, but when I tried to empty the cache, I couldn't open Temporary Internet Files. I keep getting a fake virus message as soon as that opens, and then it disappears. Any advice?

  2. LIIT Committee: You need remove the fake antivirus program before you do anything else. As I mentioned, you should first boot from another drive (preferably a CD, since it's not writable) in order to stop the malware from running so you can locate and delete the malicious .exe files. Then after that you can boot from the hard drive again, and that's when you should clear the browser cache, run HijackThis, and check your registry for the specified modifications.

    These are fairly advanced malware removal techniques. If you don't already have a bootable operating system on a CD or DVD, and if you don't already have a copy of HijackThis on your infected PC or on a flash drive or something, then you'll need another computer to download a boot CD ISO and HijackThis, and then burn the ISO to a CD. (You can try an antivirus boot CD such as Kaspersky's or one of these listed on someone else's site.) You may also run into trouble if you have an NTFS-formatted drive and have your user account set to private (if you selected "Yes, Make Private" when asked "Do you want to make your files and folders private?" back when you originally created the user account). If you have difficulty you may need to ask someone you know for assistance, or print my article and bring it into a PC repair shop to have them clean it for you. Good luck.

  3. I have seen 2 cases of this. Each time I was able to log in to Safe Mode, edit, run scans and remove the malware. Also it seems to load only in the affected user's profile.

  4. Thanks, worked like a charm. I ran into this problem before and had to reformat my drive. My friend had the same problem today and I found your info here. I just want to express my appreciation and I will recommend others to your site. Thanks again.

  5. Senor Flippy Flop: Thanks for your comment. I usually prefer booting from a CD when cleaning malware in case there are rootkits or other difficult infections on the system, but you make a good point that booting into Safe Mode is sufficient for cleaning some kinds of malware.

    charles: You're welcome. =) I'm glad I could help.

  6. Yesterday I dealt with a third PC that was infected with another variant of this malware, and this time I tried the Safe Mode method. Worked like a charm; no boot CD required.

  7. ADOBE UPDATE 8.3.1.cpsid_83708 IS SHOWN IN ADD/REMOVE PROGRAMS. IT IS LISTED IN THE MIDDLE OF THE PAGE INSTEAD OF ON THE LEFT AS ALL OTHERS ARE... IT ALSO SAYS THAT IT CANNOT BE REMOVED.. WAS INSTALLED 10/29/11..
    THE ADOBE 8.3.1 IS LISTED ABOVE IT UNDER NORMAL FORMAT FOR REMOVAL/CHANGE. I AM GETTING THE JSFAKEAVID..TRJ THE PAST FEW DAYS REINFECTING MY SYSTEM.. AVAST FINDS IT, ISOLATES IT, AND I BELIEVE IT WAS SENT TO ME VIA EMAIL FROM A TRUSTED FRIEND'S MAIL WITH A LINK.. I DID NOT OPEN IT AS THERE WAS NO SUBJECT AND IT LOOKED WEIRD.. BUT THE SCREEN CAME UP RE THE MALWARE ETC ETC. I COULD DO NOTHING TO STOP IT SO TURNED THE MACHINE OFF AT THE TOWER... ANY THOUGHT RE THE ADOBE UPDATE? THANK YOU SO MUCH. XP HOME SP3, BDAGGETT

  8. bdag: The way Adobe Reader appears in Add or Remove Programs is probably unrelated to the infection. You should be running the latest version of Adobe Reader anyway for security reasons. When you install the latest version, any old versions will be removed. After upgrading, be sure to configure it as I described in this article.

    If you have a recurring infection that Avast isn't cleaning up, you may have a rootkit or some other form of nasty infection that's difficult to remove. The best way to remove that kind of malware is to boot the computer from a clean operating system and scan with a different utility. Try Microsoft's new Windows Defender Offline Beta. You may need/wish to create the bootable USB flash drive (or CD or DVD) using someone else's clean computer. Follow Microsoft's instructions on how to install and use it. You'll need at least 768 MB of RAM in order to run it on your system, so if you only have 512 MB you'll have to use some other utility (see my reply to LIIT Committee above for links to some antivirus boot CDs). Good luck.
