Thursday, January 6, 2011

How to Remove "Antivirus Scan" FakeAV Malware

Yesterday I conducted a forensic investigation and cleanup of an infected Windows PC. When I first saw the computer, it was running a fake antivirus program identifying itself as simply "Antivirus Scan," which had attempted to open multiple adult Web sites as well as the Viagra homepage in order to convince the user that its fake scan had really found infections. (The real McAfee VirusScan Enterprise was also running on the system, but it was one day behind in its definitions and seemed completely oblivious to the infection.) Following are screenshots of this malware courtesy of URLVoid Blog, which identifies a connection between this fake AV and the TDSS malware family:

The malware prevented opening the Task Manager or regedit, even after I copied the exe files to the desktop and renamed them. It also cleverly prevented opening McAfee's main window. I had to boot the machine from a CD (a previously made UBCD4Win disc) in order to examine and repair the computer.

Not only had McAfee been unhelpful at detecting or preventing the infection, but running a fully updated Spybot—Search & Destroy while booted from the CD didn't find any malicious files either. While that scan was running, I searched the hard drive for files modified within the past two days (the machine had reportedly become infected the previous day) and I noticed Windows prefetch (.PF) files for two suspicious executables, which I subsequently discovered residing here:
C:\Documents and Settings\[username]\Local Settings\Temp\glqvcorac\poylsfolajb.exe
C:\Documents and Settings\[username]\Local Settings\Temp\0.9249067424896712.exe
(Note that the folder name and the file names inside the Temp directory are random, so if you're cleaning this infection you'll have to look for similarly suspicious files inside your Local Settings\Temp folder. In fact, you can usually safely delete the entire contents of that Temp folder. Also note that this is the Windows XP directory structure; on Windows Vista or Windows 7 the equivalent folder is C:\Users\[username]\AppData\Local\Temp, and C:\Users\[username]\Local Settings exists there only as a hidden compatibility junction pointing at AppData\Local.)

It turns out that both of these files were actually copies of the same file with different names. The file is currently detected by 28 out of 43 antivirus engines according to VirusTotal:
MD5   : 3f26b63042639ba83f12af59ec96b669
SHA1  : 08d8df0cdb79519705b7cf57f625fa5b83842129
SHA256: 2114f60f2ee4c600afe9665abea18531fbc0aa913f56dbad68052a73cdd85adb
File size : 321536 bytes
First seen: 2011-01-04 17:26:04

28/43 detection rate as of 2011-01-06 19:46:38 (UTC)

34/43 detection rate as of 2011-01-10 17:33:23 (UTC)

Variously identified as: Gen:Variant.Kazy.7105, Gen.Variant.Kazy!IK, Generic Malware, Generic4.AZEH, Mal/FakeAV-DO, Mal/FakeAV-IC, Medium Risk Malware, Rogue:Win32/FakeSpypro, Rogue.FakeSpypro (Not a Virus), TR/FakeAV.zrt, Trj/CI.A, TROJ_FAKEAV.SMT1, Trojan.Agent/Gen-Venue, Trojan.FakeAV, Trojan.FakeAV!6BsmWKRLcxY, Trojan.FakeAV!gen39, Trojan.Siggen.64617, Trojan.Win32.FakeAV.zrt, Trojan.Win32.Generic.pak!cobra, Trojan/Win32.FakeAV.gen, UnclassifiedMalware, W32/FakeAV.ACHR, W32/FakeAV.ZRT!tr, Win-Trojan/Fakeav.321536.D, Win32:FakeAV-BCD, Win32:FakeAV-BCI, Win32.GenVariant.Kaz, Win32/Adware.SpywareProtect2009, Win32/AntivirusAction.AM, etc.
Here's another variant that I later discovered on another computer:
MD5   : a931ee4e43fb3e2651811f984bfafc0d
SHA1  : d5cb58529480fe7d4bd04e997e235591ebbe8c5b
SHA256: d1e997bff5cfadb7b27945c1c30574f8d3eea6ba9afd4a65b87187e037679248
File size : 324096 bytes
First seen: 2011-01-07 02:58:58

36/43 detection rate as of 2011-01-11 20:23:54 (UTC)

In addition to the classifications above, this variant is also identified as: Gen:Variant.Kazy.7430, Generic20.BOWF, High Risk Cloaked Malware, Riskware, Suspicious file, TR/Kazy.7430, TROJ_FAKEAV.GKR, Trojan.Agent/Gen-Frauder, Trojan.FakeAV!F3J+Da8Hqx4, Trojan.FakeAV!gen39, Trojan.FakeAV.zug, Trojan.Win32.FakeAV.zug, Trojan/Kryptik.JMP.gen, W32/FakeAV.ACHN, W32/FakeAV.ZUG!tr, Win32:FakeAV-BCI, Win32.GenVariant.Kaz, Win32/FraudAntivirusScan.F, Win32/Kryptik.JMP.Gen, etc.
I continued my investigation to try to discover the origin of the infection. Searching through the main index.dat History file, I identified a suspicious URL for a PDF file, and I searched the hard drive for that file. Sure enough, a scan on VirusTotal showed that the file was a PDF exploit, and Wepawet also identified it as suspicious. (Incidentally, the infected PC was running an old and vulnerable copy of Adobe Reader, version 9.2.0, and had not been configured for better security.) Here's the current VirusTotal analysis of the PDF, which is currently only detected by about a third of major antivirus vendors:
MD5   : 2d1eb76fde5a94b14e1436039ffb0d87
SHA1  : 441a264f5f0fc30072ab4b4f420d80b70366f645
SHA256: 74b926b64dfa4e81ec0b5883a3bdb1f82de0d0e6103b2fa6861d67805ec92ada
File size : 12458 bytes
First seen: 2011-01-06 00:04:44

16/43 detection rate as of 2011-01-06 19:57:17 (UTC)

18/43 detection rate as of 2011-01-10 17:35:49 (UTC)

Variously identified as: Exploit.AdobeReader.gen (v), Exploit.JS.Pdfka.dcq, Exploit.PDF-JS!IK, Exploit.PDF-JS.Gen, Exploit.PDF.1654, Exploit.PDF.gen, Heuristic.BehavesLike.PDF.Suspicious.I, JS:Pdfka-APU, PDF/Exploit.Pidief.PDS.Gen, PDF/Pidief!generic, PDF/Piedf.F2EB!exploit, TROJ_PIDIEF.SMZB, Troj/PDFJs-ML, etc.
Since the file was located in the browser cache (the Temporary Internet Files folder), simply emptying the cache should delete this file if it resides on your system.
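As an added example (it is not part of the original post), the following PowerShell script automates the triage described above: it lists Prefetch entries written in the last couple of days, then hashes everything under the user's Temp and Temporary Internet Files folders and flags files that match the three samples above, executables written recently, or the random-number file names the dropper used. The Windows XP paths and the two-day window are assumptions taken from this post; on Vista/7 substitute $env:LOCALAPPDATA\Temp and the corresponding cache folder. It uses the .NET hash classes rather than Get-FileHash so it runs on PowerShell 2.0, which is what an XP-era machine would have. Run it from the booted OS as the affected user, or pass -Profile and -SystemRoot pointing at the mounted drive when working from a boot CD.

```powershell
# Added example, not from the original post. Flags files in the locations
# where this post found the FakeAV dropper and the PDF exploit.
param(
    [int]$Days = 2,                               # window used in the post
    [string]$Profile = $env:USERPROFILE,          # e.g. 'D:\Documents and Settings\jane' from a boot CD
    [string]$SystemRoot = $env:SystemRoot         # e.g. 'D:\WINDOWS' from a boot CD
)

# MD5s of the three samples listed in this post (FakeAV variants 1 and 2, PDF exploit).
$KnownBad = @{
    '3f26b63042639ba83f12af59ec96b669' = 'Antivirus Scan FakeAV (variant 1)'
    'a931ee4e43fb3e2651811f984bfafc0d' = 'Antivirus Scan FakeAV (variant 2)'
    '2d1eb76fde5a94b14e1436039ffb0d87' = 'PDF exploit (Pidief/Pdfka)'
}

# Windows XP layout (assumption); adjust for Vista/7.
$Roots = @(
    (Join-Path $Profile 'Local Settings\Temp'),
    (Join-Path $Profile 'Local Settings\Temporary Internet Files')
)
$Cutoff = (Get-Date).AddDays(-$Days)

function Get-Md5Hex {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { $bytes = $md5.ComputeHash($fs) }
    finally { $fs.Close() }
    ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

# 1. Prefetch: a .pf file is created the first time an executable runs, so
#    new entries name recently launched programs even if the binary has moved.
$Prefetch = Join-Path $SystemRoot 'Prefetch'
if (Test-Path -LiteralPath $Prefetch) {
    Get-ChildItem -LiteralPath $Prefetch -Filter *.pf -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Cutoff } |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object { 'PREFETCH {0:u}  {1}' -f $_.LastWriteTime, $_.Name }
}

# 2. Temp and browser cache: hash every file, flag known samples, recent
#    executables, and the random-number names the dropper used.
$Findings = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $f = $_
            $why = @()
            $hash = $null
            try { $hash = Get-Md5Hex $f.FullName } catch { }   # locked files are skipped
            if ($hash -and $KnownBad.ContainsKey($hash)) { $why += "known sample: $($KnownBad[$hash])" }
            if ($f.Extension -eq '.exe' -and $f.LastWriteTime -gt $Cutoff) { $why += "executable written in last $Days day(s)" }
            if ($f.Name -match '^\d\.\d{8,}\.exe$') { $why += 'random-number filename' }
            if ($why.Count -gt 0) {
                New-Object PSObject -Property @{
                    Path = $f.FullName; MD5 = $hash
                    LastWrite = $f.LastWriteTime; Why = ($why -join '; ')
                }
            }
        }
}
$Findings | Sort-Object LastWrite -Descending | Format-Table -AutoSize Path, LastWrite, MD5, Why
```

The hash match only catches these exact samples; the timestamp and file-name heuristics are what will catch the next repacked variant, so review everything the script lists rather than only the "known sample" rows.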
After rebooting from the hard drive again, the PC could not access the Internet. I ran HijackThis and found the following registry entries which needed to be deleted:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
O4 - HKCU\..\Run: [qectelup] C:\DOCUME~1\[username]\LOCALS~1\Temp\glqvcorac\poylsfolajb.exe
(For the O4 entry above, note that the path to the file inside the Temp folder will match the one where the file had previously been located on your system; it won't be named exactly as above.)

After cleaning these entries, the system was able to get online again. Note that there may be additional registry settings that should be reverted to their previous settings. Sandbox reports from Anubis and ThreatExpert show the following additional modifications to registry values:
HKCU\​Software\​Microsoft\​Internet Explorer\​Download CheckExeSignatures = no
HKCU\​Software\​Microsoft\​Internet Explorer\​Download RunInvalidSignatures = 1
HKCU\​Software\​Microsoft\​Windows\​CurrentVersion\​Policies\​Associations LowRiskFileTypes = .exe
HKCU\​Software\​Microsoft\​Windows\​CurrentVersion\​Policies\​Attachments SaveZoneInformation = 1
According to Trend Micro, it should be safe to delete the four registry values listed above (assuming you have a good understanding of how to properly edit the registry).
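As an added example (not from the original post), this PowerShell script checks the registry locations described above, prints anything that looks like this infection's work, and removes it only when run with -Fix. The value names and the "bad" settings come from the HijackThis lines and sandbox reports quoted above; the Temp-path heuristic for Run entries and the match patterns are my assumptions. All of the keys live under HKCU, so run it as the affected user after the malicious executable is gone, and export the hive first (reg export HKCU\Software hkcu-software.reg) so the change can be reversed.

```powershell
# Added example, not from the original post. Reports (and with -Fix, reverts)
# the HKCU changes attributed to "Antivirus Scan" in this post.
param([switch]$Fix)

# Properties Get-ItemProperty adds to every result; not registry values.
$ProviderNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Report([string]$Key, [string]$Name, $Value) {
    '{0}\{1} = {2}' -f $Key, $Name, $Value
}

# 1. Proxy hijack (the R1 line). An empty 'http=' proxy breaks all web access.
$Inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inetProps = Get-ItemProperty -Path $Inet -ErrorAction SilentlyContinue
if ($inetProps -and $inetProps.PSObject.Properties['ProxyServer']) {
    Report $Inet 'ProxyServer' $inetProps.ProxyServer
    if ($Fix) {
        Remove-ItemProperty -Path $Inet -Name 'ProxyServer'
        Set-ItemProperty    -Path $Inet -Name 'ProxyEnable' -Value 0 -Type DWord
    }
}

# 2. Persistence (the O4 line). Anything under Run that launches from a Temp
#    folder is suspect; heuristic, since legitimate software rarely does this.
$Run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -Path $Run -ErrorAction SilentlyContinue
if ($runProps) {
    foreach ($p in $runProps.PSObject.Properties) {
        if ($ProviderNoise -contains $p.Name) { continue }
        if ("$($p.Value)" -match '(?i)(\\Temp\\|LOCALS~1\\Temp|\\AppData\\Local\\Temp)') {
            Report $Run $p.Name $p.Value
            if ($Fix) { Remove-ItemProperty -Path $Run -Name $p.Name }
        }
    }
}

# 3. Download/attachment policy values from the Anubis and ThreatExpert reports.
#    Each is deleted only when it holds the value the malware sets.
$Policy = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                   Name = 'CheckExeSignatures';   Bad = '^no$' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                   Name = 'RunInvalidSignatures'; Bad = '^1$'  },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes';     Bad = '\.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';  Name = 'SaveZoneInformation';  Bad = '^1$'  }
)
foreach ($c in $Policy) {
    if (-not (Test-Path -LiteralPath $c.Path)) { continue }
    $props = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.PSObject.Properties[$c.Name]) { continue }
    $val = $props.($c.Name)
    Report $c.Path $c.Name $val
    if ($Fix -and ("$val" -match $c.Bad)) { Remove-ItemProperty -Path $c.Path -Name $c.Name }
}
if (-not $Fix) { 'Report only; rerun with -Fix to remove the values listed above.' }
```

The default is report-only so the output can be compared against the HijackThis log before anything is changed; LowRiskFileTypes in particular is sometimes set deliberately by administrators, which is why the script only deletes values that match what the sandbox reports attribute to the malware.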

Following are reports for malicious sites and IPs that have recently been hosting content related to this infection and its variants:
Here's a screenshot showing the homepage of some of these fraudulent sites (courtesy of URLVoid Blog):

Antivirus Scan Proven Antivirus Protection fraud site screenshot

The computer probably wouldn't have gotten infected in the first place if it had been running the latest version of Adobe Reader configured for better security, or an alternative PDF reader.

UPDATE, 10 Jan 2011 @ 11:26 PST: Added additional malware names and current detection rates.
UPDATE, 11 Jan 2011 @ 21:38 PST: Added additional malware names and domains related to a new variant.

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.