Tuesday, September 22, 2009

"Windows PC Defender" Malware and Malicious Site Reports

Windows PC Defender malware iconThere's a lot of fake ("rogue") antivirus malware in the wild, as I've mentioned previously.  Sometimes it's relatively easy to remove; just kill the process with Windows Task Manager (press Ctrl-Shift-Esc, click on the malicious process e.g. pav.exe, and click End Process) and then delete the offending executable file.  Yesterday I came across a new variant of "Windows PC Defender" and was surprised at how many changes it made to the system.  Not only were there HOSTS file and search engine modifications, but the malware also effectively disabled Windows Task Manager—and even McAfee VirusScan Enterprise, which unfortunately failed to detect the new malware before being disabled by it.

What heinous malware sorcery was needed to disable a major corporate antivirus product?  Nothing more than a simple registry hack.  Several application file names were added to the following location in the registry, with svchost.exe set as the debugger (which effectively prevented all processes with those file names from running at all):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Although McAfee didn't stop the malware and was subsequently disabled by the infection, Spybot-Search & Destroy was able to find some—but not all—of the registry modifications (the entries that Spybot found were identified as Hupigon13, Win32.Agent.tdd, Win32.Delf.uv, and Win32.VB.PW infections).  Spybot's findings pointed me in the right direction so I could manually find and remove some of the other registry changes.  A partial list of disabled applications can be found at the ThreatExpert link below.  When cleaning this or a similar infection, you can safely delete any entries with "svchost.exe" set as the debugger.  Note that if regedit.exe is disabled by this hack, you can just make a copy of it on your desktop and rename it to something else, e.g. regedit-works-now.exe, and then open the renamed copy.  You can find the original at C:\WINDOWS\regedit.exe on your hard drive, or look in the I386 folder on your Windows installation disc.

HijackThis pointed out that there were HOSTS file infections.  Several Google domains were being forced to resolve to 206.53.61 .77, but even more interesting was that several domains related to other fake antivirus products were being forced to resolve to 74.125.45.100—the real Google.  (Apparently the creator of this malware didn't want any competition from certain other fake antivirus products, but I find it somewhat amusing that the malware author chose to redirect those sites to the real Google while redirecting real Google sites elsewhere; why not just redirect your competitors' sites to 206.53.61 .77 as well?)  HijackThis was unable to remove the HOSTS file infections, and FileASSASSIN was unable to delete the infected HOSTS file, so I used Spybot's file shredder utility to rename it, and then used Spybot to create a new HOSTS file in its place.  I then used GiPo@MoveOnBoot to mark the renamed infected file for removal the next time the system boots.

The malware also changed SearchScopes entries in the registry so that searches would be redirected to search-gala .com.  To clean an infected system, you will need to search the registry for "search-gala" and replace anything that looks similar to this:
hxxp://search-gala .com/?&uid=201&q={searchTerms}
...with something safe like this:
http://www.google.com/search?hl=en&q={searchTerms}

Details about the malicious executable, parts courtesy of VirusTotal:
File name and location:
C:\Documents and Settings\All Users\Application Data\090943c\WP0909.exe
File size: 2185216 bytes
MD5 : db50541ff7a46ddeb64fbccdb3bea9d9
SHA1 : 6839e11a015469255f8a1e93a058e5b35c5f74da
SHA256: 6b52a1f71544d3328720cacb7f27034826241cc6bcec33eb6f9c19c48ad3136d
6/41 detection rate upon first scan at 2009.09.22 00:20:13 (UTC)

14/41 detection rate as of 2009.09.22 17:54:05 (UTC), and McAfee and Fortinet plan to add detections for it soon

Variously identified as: Trojan.Win32.FakeVimes!IK, TR/FakeVimes.A.64, Trojan.FakeAV.SG, Trojan.Win32.FraudPack.uci, Artemis!DB50541FF7A4, Trojan.FakeVimes.A.64, Trojan:Win32/FakeVimes, Win32/Kryptik.AKT, Trj/CI.A, Mal/Basine-C, Trojan.Win32.Generic!BT, Suspicious.MH690.A, Misc/FakeAV, FakeAlert-WPS.gen.a
For more details regarding the malicious payload and associated domains, see:

In other news, last night I discovered a new fake virus scan and malware distribution site at rampir .info, which I reported to numerous malware site blacklists.  So far hpHosts, Malware Domain List, and DNS-BH have added it to their lists.  See the following reports:
Here's another of my reports that was recently published on DNS-BH, related to another black hat SEO malware campaign targeting America's Got Talent/Kevin Skinner searches, and my Web of Trust (WOT) reports for each of those domains:

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

3 comments:

  1. Adding yourself as an administrator to the hosts file itself will allow you to change the read-only permissions and then edit and save the file.

    ReplyDelete
  2. I have a question. When I delete the svchost.exe entries the computer starts an automatic shutdown and when it restarts all of svchost.exe entries thatI had previously deleted have returned. What should I do?

    ReplyDelete
  3. Hi, Chubbs:

    Processes named svchost.exe are often legitimate, while occasionally malware uses the same name to disguise itself. The real one is located at C:\WINDOWS\system32\svchost.exe as described in this Microsoft article: http://support.microsoft.com/kb/314056

    Any process with that name that's not located in the system32 folder may be malware. You can use the Advanced features of Spybot-Search & Destroy to show you the full path of each process and kill any that aren't legit. If your system still shuts down when you try to kill illegitimate processes, you may want to try cleaning the infection by booting from a clean OS. Get a friend to make you an Ultimate Boot CD for Windows (UBCD4Win) and boot from that CD and run the latest a-squared Emergency USB Stick edition. After letting a-squared remove anything it finds on your hard drive, restart and eject the CD to boot from your hard drive again. Run the free version of MBAM as well as Spybot-S&D, and do a full scan with your antivirus software, and see if they catch anything else. Hope that helps.

    ReplyDelete

Comment moderation is enabled. (If you wish to contact Josh privately, you can leave a comment and ask that it not be published.)