By Andrew Brandt
It’s been said that sunlight sanitizes almost everything it shines on. Beginning this week, and every week from now on, we’ll focus a concentrated beam on the rogue antivirus programs our support staff and Threat Research team have been working to remediate.
Rogues have a tendency to switch up their names, user interface, and other outward characteristics, while retaining most of the same internal functionality — and by functionality I mean the fraudulent tricks these forms of malware use to make it difficult for someone to identify them as malicious or remove them from an infected computer. It’s not as though the charlatans behind these scams (or their parents) ever made anything that was actually useful or desirable.
So for our inaugural Rogue of the Week post, we bring you notes on MS Removal Tool and XP Total Security, courtesy of Threat Research Analysts Brenden Vaughan and Stephen Ham.
MS Removal Tool
The most frequent infection this week has been the rogue security product MS Removal Tool, which is just the latest variant of the System Tool rogue. What a tool. Here’s what it looks like:
Support also mentioned seeing numerous cases of another rogue that goes by the names Windows Recovery, Windows Repair, or Windows Restore. All of these are “re-branded” versions of the same program.
None of these, obviously, are real Microsoft products, even though they use icons that look like the Microsoft Office logo:
MS Removal Tool installs itself to the %appdata%\Microsoft folder and, like other System Tool variants, uses heavily randomized names.
It also prevents all executable files from running once the rogue starts. However, if you run a sweep while Windows is in Safe Mode, we should be able to remove the infection.
Stephen Ham found that links in spam email led to a drive-by download of MS Removal Tool. The spam messages offered a “Free Discount Card” for…something. The scammer kind of ran out of steam at that point. Thanks for sending the stuff directly to us, crimeware distributor guy. It makes our jobs a lot easier.
Rogue executable is installed to (where <random> indicates an unpredictable jumble of letters and numbers that changes each time someone installs the rogue on a computer):
C:\Documents and Settings\All users\Application Data\<random>\<random>.exe
Rogue sets start points from the following Registry location(s):
<random>= C:\Documents and Settings\All users\Application Data\<random>\<random>.exe
– Vaughan & Ham
XP Total Security
The other rogue security products our support team has primarily seen this week have been variants of the rogue with a randomized, 3-character file name. According to analysts working with the rogue, its user interface and name vary depending on the operating system you happen to be running.
Here’s the short list of names the rogue’s authors have come up with for this scam:
| Windows XP | Windows Vista | Windows 7 |
| --- | --- | --- |
| XP Anti-Virus | Vista Anti-Virus | Win 7 Anti-Virus |
| XP Anti-Virus 2011 | Vista Anti-Virus 2011 | Win 7 Anti-Virus 2011 |
| XP Anti-Spyware | Vista Anti-Spyware | Win 7 Anti-Spyware |
| XP Anti-Spyware 2011 | Vista Anti-Spyware 2011 | Win 7 Anti-Spyware 2011 |
| XP Home Security | Vista Home Security | Win 7 Home Security |
| XP Home Security 2011 | Vista Home Security 2011 | Win 7 Home Security 2011 |
| XP Total Security | Vista Total Security | Win 7 Total Security |
| XP Total Security 2011 | Vista Total Security 2011 | Win 7 Total Security 2011 |
| XP Security | Vista Security | Win 7 Security |
| XP Security 2011 | Vista Security 2011 | Win 7 Security 2011 |
| XP Internet Security | Vista Internet Security | Win 7 Internet Security |
| XP Internet Security 2011 | Vista Internet Security 2011 | Win 7 Internet Security 2011 |
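As an added example (not code from this post or from the analysts quoted in it), the following Python triage routine applies the two patterns described above to a constructed list of Run-key start points: the `<random>\<random>.exe` path under All Users\Application Data that MS Removal Tool uses, and the 3-character executable name of the XP/Vista/Win 7 Security family. The sample entries, the folder used for the 3-character variant and the crude randomness test are all assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample Run-key values in the "name=path" shape the post uses for
# the start point. Entries 2 and 4 imitate the two rogue patterns; none are real
# captures, and the post does not give the 3-character variant's folder (assumed).
SAMPLE_RUN_ENTRIES = [
    r"ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe",
    r"kOxRp3aL=C:\Documents and Settings\All users\Application Data\kOxRp3aL\bQ7tZmWe.exe",
    r"Adobe Reader Speed Launcher=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe",
    r"xzk=C:\Documents and Settings\All users\Application Data\xzk.exe",
]

# <random>\<random>.exe directly under the All Users "Application Data" folder.
SYSTEM_TOOL_PATH = re.compile(
    r"^c:\\documents and settings\\all users\\application data\\"
    r"([a-z0-9]+)\\([a-z0-9]+)\.exe$",
    re.IGNORECASE,
)
# Crude stand-in for "jumble of letters and numbers": alphanumeric, 3 to 32 chars,
# with a digit sandwiched between letters. A legitimate name such as "Win7Update"
# also matches, so treat a hit as a triage hint, not a verdict.
RANDOM_TOKEN = re.compile(r"^(?=.*[a-z].*[0-9].*[a-z])[a-z0-9]{3,32}$", re.IGNORECASE)


def looks_random(token: str) -> bool:
    return bool(RANDOM_TOKEN.match(token))


def triage_entry(line: str) -> list:
    """Return the reasons one Run-key entry matches a pattern from the post."""
    name, _, path = line.partition("=")
    name, path = name.strip(), path.strip()
    reasons = []
    m = SYSTEM_TOOL_PATH.match(path)
    if m and looks_random(m.group(1)) and looks_random(m.group(2)):
        reasons.append("System Tool style: random folder and exe under All Users\\Application Data")
    stem = PureWindowsPath(path).stem
    if len(stem) == 3 and stem.isalnum():
        reasons.append("3-character executable name")
    if looks_random(name):
        reasons.append("random Run value name")
    return reasons


def triage_run_entries(lines) -> dict:
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    triaged = {line.partition("=")[0].strip(): triage_entry(line) for line in lines}
    return {name: reasons for name, reasons in triaged.items() if reasons}
```

Calling `triage_run_entries(SAMPLE_RUN_ENTRIES)` flags only the second and fourth entries; a hit is a prompt to inspect the file (and, per the post, to sweep from Safe Mode if the rogue blocks executables), not a removal decision on its own.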