By Stephen Ham and Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Windows Troubles Killer / Windows Salvage System logoThis week’s rogue, once again, mimics a system utility and not merely an antivirus product. Either way, the scam is the same: Convince the victim that their computer is broken, then coerce them to pay for useless snake oil.

These rogue system utilities go by the names Windows Troubles Killer or Windows Salvage System; They are, for all intents and purposes, identical programs which have been “skinned” with different names. They actually appear to be a hybrid rogue, carefully blending a customized mix of malarkey and baloney into some sort of shenanigans smoothie. The program claims not only to be able to scan your computer for problems with software settings and other system optimization-sounding stuff, but also to perform some sort of check of your “Computer Safety” and “Network Security.” Oh yes, and there’s an antivirus component too, just to round out the complete package.

All in all, it’s a fairly rudimentary rogue to remove (whether you choose to do it manually or use our software), but it performs some unique system modifications that disable some legitimate security software, turns off some important Windows features, mimics some of Microsoft’s own software, and generally acts as a nuisance while reducing the actual security level of an infected computer. I’ll detail those after the jump.

The software installs itself to the %appdata%Microsoft path, using a random, six-alphabetic-character filename.The icon looks like a wooden shipping crate…because there is no material known to humankind with a better reputation for strength, protection, and durability than wood, amirite?

Once installed, the rogue looks like yet another variation on the typical ransomware-type rogue app theme: It starts up with Windows, prevents the Desktop from loading, and only grants access to its “fix error” features if you pay for a license key.

The Settings tab in the rogue’s user interface has some options which allows the victim to close the app temporarily and continue loading the Desktop. But just getting to the desktop doesn’t mean you’ll be able to do anything on the computer once you get there: The rogue prevents most Windows apps from loading, such as the Task Manager, Command Prompt, or Internet Explorer.

For power users, the rogue also “detects” Microsoft’s Process Explorer as malware, and suppressed or killed other manual removal or analysis apps like HijackThis, Process Monitor, TCPView, or PEiD.

The rogue also executes itself when you reboot into Windows’ Safe Mode, sadly with no loss in functionality. In fact, when you boot into Safe Mode, the rogue displays a handy little dialog box that explains (from the perspective of an illiterate malware clown) what Safe Mode is (even though the rogue refers to it as Safe Boot).

The rogue also suppressed 3 other process viewers that I tried to use — Process Hacker, PrcView, and NirSoft CurrProcess — though it didn’t immediately suppress any of them like it did Process Explorer. Instead, the rogue allowed each process monitoring tool to run long enough until it was used to try to kill the rogue, then it tried to terminate the tool. NirSoft CurrProcess was able to kill the rogue’s process before the rogue could fight back, and the rogue did not automatically reload until Windows rebooted.

In addition to actively suppressing analysis tools, the rogue also sets several so-called IFEO (image file execution options) keys in the Registry. When the debugger value is set in any IFEO key, it launches the filename specified in that debugger value instead of the program named in the key. While IFEO keys in general serve a valid purpose, they have been abused for years by rogues and password stealers that want to prevent certain antivirus products from starting up or functioning properly.

IFEO keys are in the following location in the Registry:

HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionimage file execution options(program name)

Among the programs targeted by the rogue’s IFEO keys were Avast Firewall, Avast Antivirus, Eset Smart Security, Windows Defender (the real one from Microsoft), and Microsoft Security Essentials (msascui.exe shown above). On an infected system, these programs would fail to start after a reboot, and you’d see svchost.exe start up momentarily and then quit — if you could get to the Task Manager. The rogue also terminates the Microsoft Malware Protection Service and the Windows Defender service (if present), then sets the services to disabled so they can’t restart after a reboot.

In addition, the rogue sets the following keys that disable functionality on the system:

HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionpoliciessystem | enablelua | 0
HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionpoliciessystem | consentpromptbehavioradmin | 0
HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionpoliciessystem | consentpromptbehavioruser | 0
HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsystemrestore | disablesr HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversioninternet settings | warnonhttpstohttpredirect | 0

These keys, when set as shown above, disable User Account Controls, turn off all the prompting that happens when you try to run a program that needs administrative access, disable the System Restore feature on the computer, and stops IE from warning you when you are entering data into a form that is being submitted to an unsecured HTTP Web site — for example, the order form for Trouble Killer/Salvage System.Webroot blog stats

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This