Anatomy of a malware scam - The evil genius of XP Antivirus 2008

Love the title, Jesper!

http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/

Jesper's article includes a description of a browser hijack intended to dump its victim at a fraudware site. It also takes a close look at the fraudware itself: its installation, its behavior after install, and how it tries to convince victims to part with their hard-earned cash by purchasing the full version of the software.

He also takes a quick look at its removal using legitimate anti-malware software.

The article is well worth a read.

Comments

# re: Anatomy of a malware scam - The evil genius of XP Antivirus 2008

Wednesday, September 17, 2008 10:11 PM by Mark in Naples

Tonight, 9-17-08, I helped a friend who was infected with "virus webprotect 2008." It was very clever software, similar to XP Antivirus 2008, in that it was fraudware attempting to extort money for a phoney antispyware. My friend was fooled by its security center warning look and told his anti-spyware he trusted it. The next thing it did was put its own background onto the desktop (through the active desktop) of a red dripping bio-hazard symbol, then it hijacked IE completely, and dropped 3 icons on the desktop. The program files were removed and the task manager blocked. There was no way to inspect the computer.

I stuck in a memstick and was able to coax explorer to show me the C drive through the network connections; it seemed the software writers forgot that path... I was then able to invoke system recovery and go back a few days. Recovery failed, according to its report, but it actually rewrote enough registry entries to get the permissions back and to see the program files again. From there I disabled the active desktop, reset IE, ran CCleaner (on the registry also), and found that it still hijacked IE. But the workaround is to hit home or refresh to turn off the hijack. Oh, I figured on removing Java completely until it was gone.

Now the security program has found 6 viruses, 3 spyware, and 1 malware and is still counting. I'll clean up the rest tomorrow. This was a bear and took 2.5 hours to figure out. Anyone else seen this or a variant?

Mark in Naples

# re: Anatomy of a malware scam - The evil genius of XP Antivirus 2008

Sunday, September 21, 2008 12:55 PM by Mark Odell

From Page 4:

> Virtually all areas of the page, including popup3.gif, are linked through an on-click event to a function called onloadExecutable()

>[...]

> This function does nothing more than trigger a download by setting the location of the browser to a script that initiates a download.

>[...]

> If you click OK in Figure 5 it runs the onloadExecutable() function. If you click cancel or close it throws another warning, shown in Figure 6. That warning will run onloadExecutable() no matter what you do; whether you click the OK button or the red X to close it.

>[...]

> Therefore, no matter what you do, you will be prompted to download a file.

Did someone say msmvps.com/.../1645130.aspx again? NoScript saves our collective keesters!

Did someone else say windowssecrets.com/.../061026: only sites you trust to be legitimate and responsible get to run code in the browser?
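The quoted Page 4 passage describes a dialog chain in which every exit leads to the same place. The following is an added example, written here to model that flow; it is not code from Jesper's article, from the commenters, or from the fraudware itself. The names onloadExecutable(), popup3.gif and the Figure 5 / Figure 6 warnings come from the quote; the URLs, the other clickable area names and the dialog texts are constructed placeholders. The confirm() stub stands in for the browser's dialog so the code runs offline under Node, and the "scripts disabled" path is the NoScript point made in the comment above.

```javascript
// Added example: a runnable model of the forced-download flow quoted from
// Page 4. Names from the quote: onloadExecutable(), popup3.gif, Figure 5/6.
// URLs, extra area names and dialog texts are constructed placeholders.

const START_PAGE = "http://fraudware.example/scan.html";        // constructed
const DOWNLOAD_SCRIPT = "http://fraudware.example/download.php"; // constructed

// Every way a user can answer a warning: the OK button, the Cancel button,
// or the red X that closes the dialog.
const CHOICES = ["ok", "cancel", "close"];

// Stand-in for the browser: a location plus a confirm() that is answered
// from a scripted list of user choices. Unanswered dialogs count as "close".
function makeBrowser(choices) {
  const queue = [...choices];
  return {
    location: START_PAGE,
    dialogs: [],
    confirm(message) {
      const answer = queue.length ? queue.shift() : "close";
      this.dialogs.push(`${message} -> ${answer}`);
      return answer === "ok";
    },
  };
}

// "This function does nothing more than trigger a download by setting the
// location of the browser to a script that initiates a download."
function onloadExecutable(browser) {
  browser.location = DOWNLOAD_SCRIPT;
}

// Figure 6: runs onloadExecutable() whether the user clicks OK or the red X.
function figure6Warning(browser) {
  browser.confirm("Figure 6 (constructed text): your PC is still infected");
  onloadExecutable(browser);
}

// Figure 5: OK runs onloadExecutable(); Cancel or close throws Figure 6.
function figure5Warning(browser) {
  if (browser.confirm("Figure 5 (constructed text): install the scanner?")) {
    onloadExecutable(browser);
  } else {
    figure6Warning(browser);
  }
}

// "Virtually all areas of the page, including popup3.gif, are linked through
// an on-click event" to the same chain. Only popup3.gif is from the quote.
const ONCLICK = {
  "popup3.gif": figure5Warning,
  "scan-button": figure5Warning,   // constructed area name
  "page-body": figure5Warning,     // constructed area name
};

// Click one area, answering the dialogs as scripted, with scripting on or
// off. Returns the location the browser ends up at.
function click(area, choices, scriptsEnabled = true) {
  const browser = makeBrowser(choices);
  if (scriptsEnabled && ONCLICK[area]) ONCLICK[area](browser);
  return browser.location;
}

// Exhaust every way the user can answer the (at most two) dialogs and
// collect the distinct places the browser can end up.
function allOutcomes(area, scriptsEnabled = true) {
  const outcomes = new Set();
  for (const first of CHOICES) {
    for (const second of CHOICES) {
      outcomes.add(click(area, [first, second], scriptsEnabled));
    }
  }
  return [...outcomes];
}

// With scripting on, every answer sequence ends at the download script:
// "no matter what you do, you will be prompted to download a file."
console.log(allOutcomes("popup3.gif"));
// With scripting blocked (NoScript), the on-click handlers never run and
// the browser stays on the original page.
console.log(allOutcomes("popup3.gif", false));
```

The point of exhausting the choices rather than clicking through once is that the "Cancel" and "close" branches look like escapes but are not; only the `scriptsEnabled = false` path leaves the location untouched, which is exactly what blocking script on an untrusted site buys you.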

# security

Friday, October 24, 2008 12:22 AM by http://www.eradicatespyware.net

That's good stuff above. Evil XP Antivirus 2008 is rogue. I completely agree with the author: it's not adware but fraudware, as it fools normal users. I wonder if the antivirus security companies could take legal action.

Regards,

Thanks.

# re: Anatomy of a malware scam - The evil genius of XP Antivirus 2008

Thursday, October 30, 2008 5:49 PM by computer help

Interesting post, not sure I agree fully although you make some excellent points, thanks for a good read.