CleanThis
CleanThis is a fake security application (a clone of ThinkPoint and Palladium Pro).
The rogue reports fake infections, blocks the execution of legitimate software, and displays alert messages to scare the user.
According to VirusTotal, this sample is detected by only three antivirus engines: https://www.virustotal.com/file-scan/report.html?id=27eb412b15445b87ee8b35e419ce6147b69b4d623d6ce66a7993a331b8a0c708-1300493133
The rogue lives in %appdata% under the name "gog.exe"; if it is not there, look for an executable whose icon is the Windows Genuine logo.
The rogue registers itself as the per-user shell (the Shell value under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon) so that it starts in place of explorer.exe at logon; the script below deletes that value so the normal shell comes back.
Windows Registry Editor Version 5.00
;Xylibox 19/03/2010 - CleanThis
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-
Open a text editor, paste the script, and save the file with a .reg extension.
Run it and reboot. Once Explorer is back, delete gog.exe from %appdata% as well, since the script only removes the persistence entry, not the file.
Note for reverse engineers: how the anti-virtual-machine check works
It reads the value of the key HKLM\SYSTEM\ControlSet001\services\Disk\Enum\0 (the Plug and Play device ID of the first disk).
Under VMware the value is: SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0\4&5fcaafc&0&000
It then enters a subroutine that loops over the words "QEMU", "VMWARE", "VBOX" and "VIRTUAL" and tests each of them against the grabbed value.
If EAX does not come back as 0, a virtual machine has been detected: the jump is taken and BL is set to 1.
If the jump is not taken, you end up at the code below.
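The check above, re-implemented as an added example (my code, not the rogue's): a function that applies the same four-word test to a Disk\Enum\0 string, plus a helper that reads the live value with winreg when run on Windows. The VMware string is the one quoted above; the VirtualBox and physical-disk strings are constructed samples, and reading CurrentControlSet instead of the rogue's hard-coded ControlSet001 is my choice, not what the sample does.

```python
"""Re-implementation of the CleanThis anti-VM check (added example).

The rogue reads HKLM\\SYSTEM\\ControlSet001\\services\\Disk\\Enum\\0 and looks
for QEMU / VMWARE / VBOX / VIRTUAL in the string, case-insensitively.
"""
import sys

# The four words the rogue's loop tests, in the order the page lists them.
VM_MARKERS = ("QEMU", "VMWARE", "VBOX", "VIRTUAL")

# Value quoted on the page for a VMware guest.
SAMPLE_VMWARE = r"SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0\4&5fcaafc&0&000"
# Constructed samples (not captured from the rogue): a VirtualBox guest and a physical SATA disk.
SAMPLE_VBOX = r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1c6b5b9f&0&0.0.0"
SAMPLE_PHYSICAL = r"IDE\DiskST3500418AS_____________________________CC38____\5&3a6ccb6e&0&0.0.0"


def matched_marker(disk_enum_value):
    """Return the first marker found in a Disk\\Enum\\0 string, or None.

    Mirrors the rogue's loop: normalise case, then test each word in turn.
    A non-None result corresponds to the "EAX != 0, take the jump" branch.
    """
    upper = disk_enum_value.upper()
    for marker in VM_MARKERS:
        if marker in upper:
            return marker
    return None


def is_virtual_machine(disk_enum_value):
    """True when the rogue's check would flag the value as a VM."""
    return matched_marker(disk_enum_value) is not None


def read_disk_enum(index=0):
    """Read the live Disk\\Enum\\<index> value on Windows.

    Returns None on other platforms or when the key/value is missing.
    Uses CurrentControlSet (the active set) rather than the rogue's
    hard-coded ControlSet001; this is an assumption of the example.
    """
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SYSTEM\CurrentControlSet\Services\Disk\Enum") as key:
            value, _value_type = winreg.QueryValueEx(key, str(index))
            return value
    except OSError:
        return None


if __name__ == "__main__":
    for sample in (SAMPLE_VMWARE, SAMPLE_VBOX, SAMPLE_PHYSICAL):
        print(f"{matched_marker(sample) or '-':8} {sample}")
    live = read_disk_enum()
    if live is not None:
        print("live:", live, "->", "VM" if is_virtual_machine(live) else "physical")
```

Two caveats worth noting when you see this pattern in a sample: ControlSet001 is not guaranteed to be the active control set, so the rogue's read can silently miss, and "VIRTUAL" matches any disk whose vendor or product string happens to contain the word, so the check can misfire on physical hardware as well.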
The three last calls:
0050506A |. CALL 0050CADC - creates a registry entry that makes cmd delete the malware automatically
00505072 |. CALL 0050C1D8 - launches a system shutdown
00505048 |. CALL 00405E18 - closes the process
What happens now if you take the jump?
:þ