Thursday, 31 January 2019

Desktop Security 2010 - Primary Version of FakeRean - Fake Antivirus

Desktop Security 2010 is an early (primary) version that looks like Desktop Defender 2010.
Its installer has a bright green interface.

After installation it drops junk files, and during the scan a voice announcing "NEW VIRUS FOUND" is played on whatever audio device is available.
Its GUI and the performance hit it causes make this a high-risk threat.
Once installed it disables the legitimate Security Center and replaces it with its own false alerts, which pretend to be the Security Center and say "Your computer might be at risk":
These alerts alternate with other alerts saying "Virus alert".
If we try to ignore them, it redirects to some options and to the activation process.
The alerts look like this:
They display "Spyware Alert", "Possible loss of data" and "Mass mail worm".

Once we press a button there is no way to escape:


If ignored, it runs an unwanted payload.
The worst of the false-alert problems comes from securitycenter.exe: it plays junk sounds and loud effects, flashes the screen colours and pretends that the computer's performance (or something else) is affected by malware. It also turns the screen black for a while.
Other alerts behave like an unknown Security Center alert.

Nothing escapes the alerts. This trojan is also assisted by, and kept in sync with, other exe files.
If you try to open a program such as a browser, wmplayer, mspaint, bdcam and others, the primary version shows an error like this:
On pressing the OK button (or anything else) a scan starts and reports "new virus found".
Together with the "VIRUS FOUND" sound it displays further alerts:



This alert creates a lot of junk and bad files in the temp folder.
They are only a few KB each, and trying to delete or open them produces more errors.

And another one that shows Windows registration/license info.

After the fake alerts a fake blue screen is shown.
After reboot the hijacked winlogon shell takes over:
The fake blue screen error is triggered after the PC has been idle for 30 minutes.
The rogue antivirus also hijacks Task Manager and opens a fake one

It uses a taskmgr.dll to hijack and inject. Processes marked virus-free can be killed freely, but any attempt to kill a process marked INFECTED redirects to activation.
Plus the blank-screen and other payloads (flashing blank screen and loud sound; the loud sound also shows up in the mixer).
The process:
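The post says the hijacked winlogon shell comes back after reboot but does not name the registry value involved. As an added example (my code, not the blog author's), here is an offline check that parses a `reg export` of the Winlogon key and flags a Shell or Userinit value that differs from the Windows default. The key path and the default values are the standard Windows ones and are assumptions on my part; the sample .reg text is constructed to mirror the behaviour described, and the rogue path in it is made up.

```python
"""Check a Winlogon registry export for a hijacked shell.

Added example, not part of the original post. The post says the rogue
hijacks the winlogon shell after reboot but does not name the registry
values, so this assumes the standard Winlogon key and its "Shell" /
"Userinit" values. It parses the text that `reg export` writes (a .reg
file), so it runs offline on any OS.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Defaults on a clean XP / Windows 7 box (assumption, documented here).
EXPECTED = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
}

# Constructed sample export; the rogue path below is invented for the demo.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\user\\Application Data\\Desktop Security 2010\\securitycenter.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"DefaultUserName"="user"
"""


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    Only REG_SZ values ("name"="data") are decoded; dword:/hex: data is
    kept raw so nothing is silently dropped. A real export is UTF-16LE:
    read it with open(path, encoding="utf-16") before passing it in.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def check_winlogon(keys, expected=EXPECTED, key=WINLOGON_KEY):
    """Return [(value_name, actual)] for Winlogon values that differ from the default.

    A missing value is not reported: Windows then falls back to its built-in
    default, which is exactly what a clean machine looks like.
    """
    values = keys.get(key, {})
    findings = []
    for name, default in expected.items():
        actual = values.get(name)
        if actual is None:
            continue
        if actual.strip().lower() != default.lower():
            findings.append((name, actual))
    return findings


if __name__ == "__main__":
    for name, actual in check_winlogon(parse_reg_export(SAMPLE_REG)):
        print("suspicious Winlogon value %s = %s" % (name, actual))
```

The same function can be pointed at the per-user copy of the key by passing its HKEY_CURRENT_USER path as `key`; a rogue that survives a reboot only for one account usually lives there instead.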
The program files look like this:
The setup file is called SoftwareInstall[1].exe
MD5: 14c54dc822a59ccbd436ef226ddb648b
SHA-1: 87d620edf59390371066daebb86e0cc081b38c2d
SHA-256: 493a1fce7927471d9c745d6bddd8aa9ce7944d3b06de64404664e243c44d3b94
The AV results are:
Avira: TR/FakeAV.CD.1
F-Prot: W32/MalwareS.ITF
ESET: ADWARE.DESKTOPDEFENDER2010.AC
Microsoft: Rogue:Win32/FakeRean
Kaspersky: Trojan.Win32.FakeAV.cd
And more.
And the activation process. The key is: LIC-1800-FE88-8788-BBED-B26C-899B-14A6-4503-4618-EB85-B7A8-371D-1097-FEBC-B41D-C2B1-7A5F
Same as Antivirus Solution 2010. It stores this key in its registry key.
Its activation message is changed, or maybe this is the primary one. Well:

No more annoying things, and the update feature is dead.
The uninstall process:
We need a key to remove the software and reset, so this only works after activation. My machine ID is 92o5n9autvod
Grammar error, very idiotic.
After I debugged the uninstall key for my particular machine ID:
YAY! Here is my private uninstall key: b139228c3241c03a0b0979fde5dd6c2d
Removal only works on the full version, "for security reasons". It resets the shell and removes the files.
In conclusion it has the same payload as Antivirus Solution 2010, which must go here.
Bonus: some offline help files, similar to its official site and payment page.
Its page looks like this:
Video review:
This was tested on XP, and an attempt with rkill failed, so I see a lot of stuff like that.
I will post more about discovered rogue malware. :)
A post about the upgraded version is coming soon.

Wednesday, 23 January 2019

Antivirus Solution 2010 - FakeRean Rogue.Contra antivirus Zaxar

Antivirus Solution 2010 is a fraudulent rogue software program; it replaces Desktop Defender 2010 and Desktop Security, and Antivirus Studio 2010 was its previous rogue name.
The installer looks like this:
 
It has a license agreement, and the user cannot cancel the installation.


And it takes a minute or three to install:





Once installed its interface looks like this, with the scan in action.
It does not drop files of its own to be "detected" as malware; it only scans "high risk" cookies or temp files.
After the scan finishes, or is cancelled or stopped, this warning appears:
With "Continue Unprotected" or similar we are pushed to buy the software.
When we cancel or exit the program, we are warned that we are in danger:
We also meet the following pop-ups in the taskbar


And if we close or minimise the interface, a pop-up appears again, like this
Clicking on Clean, Disinfect, Activate or License Key redirects to the activation window.
Update is not free either, but still leads to the activation window.
The firewall "add rule" option leads to the same fake alert
Anyway, it still annoys users with a fake task manager, a blue screen and other malicious stuff.
It also has glitches and mistakes
No Zaxar program ever tries to update through a proxy
And "Desktop Security"? A big mistake in a clone!
And the firewall add, edit, default and delete rule:
This threat disguises itself quickly: it installs itself and its files under AppData\Roaming, and its registry key folder is "Antivirus Solution 2010".
The filename is security.exe and the installer is 2.64 MB
Results and hashes
MD5: 458f9b649dd20ae32415aa27e00e55cc
SHA-1: 55951c1f7bcd526cbdc405eac34817ba152b21c0
SHA-256: 62bcd987079315a69099bb743d7f123d71f8d84c43d501daa543226b40c76db7
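The hashes above, together with the ones listed for SoftwareInstall[1].exe in the Desktop Security 2010 post, are the only hard indicators on this page. Here is an added example (my code, not the blog's tooling) that sweeps a directory, hashes every file and reports matches against those six digests, plus a weaker name-based hit on the file names the posts mention. The directory layout, function names and stand-in files are constructed assumptions; because the real samples are not in the block, the demo registers the SHA-256 of one constructed stand-in as an extra indicator purely to show what a positive hash match looks like.

```python
"""Hash-based triage for the two FakeRean samples described in these posts.

Added example, not tooling from the original blog. The six hashes are the
ones listed in the posts (SoftwareInstall[1].exe for Desktop Security 2010,
security.exe for Antivirus Solution 2010). The scan layout, helper names
and stand-in files are assumptions made for illustration.
"""
import hashlib
import os
import shutil
import tempfile

# Indicators copied from the posts: hex digest -> (sample label, algorithm)
DS2010 = "Desktop Security 2010 SoftwareInstall[1].exe"
AS2010 = "Antivirus Solution 2010 security.exe"
KNOWN_HASHES = {
    "14c54dc822a59ccbd436ef226ddb648b": (DS2010, "md5"),
    "87d620edf59390371066daebb86e0cc081b38c2d": (DS2010, "sha1"),
    "493a1fce7927471d9c745d6bddd8aa9ce7944d3b06de64404664e243c44d3b94": (DS2010, "sha256"),
    "458f9b649dd20ae32415aa27e00e55cc": (AS2010, "md5"),
    "55951c1f7bcd526cbdc405eac34817ba152b21c0": (AS2010, "sha1"),
    "62bcd987079315a69099bb743d7f123d71f8d84c43d501daa543226b40c76db7": (AS2010, "sha256"),
}

# File names the posts associate with the rogues; a weak indicator on its own.
SUSPICIOUS_NAMES = {"softwareinstall[1].exe", "security.exe", "securitycenter.exe"}


def hash_file(path, chunk=1 << 20):
    """Return {"md5", "sha1", "sha256"} hex digests of a file, read in chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_tree(root, known_hashes=KNOWN_HASHES, names=SUSPICIOUS_NAMES):
    """Walk root and return [(path, reason)] for hash or name hits.

    A hash hit is definitive and wins over a name hit for the same file;
    a name hit only says "look at this file".
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            hit = False
            for algo, hexd in digests.items():
                label = known_hashes.get(hexd)
                if label and label[1] == algo:
                    findings.append((path, "hash match: " + label[0]))
                    hit = True
                    break
            if not hit and fname.lower() in names:
                findings.append((path, "suspicious file name"))
    return findings


def demo():
    """Build a constructed tree, scan it and return {basename: reason}.

    None of the stand-in files is real malware; the SHA-256 of one of them
    is added to a copy of the indicator set only to exercise the hash path.
    """
    root = tempfile.mkdtemp(prefix="fakerean_demo_")
    try:
        roaming = os.path.join(root, "AppData", "Roaming", "Antivirus Solution 2010")
        os.makedirs(roaming)
        with open(os.path.join(roaming, "security.exe"), "wb") as fh:
            fh.write(b"MZ constructed stand-in, not the real sample\n")
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"benign file\n")
        stand_in = os.path.join(root, "SoftwareInstall[1].exe")
        with open(stand_in, "wb") as fh:
            fh.write(b"MZ another constructed stand-in\n")
        iocs = dict(KNOWN_HASHES)
        iocs[hash_file(stand_in)["sha256"]] = ("constructed demo sample", "sha256")
        return {os.path.basename(p): r for p, r in scan_tree(root, iocs)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, reason in sorted(demo().items()):
        print(name, "->", reason)
```

Pointed at a suspect profile (for example the user's Application Data or AppData\Roaming folder from a mounted disk image), `scan_tree` gives a hash hit for either sample and a name hit for the securitycenter.exe component; the name hits are only a prompt to pull the file for a closer look.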
34 / 41 engines found this threat. AV results:
Microsoft: VirTool:Win32/Obfuscator.JY (FakeRean rogue)
NOD32: Kryptik.HMY
Avira: TR/FakeAV.ZI
And many more...

Let's try the activation process. The license key is LIC-1800-FE88-8788-BBED-B26C-899B-14A6-4503-4618-EB85-B7A8-371D-1097-FEBC-B41D-C2B1-7A5F
Once activated, the software updates and removes threats.
REMOVAL OF THREATS:

After disinfection no threats are found, Auto protection is ON and the database is updating:
After the update finished I got this notification

And full access to everything in this fake antivirus.
And the uninstall is free, without an uninstall key, but it requires debugging.
The uninstall process looks like this:
Videos about this rogue are here
Rogue video review:
 
And cookie detection
Thanks very much to Andrew Mickelson for this sample, which he sent using vxvault win32.malware.sample; the files come from the site antivirus-solution2010