Tuesday, 6 December 2022

WindowsTool

WindowsTool is a fake optimizer / hard drive repair program that issues annoying errors claiming that your HDD and RAM are damaged, and blocks several programs from running.

Its interface looks like this:

When the program is double-clicked, the virus seems to install a DLL silently and, after 15 minutes, triggers a payload.


Task Manager is disabled upon running:
The injected DLL carries several payloads and blocks certain programs, such as Media Player, to make it look as if the hard drive is damaged, and blocks most programs from running.
As you can see, a fake Windows "no disk" error is displayed.
Upon clicking Cancel, Try Again or Continue, it gives more fake errors about low disk space, delayed write failed and others:
Through these errors it simulates a blue screen crash or a crash error to force a reboot of the PC. Upon reboot it displays a fake Safe Mode with a pop-up error about Windows boot failure.


By pressing the OK button you get into the disk diagnostics.


You can't close the disk repair until you press Start, so there is no way to exit this window until you install a "repair" program.
So what we have is a rogue called Windows Tool, no? But it belongs to the hard drive repair family.

It can "fix" the fake Safe Mode and put the original wallpaper back, so the rogue acts as if it repaired those errors in a fake Safe Mode and brings Explorer back.


It can repeat the payload procedure, showing the fake errors, and at some point crash the PC and repeat the alerts:

Until it adds this error as detected: "A problem was detected while reading system files".
You are forced to activate this program to "fix your hard drive".



You also can't uninstall the rogue unless it is activated, the errors are "resolved" and the payload injected by the DLL is erased.

Signs of the injected FakeSysDef payload in this variant: C:\Documents And Settings\(user)\Application data\R*.dll
The file name can be a random mix of characters after the R, and the DLL is then injected.
You need to activate this rogue; to do that:
A valid code is recorded in this post.
Activated, and well done.
All errors fixed, and once registered the payload DLL is de-injected from this Windows.
:)
Enable all modules
The Task Manager disabling persists, but the payload is erased, so you need to disinfect with MBAM to avoid it reinstalling itself when you uninstall.
This is a fake defragmenter; stay away from the FakeSysDef family unless you have VMware, Virtual PC 2007, VirtualBox or a computer reserved for this.

MD5 of the payload file is: 3df332fbfce7c3ce4846c95a06ca4656
The code used to defeat the rogue is: 8475082234984902023718742058948
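The two indicators the post gives for this variant (the R*.dll dropped under Application Data, and the MD5 of the payload file) can be turned into a small triage script. The example below is added here and is not part of the original post or of any tool it mentions: it walks an Application Data directory, flags DLLs whose name fits the R*.dll pattern (an assumption based on the post's description), compares each one's MD5 against the published hash, and checks the Task Manager policy that the post says stays disabled after cleanup. The `DisableTaskMgr` value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System` is the standard Windows policy for that behaviour; that this variant uses exactly that value is my assumption. The sample directory and files are constructed for the demo so it runs offline; the constructed DLL is a stand-in, not the real payload, so its hash will not match the IoC.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# MD5 of the payload DLL reported in the post above (page-supplied IoC).
KNOWN_PAYLOAD_MD5 = "3df332fbfce7c3ce4846c95a06ca4656"

# The post says the dropped DLL lands in Application Data with a name of the
# form R<random characters>.dll; this pattern is an assumption on that wording.
SUSPECT_NAME = re.compile(r"^R[A-Za-z0-9]*\.dll$", re.IGNORECASE)


def md5_of_file(path):
    """Stream the file through MD5 so large files are not read fully into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_appdata(appdata_dir):
    """Return one finding per R*.dll found directly under appdata_dir.

    Each finding records the path, its MD5 and whether that hash equals the
    post's published IoC. A name match alone is a weak signal (the rogue
    randomises the name and legitimate DLLs can start with R), so the name
    hit and the hash hit are reported separately.
    """
    findings = []
    for entry in sorted(Path(appdata_dir).iterdir()):
        if entry.is_file() and SUSPECT_NAME.match(entry.name):
            digest = md5_of_file(entry)
            findings.append({
                "path": str(entry),
                "md5": digest,
                "hash_matches_ioc": digest == KNOWN_PAYLOAD_MD5,
            })
    return findings


def task_manager_disabled(policy_values):
    """Evaluate the values of
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System.

    The post notes Task Manager stays disabled after the payload is removed;
    the assumption here is that this is the standard DisableTaskMgr policy.
    policy_values is a dict of value name -> data so the logic runs offline;
    on a live host it would be filled from winreg.
    """
    return int(policy_values.get("DisableTaskMgr", 0)) == 1


def build_demo_appdata():
    """Create a temporary Application Data directory with constructed files."""
    d = tempfile.mkdtemp(prefix="appdata_demo_")
    # Constructed stand-in, NOT the real payload; its hash will not match the IoC.
    (Path(d) / "Rxk92qz.dll").write_bytes(b"constructed stand-in for the dropped dll")
    (Path(d) / "legit.dll").write_bytes(b"unrelated library, wrong name pattern")
    (Path(d) / "readme.txt").write_bytes(b"text file, must be ignored")
    return d


if __name__ == "__main__":
    demo = build_demo_appdata()
    for finding in scan_appdata(demo):
        print(finding)
    # Constructed policy snapshot mirroring the state the post describes.
    print("Task Manager disabled:", task_manager_disabled({"DisableTaskMgr": 1}))
```

On a real machine you would point `scan_appdata` at the user's Application Data folder and feed `task_manager_disabled` the values read from the policy key; a name match with a non-matching hash is worth a closer look rather than an automatic verdict, because the post says the DLL name is randomised and the hash belongs to one specific sample.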

