Friday, 24 February 2012

Rogue:Win32/Rudoct


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Aug 31, 2010

Aliases
  • Sus/Behav-1021 (Sophos)
  • PC Defender (other)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.332.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.89.708.0
Released: Aug 31, 2010


 

Summary

Rogue:Win32/Rudoct is a rogue scanner that imitates an antivirus program and displays misleading alerts in an attempt to coax the affected user to purchase it.
 
Special Note:
Reports of Rogue Antivirus programs have been more prevalent as of late.  These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software.  Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. 
 
To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.


 

Symptoms

Symptoms vary among different distributions of Rogue:Win32/Rudoct; however, the presence of the following system changes (or similar) may indicate the presence of this program:
  • Presence of the following files, or similar (for example):
    %ProgramFiles%\Def Group\PC Defender\pcdef.exe
    %ProgramFiles%\Def Group\PC Defender\proccheck.exe
    %ProgramFiles%\Def Group\PC Defender\prockill32.exe
    %ProgramFiles%\Def Group\PC Defender\prockill64.exe
    %ProgramFiles%\Def Group\PC Defender\rundelay.exe
    %ProgramFiles%\Def Group\PC Defender\uninstall.bat
  • Presence of the following registry modifications or similar (for example):
    Sets value: "EnableLUA"
    With data: "00, 00, 00, 00"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

    Sets value: "AntiVirusDisableNotify"
    With data: "01, 00, 00, 00"
    To subkey: HKLM\SOFTWARE\Microsoft\Security Center

    Sets value: "AntiVirusOverride"
    With data: "01, 00, 00, 00"
    To subkey: HKLM\SOFTWARE\Microsoft\Security Center

    Sets value: "PC Defender"
    With data: "%ProgramFiles%\Def Group\PC Defender\pcdef.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Sets value: "Userinit"
    With data: "C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Def Group\PC Defender\pcdef.exe"
    To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Display of the following images/dialogs, or similar (for example):


 

Technical Information (Analysis)

Rogue:Win32/Rudoct is a rogue scanner that imitates an antivirus program and displays misleading alerts in an attempt to coax the affected user to purchase it.
Installation
Rogue:Win32/Rudoct may be installed by other malware such as a trojan downloader. The rogue may be installed silently or without user intervention, and may display as a newly installed program in the 'All Programs' menu on the Start menu. 
 
In the wild, we have observed one sample displaying an icon resembling Adobe Flash, as in the following example:
 
 
Rogue:Win32/Rudoct may be present as the following files:
 
  • %ProgramFiles%\Def Group\PC Defender\pcdef.exe - detected as Rogue:Win32/Rudoct
  • %ProgramFiles%\Def Group\PC Defender\proccheck.exe - detected as Trojan:Win32/Emuni.A
  • %ProgramFiles%\Def Group\PC Defender\prockill32.exe - detected as Trojan:Win32/Emuni.A
  • %ProgramFiles%\Def Group\PC Defender\prockill64.exe - detected as Trojan:Win32/Emuni.A
  • %ProgramFiles%\Def Group\PC Defender\rundelay.exe - detected as VirTool:Win32/Prolonc.A
  • %ProgramFiles%\Def Group\PC Defender\uninstall.bat 
 
The components "prockill32.exe" and "prockill64.exe" are used by the rogue to terminate certain processes that may run on 32-bit and 64-bit versions of Windows.
 
The component "rundelay.exe" functions as a timer to restart the computer so the rogue will run at next Windows start. The component is run with the following parameters:
 
%ProgramFiles%\Def Group\PC Defender\rundelay.exe "shutdown -r -t 0" 1
 
Rogue:Win32/Rudoct makes the following registry modifications to ensure its execution at each Windows start:
 
Sets value: "PC Defender"
With data: "%ProgramFiles%\Def Group\PC Defender\pcdef.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 
Sets value: "Userinit"
With data: "C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Def Group\PC Defender\pcdef.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Payload
Displays fake alerts and fake scan results
When the rogue executes, it simulates scanning the local drive.
 
 
 
Rogue:Win32/Rudoct displays fake alerts.
 
 
The rogue periodically displays alerts from the system tray.
 
 
On occasion, Rogue:Win32/Rudoct simulates a blue screen stop error, and may display an error message such as the following:
 
"The exception unknown software exception (0x00000029) occurred in the application at location 0x6bd6e"
 
The rogue restarts the computer periodically.
 
At random intervals, the rogue may display an image containing adult content with a fake alert of detected malware, such as the following examples:
 
 
 
Lowers security settings
The rogue also makes the following registry modifications in order to lower Windows security settings.
 
Sets value: "EnableLUA"
With data: "00, 00, 00, 00"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
 
Sets value: "AntiVirusDisableNotify"
With data: "01, 00, 00, 00"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
 
Sets value: "AntiVirusOverride"
With data: "01, 00, 00, 00"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
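As an added example that is not part of the Microsoft entry, the PowerShell script below audits a host for the registry and file indicators listed in the Symptoms and Technical Information sections (the persistence values, the lowered security settings and the PC Defender files). It is read-only; the function name Test-RegDword is my own, and the folder, value and file names are taken from the entry above. The encyclopedia prints DWORD data as little-endian bytes, so "01, 00, 00, 00" is the DWORD value 1 and "00, 00, 00, 00" is 0.

```powershell
# Added audit script (not from the Microsoft encyclopedia entry). Reports the
# Rogue:Win32/Rudoct indicators listed above without changing anything.
# DWORD data shown as "01, 00, 00, 00" in the entry is the value 1; "00, 00, 00, 00" is 0.
$findings = New-Object System.Collections.Generic.List[string]

function Test-RegDword {
    param([string]$Path, [string]$Name, [int]$Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and [int]$item.$Name -eq $Expected) {
        $findings.Add("$Path\$Name = $Expected (matches the rogue's security downgrade)")
    }
}

# Security settings the rogue lowers ("Lowers security settings" above)
Test-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA' 0
Test-RegDword 'HKLM:\SOFTWARE\Microsoft\Security Center' 'AntiVirusDisableNotify' 1
Test-RegDword 'HKLM:\SOFTWARE\Microsoft\Security Center' 'AntiVirusOverride' 1

# Persistence: a Run value named "PC Defender", or any Run value pointing into the rogue's folder
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -eq 'PC Defender' -or "$($p.Value)" -like '*Def Group\PC Defender*') {
            $findings.Add("Run value '$($p.Name)' -> $($p.Value)")
        }
    }
}

# Persistence: Userinit should name only userinit.exe; any appended entry is suspicious
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit) {
    # The entry shows the hook as a second comma-separated, quoted path after userinit.exe
    $entries = $userinit.Split(',') | ForEach-Object { $_.Trim(' "') } | Where-Object { $_ }
    $extra = $entries | Where-Object { $_ -notmatch '\\system32\\userinit\.exe$' }
    foreach ($e in $extra) { $findings.Add("Unexpected Userinit entry: $e") }
}

# Files from the Symptoms list, checked under both Program Files locations on 64-bit Windows
$names = 'pcdef.exe','proccheck.exe','prockill32.exe','prockill64.exe','rundelay.exe','uninstall.bat'
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }) {
    foreach ($n in $names) {
        $f = Join-Path $root "Def Group\PC Defender\$n"
        if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
    }
}

if ($findings.Count -eq 0) { 'No Rogue:Win32/Rudoct indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated prompt so HKLM and Program Files are readable; a hit on EnableLUA or the Security Center values alone is worth investigating even if the rogue's files are gone, since those settings stay lowered after the binaries are removed.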
 
Analysis by Patrick Nolan
