Rogue ... antivirus 2009

I don't think this behaves like an AV. It only shows a "progress bar" and says it's scanning, but when you hit the button, it downloads a file. No actaul scanning.
BTW, has anyone opened the executable that gets downloaded? I only get exes that won't open, they crash on execution. At first I thought it was my super restrictive sandboxie testbox settings, but I tried on a default settings sandbox and the exe still crashes...
I'm about to run this thing unsandboxed....

 

Ummm that might be a dangerous. If you have a program that can give you a virtual partition try running it on that.

 

Of course, Returnil is always enabled... But don't worry, I was half kidding...

 

Hey has any one checked the link.Its says Nod32 Free download 100 Webspaces.sorry No link its a direct to it.Warning Second page 7th link down.

Just tested with spyware terminator Hips Warning pop up I blocked it.I then Tried again the Excutable it terminated automatically.Passed (Clean)

 

I tested with Avira Free Not a word from the Guard,Heuristic set to high. I did Not Scan with Demand.Note I just uploaded files virus total all 36 scanners say Nada (clean)

 

Hey djohn, are able to execute the file that gets downloaded?

 

I downloaded and it was running and updating in the tray.Today the fisrt time With UAC on this Time it prompt admin and password, I declined that and closed out that window. The second time with the UAC prompt it was allowed to execute with out the Ask of Admin or password it downloaded.Some confushion there,I have No clue what that was all about.

 

Now I got a working exe. Finally.
Testing it sandboxed. It flaggs firefox.exe as a Trojan and MBAM.exe as sypware LOL.
Offer to buy "full protection" doesn't work, since SBIE forbids internet access. SBIE kicking some butts!
Ok, I got bored with this. Time to terminate running process and delete sandbox.
Maybe later I'll try it in a less restricted sandbox...

 

@ Hurst,I am curious though what Does this Rogue do what harmfull are in it or is just a seed so to speak to open the door for the worst to come.If it contains any real criiters why Do AV scanners get blind by it.

 

This is because of the "onclick" parameter in the code:

Code:

<body onload="init();" onunload='return destroy();' 
onclick="return SuggestDownload();" 

The procedure used to be to use CRTL F4 to close the window, but I've seen some that won't even close at all - no matter what you do, you are in a continuous loop.

This exploit is tame compared to some from a few years back. Here, you have a Download Prompt window.

Back in 2006, for example, several exploits downloaded the malware in the background by remote code execution as soon as the person accessed the page.

Today's exploits use an animated image to fake a scan in progress. That is an "improvement" on those from past years such as this one:


__________________________________________________________________

Immediately a download began in the background, even if the user later clicked to close the page.

Using screenshots that many have taken here is a good way to teach others about this type of exploit.

I have a collection of different screenshots I show people. To some, I actually used my laptop to access the page to watch the attempted drive-by download being blocked.

If you build up a collection of screenshots to show people how these various exploits work, this will reinforce just giving them a rule, Not to respond to anything on a web site that purports to inform you that your computer is infected, or _________________ (fill in the blank). This also covers banner ads which do the same thing.

This can be a part of your training when you have a chance to work with people. In this way, they will avoid being fooled by these exploits.

----

 

Thanks ramus as always very informative.I did read about the Ctrl 4.I have to admit its very neat and clever how this exploits are done. I just wish I was that smart i would put to good use.When I first got my very own pc around 98/99 My nephew warned about porn site dangers.Well that was like putting a candy bar in front of me and tell me do not eat it.Off I went to the porn sites,talk about endless loop,I had so many popups windows open that when I closed one ten more opened. lesson learned.

 

As usual, nice post Rmus. Thanks for the info and advice. BTW, correct me if I'm wrong, but this exploit likely does not harm the pc, per say. Rather it is a type of extortionist program to fleece the misinformed of their hard earned cash?

 

Actually, you can download the freeware RogueRemover from here: http://www.malwarebytes.org/rogueremover.php This utility is very effective against 469 rogue applications. I am not sure though if it works against Antivirus 2009, but it should...!

smitfraudfix found here is another possibility.

 

Why remove it is very colorfull and did you see the detection it found.

 

You are welcome. Yes, they are very clever. Well, there is a lot of money to be made from unsuspecting victims.

I thought it is considered a money-stealing scam, but wasn't aware that it is an extortionist program. Do you mean in the sense of blackmail?

No matter how persistent the prompts, the user can still just disconnect from the internet and close the browser to get rid of it.

Unless you have something else in mind...

As far as not harming the computer, there seem to be several variants of this exploit.
Here, some changes are made to the computer:

Antivirus 2009 Hijacks The Google Web Site
http://www.bleepingcomputer.com/forums/topic154973.html

---

 

Maybe a poor choice of wording on my part Your description is correct.

Okay, so it could do some other harm as well. Thanks for the info!

 

I have read on another forum about a user who actually paid the "ransom".
Ended up with no improvement to the computer, the browser was still hijacked, the control panel still wouldn't open, a few other things not right, but the nag screen stopped.
Doesn't sound like a very good deal.

 

It doesn't seems like this thing does any critic damage or downloads any more malware (altough I'll test it in a few hour, this time granting internet access)

I noticed one thing: When I terminate the executable and after the sandbox gets deleted, that colorful tray icon was still there, until I placed the mouse over it. Then it dissapeared. It was like what happens sometimes when applications crash. Can anyone confirm this?

 

I think this is a Vista issue or Windows in general.

A lot of times -windows live messenger for example- I exit, I close it and the tray icon is still there. When I place the mouse over it, it is gone.

 

This has been happening a lot to me since SP3 on legit apps most notable with instant messengers. Might just be the case for av2009 as well even if it has already been terminated.

 

Happens here on xp SP2 too. Maybe it's about slow computers.

 

Tried on XP SP2.

It,s colorfull.

 

CFP blocks its install as there is a rule to deny any execution from temp internet files.

If I allow it, then there are too many pop ups.

 

Tried in GW. Installed fine. MBAM scan detected multiple infected items.

Killed the isolated process via GW console and deleted its files manually via GW isolated file scanner.

I run a scan of MBAM and it was clean.

 

TF- no detection on behavior base( i did not used the blacklist).

SBIE- no problems to delete it fully.