When analyzing malware, we often look for strings within the malware samples. These can give interesting insights into the malware, its creators or its targets, for example. While poking into a fake system optimizer, after some decryption layers we also found some interesting strings:
0.System Tool…
1.2011…
2.somedomain.com…
3./install.php?affid=%s…
4.http://%s/buy.php?affid=%s…
5.iexplore.exe…
6.SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce…
7.SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall…
8.This copy of System Tool is unregistered…
9.Yes…
10.No…
11.Windows has detected spyware infection!..Click this message to install the last update of Windows security software……
12.Warning: Your computer is infected…
13.Application cannot be executed. The file %s is infected…Please activate your antivirus software…
14.ThisIsPayFormClass…
15.Attention! System detected a potential hazard (TrojanSPM/LX) on your computer..that may infect executable files. Your private information and PC safety is at risk…To get rid of unwanted spyware and keep your computer safe you need to update your current security software…Click Yes to download official intrusion detection system (IDS software)…
16.Security Monitor: WARNING!…
17.http://%s…
18.Press OK to clean your PC right now…
19.WARNING!…
20.Enter Serial…
21.?affid=…
22.2??.2??.1??.??…
23.http://?????????????.com/…
24./dbg.php?affid=%s&h=%s…
25.Mozilla/4.0 (compatible; MS IE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)…
26.Content-Type: application/x-www-form-urlencoded…
27.http://????????????.biz/…
34.??.1??.5?.2??…
35.c:\mscheck.dbg…
37.Don’t stop me! I give work and money for you!…
38.%d infections cleaned. Reboot required….
39.ThIsIsReGiStErEdMuTeX…
40.qdbkprgy159eho…
41.Don’t stop me! I need some money!…
900.G41w1rkF1rm4A5Du…
999.a.
Especially funny is the string “Don’t stop me! I need some money!”, which seems to be used as a mutex. You can also see some affiliate IDs, which indicate that someone is using a pay-per-install system, as we reported earlier.
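As an added example (not code from the original post or from Avira), the following Python triage buckets the recovered strings by indicator type, extracts the query parameters the sample fills in at runtime (which is where the affiliate IDs appear), and turns the host- and network-facing strings into a YARA rule for detection. The string list is transcribed from the dump above; the category heuristics and the rule name are assumptions.

```python
import re
# Sample input transcribed from the string dump above (its "…" separators were null terminators).
STRINGS = [
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
    "/install.php?affid=%s",
    "http://%s/buy.php?affid=%s",
    "/dbg.php?affid=%s&h=%s",
    "Mozilla/4.0 (compatible; MS IE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)",
    "c:\\mscheck.dbg",
    "ThIsIsReGiStErEdMuTeX",
    "Don\u2019t stop me! I need some money!",
    "Warning: Your computer is infected",
]

# Category heuristics (assumed), tried in order; the first match wins, the rest is UI text.
CATEGORIES = [
    ("registry_key", re.compile(r"^SOFTWARE\\", re.I)),
    ("url_template", re.compile(r"^(https?://|/)[^\s?]*\.php\?")),
    ("user_agent", re.compile(r"^Mozilla/\d")),
    ("file_path", re.compile(r"^[a-z]:\\", re.I)),
    ("mutex_like", re.compile(r"^[A-Za-z0-9]{12,}$")),  # one token, no format chars
]

def classify(strings):
    """Bucket every string by indicator type; unmatched strings go to 'message'."""
    buckets = {name: [] for name, _ in CATEGORIES}
    buckets["message"] = []
    for s in strings:
        name = next((n for n, rx in CATEGORIES if rx.search(s)), "message")
        buckets[name].append(s)
    return buckets

def url_parameters(strings):
    """Query parameter names the sample fills in at runtime (affid = affiliate ID)."""
    params = set()
    for s in classify(strings)["url_template"]:
        query = s.split("?", 1)[1]
        params.update(kv.split("=", 1)[0] for kv in query.split("&"))
    return params

def yara_rule(name, strings, pick=("registry_key", "url_template", "file_path", "mutex_like")):
    """Build a YARA rule from host/network strings only; UI text changes per variant."""
    chosen = [s for cat in pick for s in classify(strings)[cat]]
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(chosen):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')  # YARA string escaping
        lines.append(f'        $s{i} = "{esc}" ascii wide')
    lines += ["    condition:", "        uint16(0) == 0x5A4D and 3 of ($s*)", "}"]
    return "\n".join(lines)
```

The `uint16(0) == 0x5A4D` check restricts the rule to PE files so the UI-independent strings are only matched in executables.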

The fake system optimizer claims that it needs to defragment the hard disk, that huge areas of it are unreadable and that access times are greater than 500ms. This is pure BS, of course. But for less computer-savvy people this may sound compelling.
We detect this malware as TR/Crypt.ZPACK.Gen2 and constantly add new detections for new variants to improve the security of Avira users.
Moritz Kroll
Engine R&D
Dirk Knop
Technical Editor
Posted on 22 March 2011. Tags: Fake, Messages, Optimizer, Special, system
The above information is reprinted from and copyrighted © by Avira.