Late last year, we talked about how fake system diagnostic tools were becoming the next step in the evolution of FAKEAV malware. These variants started to affect Japanese users as well.
Fake system diagnostic tools such as this variant named System Defragmenter were first discovered in October 2010. These tools very frequently change their names. At present, we are aware of at least 30 different names/aliases that these tools use. Cybercriminals may believe that changing their products’ names makes detecting and removing these much more difficult.
None of this should be taken to mean that conventional fake antivirus attacks have gone away, however. Last week, a very high-profile attack involving a rogue antivirus detected by Trend Micro as TROJ_FAKEAV.SMTV hit Twitter. Many users fell prey to this when they clicked links that used the goo.gl URL shortener to lead to this FAKEAV variant’s download.
Attacks involving fake diagnostic tools are similar to traditional FAKEAV attacks. A fake tool appears to function like a real system diagnosis tool though its supposed diagnostic functions never work. Once users’ PCs are infected by such a tool, these repeatedly displayed fake warnings saying that the system is suffering from hard disk problems.
Inexperienced users may worry and panic over these problems. They may end up paying for additional “tools” and giving cybercriminals their personal information such as email addresses and credit card numbers. Like FAKEAV, these fake diagnosis tools will cause many problems for users.
Infection Vectors
Fake diagnostic tools may arrive via several different infection vectors:
- Users visit malicious sites and manually download and install malicious files.
- Users visit malicious sites that are riddled with exploits, which silently install malicious files in the background.
The tactics cybercriminals use to distribute fake diagnostic tools are broadly similar to those used for FAKEAV malware. Cybercriminals may lead users to their own sites by using Black Hat Search Engine Optimization (SEO) poisoning or to compromised legitimate sites. Cases where these fake tools are installed without the users’ knowledge may lead them to think the fake tools are actually legitimate programs, allowing the attacks to succeed.
System Defragmenter is detected as TROJ_FAKEAL.GG. While the sites that distribute it are now inaccessible, similar attacks did not stop from being launched, albeit using constantly changing names and sites. Understanding how these attacks are conducted will help users avoid becoming their victims.
Its installer uses the same icon as Windows Update.
Fourteen minutes after the tool is installed, it displays a fake alert in the user’s notification area.
The following gallery shows the various fake images that this malware displays:
Here are some of the other names the fake diagnostic tools use:
- Check Disk
- Defragmenter
- Disk Doctor
- Disk Optimizer
- Disk Repair
- DiskOK
- EasyScan
- FastDisk
- GoodMemory
- Hard Drive Diagnostic
- HDDControl
- HDDDefragmenter
- HDDDiagnostic
- HDDFix
- HDDHelp
- HDDPlus
- HDDLow
- HDDRecovery
- HDDRepair
- HDDRescue
- HDDTools
- MemoryFixer
- MyDisk
- QuickDefrag
- Scan Disk
- Scanner
- Smart HDD
- Support Tool 2011
- System Degragmenter
- Ultra Defragger
- Win Defrag
- Win Defragmenter
- Win Scanner
Solutions and Workarounds
Trend Micro free tools can clean systems that have been affected by System Defragmenter. However, users have to first go around one of this malware’s behaviors—monitoring the execution of applications—so that some security tools like HijackThis as well as files in the C:\Windows and C:\Program Files folder will not run and instead display the following:
Users will have to terminate the malware process first. The procedure starts by determining the file name that malware used. To do this, follow these steps:
- Right-click the shortcut (System Defragmenter) on the desktop and select Properties.
- Check and note the file name, which is usually made up of random characters. In the following screenshot, the file name used was 1181500.exe.
After taking note of the file name, open Task Manager by pressing Ctrl+Alt+Delete and use it to terminate the fake tool’s process.
Using HijackThis, take note of any or all of the registry entries that the malware added. HijackThis can then remove these entries to stop the malware from running whenever the system starts. (The suspicious entries have been enclosed in a red box.)
Our online scanner HouseCall can then be used to scan and remove the malware from the system.
Post from: TrendLabs | Malware Blog – by Trend Micro
Fake System Tools Spread to Japan
Full story: TrendLabs | Malware Blog – by Trend Micro
