Windows Security Center - FakeAV

I tested some zero day malware 2-3 days ago. Unfortunately I deleted my virtual PC. I don’t remember the filename or the link to that FakeAV.

Anyway, it seems like it could delete the Windows Security Center service. The malware couldn’t be started after reboot but my Security Center was destroyed. I mean I couldn’t activate the service again because the service disappeared.

Okay, I found it.

Here is the malware which deletes the Windows Security Center service.

The password is malware. Only run it on a Virtual PC, not on your normal system.

Answer would be nice.

I removed the download link to the malware for safety reasons. We do not allow links to live malware in the public part of the board.

However, when members are interested you can send them the URL by PM.

Okay, sorry.

So it would be great if some of you guys could test the file and tell me if it bypasses the sandbox. Just PM me.

I did a bit of testing on Win 7 in VMware and I ran the malware in both Internet Security and Proactive Security configurations.

Before rebooting it will disable the Windows Security Center service. It also makes its own Security Center lookalike and will start a rogue AV program that scans the computer. See attached image.

After reboot the rogue is no longer running and the Action Center functions again. Since it could disable the service it could have disabled it from starting with Windows.

During testing the Cloud AV started to report the program as being malicious.

[attachment deleted by admin]

I did test it in XP SP3 in VMware and after the reboot the Security Center told me the settings for the AV update were not sound (they are on notification only). They could not be changed from within the Security Center; Windows told me to try manually. Manually did not work either.

I tried switching on the Intelligent Background Transfer Service but that did not help. I fixed it with a batch script that resets Windows Update and re-registers all of its components.

Used VMware Player with Windows 7 x64.

Security Center couldn’t be activated again after reboot. The malware didn’t start but it managed to delete the Security Center service like I said. It’s gone and I can’t re-enable it.

Is the Execution Control Setting set to the default ‘Partially Limited’?
Try changing it to ‘Restricted’ or ‘Untrusted’ and test the malware again.

Can anybody test this with Win 7 x64? It looks like different OS versions may make a difference here.

I have x64 Windows. Send me the sample and I will test and tell you the result.

@EricJH

The file execution is blocked by Comodo as the sample is identified as Generic Trojan.

Shall I stop the realtime AV and test?

[attachment deleted by admin]

Please add it temporarily to the AV exclusions.

I am interested to see if the malware, when being run in the sandbox, can make changes to the Security Center like I noticed in XP or “deletes windows security center service” on x64 like Forever1988 describes.

I turned off the realtime protection and let the file run.

D+ gave an alert that it is trying to modify c:\windows\sysWoW64\dfrgui.exe, which I deliberately allowed.

I attached the alerts that I got.

I also got a trojan blocked message, unfortunately I could not capture it.

It is c:\users\welcome\AppData\Local\pkr.exe —Trojan Generic Agent

Still, no alert from Sandbox.

After restart, the FakeAV was up and running along with the Fake Action Center warning.

Comodo did not start automatically, started fine manually but still nothing is running in Sandbox or nothing is stopped by D+.

It removed Action Center, Guest Additions too… It is not even letting me use IE.

I tried to locate and kill this from the D+ - View Active Process List, but could not find any unknown/untrusted file running.

I figured out the process; it was actually trusted:

c:\users\welcome\AppData\Local\bav.exe, no company name specified, but Trusted (probably in TVL)

I found mnf.exe, pkr.exe, bav.exe in the folder. I am trying to back them up.

I will add screenshots after finishing the backup.

Meanwhile, if you want me to check anything else, I will do it.

I restarted again, now all the exe files, including COMODO ones are corrupt.

Double clicking on anything, including cfp.exe, cmdagent.exe brings up an open with dialog.

I am trying to boot with a linux image, mail the saved screenshots to myself, and post here.

Could not retrieve the screenshots… Unable to communicate with the VM.

I will do it again if needed.

By the way, what is the progress? The file is actually detected by the cloud, but it is somehow in the Trusted list…

It looks like this malware can do more damage in x64 which shows that x64 is more vulnerable than x32.

There are a lot of security enhancements with the upcoming v5.8 for x64. Is there anybody out there who has x64 version of 5.8 beta running in a vm and is willing to test?

@EricJH

Maybe I have not specified it clearly in my posts, but I tested it in Windows 7 x64 running in a virtual machine with CIS 5.8 beta installed.

Were you running the Internet Security or Proactive Security configuration? Did you have “Do not show pop-up alerts” enabled and set to allow? Did you make big changes to D+ settings? The reason for asking is that the malware caused a lot of harm; more than I expected.

I did not change any settings, CIS was running with defaults.

No, I did not check that box, I left it with the defaults too…

These are the only things that I did consciously.

Edit: Did the same test with Proactive Security settings, same result.

I sent egemen a pm asking to take a look at this.

Fine, please let me know if there is any improvement in the situation or I need to test it again…
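The thread reports two symptoms that can be checked from a script after a test run: the Security Center service (service name wscsvc on Windows 7) no longer existing, and every double-clicked .exe bringing up an Open With dialog. The PowerShell below is an added triage check written for this thread, not code from any poster or from Comodo; it assumes the stock Windows 7 values (service name wscsvc, .exe open command `"%1" %*`) and should be run in an elevated PowerShell inside the test VM.

```powershell
# Added triage check for the two kinds of damage reported in the thread.
# Assumptions: Windows 7, stock service name wscsvc, stock exefile verb.

$findings = @()

# 1. Does the Security Center service still exist, and how is it set to start?
#    Deleting a service removes its key under CurrentControlSet\Services,
#    which is why it can no longer be re-enabled from the Services console.
$svc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += 'wscsvc: service is MISSING (Services registry key deleted)'
} else {
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'
    $start  = (Get-ItemProperty -Path $svcKey -Name Start).Start
    # Start value: 2 = Automatic, 3 = Manual, 4 = Disabled
    $findings += "wscsvc: status=$($svc.Status) start=$start"
}

# 2. Is the .exe "open" verb still the stock '"%1" %*'? A tampered or removed
#    command is a common reason every double-clicked .exe shows Open With.
#    (A per-user override under HKCU\Software\Classes would also need checking.)
$cmdKey = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
if (-not (Test-Path -Path $cmdKey)) {
    $findings += 'exefile: shell\open\command key is MISSING'
} else {
    $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
    if ($cmd -ne '"%1" %*') {
        $findings += "exefile: open command TAMPERED: $cmd"
    } else {
        $findings += 'exefile: open command OK'
    }
}

$findings
```

Compare the output against a clean snapshot of the same VM taken before the sample is run; a missing wscsvc key or a non-stock exefile command is what the posters above describe as the service being “gone” and all .exe files being “corrupt”.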