Tuesday, June 9, 2009

“Fake” antivirus software

There are many kinds of antivirus software, and there are also “fake” antivirus programs that exist only to scam people.

Let's look at an example: AntivirusXP

Note: I ran this on a virtual machine (Shadow Defender), so it has no effect on the real machine. Do not run this on your own computer under normal circumstances; if you do, the consequences are on you!

It starts scanning as soon as it is opened:

and reports multiple viruses:



When you click Remove All, a registration window pops up:



Clicking the purchase button leads to the vendor's website (already taken down... presumably it was caught); Firefox's WOT add-on flags it as a dangerous site:



I tried to locate the so-called “viruses” on the computer and found no such files at all:



The main screen, short and to the point:



The bottom-right corner constantly shows that the computer has problems:



but it won't let you close it...



It can even “update”, but that is fake too: the hard disk shows no activity at all during the update, which gives it away:



This is an old sample by now and is detected by many antivirus products:

http://www.virustotal.com/analisis/ca4fe2a5c544c646858ad37f89b15a99a9776c0fed808cdf231b00215936e2c6-1244457036

| Engine | Version | Signature date | Result |
|---|---|---|---|
| a-squared | 4.0.0.101 | 2009.06.04 | Trojan.Win32.Fakeinit!IK |
| AhnLab-V3 | 5.0.0.2 | 2009.06.08 | Win-Trojan/Fakeav.1752576 |
| AntiVir | 7.9.0.180 | 2009.06.08 | PHISH/Fraud.XPAntivirus.aat |
| Antiy-AVL | 2.0.3.1 | 2009.06.08 | FraudTool/Win32.XPAntivirus |
| Authentium | 5.1.2.4 | 2009.06.08 | - |
| Avast | 4.8.1335.0 | 2009.06.07 | Win32:Trojan-gen {Other} |
| AVG | 8.5.0.339 | 2009.06.08 | SHeur2.MYH |
| BitDefender | 7.2 | 2009.06.08 | Trojan.FakeAlert.AUO |
| CAT-QuickHeal | 10.00 | 2009.06.08 | FraudTool.XPAntivirus.aat (Not a Virus) |
| ClamAV | 0.94.1 | 2009.06.08 | - |
| Comodo | 1283 | 2009.06.08 | ApplicUnsaf.Win32.FraudTool.XPAntiVirusPro.~SAA |
| DrWeb | 5.0.0.12182 | 2009.06.08 | Trojan.Fakealert.3910 |
| eSafe | 7.0.17.0 | 2009.06.07 | Win32.Banker |
| eTrust-Vet | 31.6.6547 | 2009.06.08 | Win32/VMalum.ELXM |
| F-Prot | 4.4.4.56 | 2009.06.08 | - |
| F-Secure | 8.0.14470.0 | 2009.06.08 | FraudTool.Win32.XPAntivirus.aat |
| Fortinet | 3.117.0.0 | 2009.06.08 | Misc/XPAntivirus |
| GData | 19 | 2009.06.08 | Trojan.FakeAlert.AUO |
| Ikarus | T3.1.1.59.0 | 2009.06.08 | - |
| K7AntiVirus | 7.10.754 | 2009.06.04 | Non-Virus: |
| Kaspersky | 7.0.0.125 | 2009.06.08 | not-a-virus:FraudTool.Win32.XPAntivirus.aat |
| McAfee | 5639 | 2009.06.07 | - |
| McAfee+Artemis | 5639 | 2009.06.07 | potentially unwanted program Artemis!A3E166E3B70D |
| McAfee-GW-Edition | 6.7.6 | 2009.06.08 | - |
| Microsoft | 1.4701 | 2009.06.08 | Trojan:Win32/Fakeinit |
| NOD32 | 4137 | 2009.06.08 | Win32/Adware.VirusIsolator |
| Norman | 6.01.09 | 2009.06.05 | W32/AntiVirus2008.CHT |
| nProtect | 2009.1.8.0 | 2009.06.08 | - |
| Panda | 10.0.0.14 | 2009.06.07 | Adware/AntiVirusXP2009 |
| PCTools | 4.4.2.0 | 2009.06.06 | - |
| Prevx | 3.0 | 2009.06.08 | High Risk Worm |
| Rising | 21.33.02.00 | 2009.06.08 | AdWare.Win32.FakeAV.m |
| Sophos | 4.42.0 | 2009.06.08 | Troj/FakeAV-JE |
| Sunbelt | 3.2.1858.2 | 2009.06.07 | FraudTool.Win32.XPAntivirus.GeN |
| Symantec | 1.4.4.12 | 2009.06.08 | - |
| TheHacker | 6.3.4.3.342 | 2009.06.08 | - |
| TrendMicro | 8.950.0.1092 | 2009.06.08 | - |
| VBA32 | 3.12.10.6 | 2009.06.08 | - |
| ViRobot | 2009.6.5.1771 | 2009.06.05 | Adware.XPAntivirus.R.1752576.B |
| VirusBuster | 4.6.5.0 | 2009.06.07 | Fraudtool.XPAntivirus.BCWK |

Resource usage:

File analysis:

http://www.threatexpert.com/report.aspx?md5=a3e166e3b70d9af948d055c29ac873b5

• File MD5: 0xA3E166E3B70D9AF948D055C29AC873B5

• File SHA-1: 0x0E79A28E860635B51ED24E3D20F5FFCCB2E888E0

• Filesize: 1,752,576 bytes

The following files are created:

%DesktopDir%\AntivirusXP.lnk

%Temp%\stylrit0.tmp

%Programs%\AntivirusXP\AntivirusXP.lnk

%ProgramFiles%\AntivirusXP\AntivirusXP.exe

The following directories are created:

%Programs%\AntivirusXP

%ProgramFiles%\AntivirusXP

%ProgramFiles%\AntivirusXP\Infected

%ProgramFiles%\AntivirusXP\Suspicious

Process added:

[filename of the sample #1][file and pathname of the sample #1]

Registry entries added:

The following Registry Key was created:

HKEY_CURRENT_USER\Software\AntivirusXP

The newly created Registry Values are:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

AntivirusXP.exe = "%ProgramFiles%\AntivirusXP\AntivirusXP.exe"

so that AntivirusXP.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\AntivirusXP]

Autorun = 0x00000001

RegisterShellExtension = 0x00000001

CheckForUpdates = 0x00000000

QuickScanAtStartup = 0x00000001

StartMinimized = 0x00000000

ID = 0x00000001

ScanArchives = 0x00000001

ScanFiles = 0x00000001

ScanMail = 0x00000001

ScanProcesses = 0x00000001

ScanRegistry = 0x00000001
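The Run-key persistence and the HKCU\Software\AntivirusXP configuration key listed above can be checked offline from a registry export (`reg export HKCU hkcu.reg` taken from a suspect machine). This is an added example, not part of the original post or of the ThreatExpert report; the export text it parses is constructed sample input, and the function names are my own.

```python
import re
# Indicators quoted from the ThreatExpert report above (HKCU persistence and config key).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FAKEAV_KEY = r"HKEY_CURRENT_USER\Software\AntivirusXP"
FAKEAV_EXE = re.compile(r'\\AntivirusXP\\AntivirusXP\.exe"?$', re.IGNORECASE)
KEY_RE = re.compile(r"^\[(.+)\]$")  # [HKEY_...\Key] header line
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')  # "Name"=data line

def parse_reg_export(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {value: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            keys[current][val.group("name")] = val.group("data")
    return keys

def reg_string(raw):
    """Decode REG_SZ export data: strip the quotes and undo the backslash escaping."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw  # dword:/hex: data is returned untouched

def find_antivirusxp(text):
    """Return human-readable findings; an empty list means no indicator matched."""
    keys = parse_reg_export(text)
    findings = []
    for name, raw in keys.get(RUN_KEY, {}).items():
        if FAKEAV_EXE.search(reg_string(raw)):
            findings.append(f"Run value {name} launches {reg_string(raw)} at logon")
    if FAKEAV_KEY in keys:
        autorun = keys[FAKEAV_KEY].get("Autorun", "absent")
        findings.append(f"config key {FAKEAV_KEY} present (Autorun={autorun})")
    return findings

# Constructed sample export (not taken from the infected machine); ctfmon.exe is a benign entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AntivirusXP.exe"="C:\\Program Files\\AntivirusXP\\AntivirusXP.exe"
[HKEY_CURRENT_USER\Software\AntivirusXP]
"Autorun"=dword:00000001
"""
```

Only HKCU is checked because that is where the report places the entries; the benign ctfmon.exe value is left alone, which keeps the check from flagging every Run entry.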

It's really amusing: the scammer is standing right at your front door, and you may not even realize it XD

This post is also published on AVPClub:

http://www.avpclub.ddns.info/discuz/thread-18119-1-1.html

For more, see:

http://www.avpclub.ddns.info/discuz/thread-14488-1-1.html

http://www.411-spyware.com
