System Care Antivirus Fake Antivirus Malware | Joachim De Zutter
April 2013

Fake antivirus malware was installed after a drive-by download that used a Java exploit.

Under a subdirectory of %USERPROFILE%/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/, a malicious JNLP file was found that had been downloaded from 103.13.101.32

Installed JRE version: 1.7.0_17

http://www.utrace.de/?query=103.13.101.32
Provider: ServersAustralia (Australia)

Under a subdirectory of %USERPROFILE%/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/, a malicious JAR file was found that had been downloaded from 103.13.101.32
Filesize: 4955
MD5: 4387db4a1da8f8f68df4369f8e6d46b6
SHA1: 91ff936cca4b6380e01d9b77f11c0d068697ad5c
SHA256: 87502481da235ca9f2a5178b6941ca128a25942586a820c99b5e7d823b3c251f

The JAR file contained the following files:

Filename: META-INF/MANIFEST.MF
MD5: 5ab6e8c1614a2b9c07634caa2ff37a47
SHA1: 3e7a48d2315f967e5dc1230e9f3171fd12cea8ce
SHA256: 68cd270e61b34bea2bef7c8c2c2500bf7bb503edd5ea0e4073a884a35ee5b193

Filename: Abc.class
Filesize: 11566
MD5: 34eb0ed78403ba93a51c2e0374bc0166
SHA1: 69568d33afde3cc0b657697af11783eb40464cf1
SHA256: 6e4c3ee4a321543064083ab742af485606dd1c1d093ea0e2b23cd7fce0f909ce

Filename: a.class
Filesize: 548
MD5: 95abd0acf90b6d7c412a33ba36e9390d
SHA1: 637f2ba6c91e95bd744f87368a15cc667dceb299
SHA256: 831acc64b462c4fc1a5915d39be63da27e7f23d4c7517045e011ffeeb218247a

Filename: b.class
Filesize: 167
MD5: 1517417d028a0e793839032dbe236738
SHA1: 3841eb327f5840affcda73b48b24b26ced5a84cc
SHA256: edfdd8873e5625e9557a527f03fdcc51bafb333ddd7584cb0a753b3b4e7d269a

Filename: c.class
Filesize: 152
MD5: bd679b55bc810e44afad581841d7bb53
SHA1: a4180cf015e5f03a4377899dbbce9149f58cbfa1
SHA256: dc2b23547c3b459cdec88385c7a068b5ed36d1085ccabdb65eb307c47f19dc9c
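To check another machine for the same dropper, here is an added triage script (not the author's tooling) that walks the Java deployment cache named above, hashes every cache entry and every member of any ZIP/JAR among them, and matches against the SHA256 values listed on this page; the cache path is the one the page gives, expanded from %USERPROFILE%.

```python
"""Triage a Java deployment cache for the JAR and class hashes listed above (added example)."""
import hashlib
import os
import zipfile

# SHA256 values from the write-up: the dropped JAR and its Abc.class member.
KNOWN_BAD_SHA256 = {
    "87502481da235ca9f2a5178b6941ca128a25942586a820c99b5e7d823b3c251f",  # JAR
    "6e4c3ee4a321543064083ab742af485606dd1c1d093ea0e2b23cd7fce0f909ce",  # Abc.class
}

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def jar_member_hashes(path):
    """Return {member_name: sha256} for every file entry of a JAR (ZIP) archive."""
    hashes = {}
    with zipfile.ZipFile(path) as jar:
        for info in jar.infolist():
            if not info.is_dir():
                hashes[info.filename] = sha256_bytes(jar.read(info))
    return hashes

def scan_cache(cache_root, bad=KNOWN_BAD_SHA256):
    """Walk the cache and return (path, member, sha256) for every known-bad hash.

    member is "" for a hit on the cache file itself. Cache entries carry no
    extension, so every file is probed as a ZIP instead of trusting its name.
    """
    hits = []
    for dirpath, _, files in os.walk(cache_root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = sha256_bytes(f.read())
            if digest in bad:
                hits.append((full, "", digest))
            if zipfile.is_zipfile(full):
                for member, member_hash in jar_member_hashes(full).items():
                    if member_hash in bad:
                        hits.append((full, member, member_hash))
    return hits

if __name__ == "__main__":
    # Cache location named in the write-up, expanded for the current user.
    root = os.path.expandvars(r"%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\cache\6.0")
    for hit in scan_cache(root):
        print(hit)
```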

On 29 April at 14:11 the following executables were executed:
Filename: %USERPROFILE%\APPDATA\LOCAL\TEMP\~TMP9111852193901827510.EXE
Filename: %USERPROFILE%\APPDATA\LOCAL\TEMP\46D2.EXE
Filename: %USERPROFILE%\APPDATA\LOCAL\TEMP\538F.EXE

Filename: C:\ProgramData\7AB3F7E966DDF29100007AB37D3CF9A1\7AB3F7E966DDF29100007AB37D3CF9A1.exe
Filesize: 450560
MD5: 074ee5bb91af421b1d5deef9bebaafce
SHA1: 70a9183b6b96398400e4b3f62c116f7b77f56ec6
SHA256: 6328a3cda829d147450be40242713dfaddde78f1b48e8a7962cfc7d206e42a91

The executable with MD5 074ee5bb91af421b1d5deef9bebaafce established an HTTP connection to 175.41.29.181.

http://www.utrace.de/?query=175.41.29.181
Provider: Canton Rd (Hong Kong)

Filename: C:\ProgramData\7AB3F7E966DDF29100007AB37D3CF9A1\7AB3F7E966DDF29100007AB37D3CF9A1
Filesize: 6048
MD5: 7cc7b4e282e4787872e21c646e7810d1
SHA1: a43a127c95e46091d36d63c8978f3e45d88c21ed
SHA256: 0c47fb1b9b8494cb4a8b0eebf5f3f399180c5a6b288a0a3df53766b86be37653

Filename: C:\ProgramData\7AB3F7E966DDF29100007AB37D3CF9A1\7AB3F7E966DDF29100007AB37D3CF9A1.ico
Filesize: 9662
MD5: 4b22ba76647377cf755bd6cc83ad5a64
SHA1: bc4c79b412c9d97c12bb682a99c0811df1fe73de
SHA256: b54fa776f2adfd97e0d7336ef655e8b80c3ce93544a54fa71603cbd101a9bc74

The fake antivirus added a shortcut to its executable in the Start Menu and on the Desktop.


Fake antivirus: "Security Monitor: WARNING!
Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. Your private information and PC safety is at risk.
To get rid of unwanted spyware and keep your computer safe you need to update your current security software.
Click Yes to download official intrusion detection system (IDS software)."

Fake antivirus: "Warning: Your computer is infected
Detected spyware infection!
Click this message to install the last update of security software..."

Fake antivirus: "System Care Antivirus
Are you sure? Continue unprotected?"

Fake antivirus: "This version of System Care Antivirus is for evaluating purposes only. The removal features are disabled. You may scan your PC to locate malware/spyware threats. To be able to remove threats, you should register System Care Antivirus.
To register System Care Antivirus click Get License.
If you have already purchased the license please stay connected to the Internet, turn of your firewall and enter the Registration key you received.
Enter Details
Finally click Activate"

Fake antivirus: "This copy of System Care Antivirus is unregistered."

Fake antivirus: "System Care Antivirus Warning System Care Antivirus has detected harmful software in your system.
We strongly recommended you to register System Care Antivirus to remove these threats immediately."

Trying to uncheck the "Start with Windows" checkbox shows a nag screen asking to activate the fake antivirus instead of stopping it from starting with Windows.

Fake antivirus: "System Care Antivirus Warning Spyware.IEMonster activity detected. This is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs. Click here to remove it immediately with System Care Antivirus."

The fake antivirus blocks execution of other executables: "WARNING! Application cannot be executed. The file taskmgr.exe is infected.
Please activate your antivirus software."

The fake antivirus did not start with Windows when Windows was started in Safe Mode (after pressing F8 during boot).

After restarting Windows in Safe Mode, regedit.exe could be run (Start - Run - regedit.exe) to find the registry entry that started the fake antivirus under My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\. After deleting that entry, the fake antivirus no longer started when Windows was booted normally.
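As an added example (not the author's tooling), the Safe Mode registry check above can be repeated offline against a regedit export of the affected hive: the script below parses Run and RunOnce values from a .reg file and flags commands that match the dropper's ProgramData\<32 hex>\<32 hex>.exe naming scheme or that launch an executable from the user's Temp directory. The sample export is constructed; the value name is invented and the path is the one from this write-up.

```python
"""Flag suspicious Run/RunOnce entries in a regedit .reg export (added example)."""
import re

AUTORUN_KEY = re.compile(
    r"^\[HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(?:Run|RunOnce)\]$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Naming scheme of the dropped binary: ...\ProgramData\<32 hex>\<same 32 hex>.exe
PROGRAMDATA_HEX = re.compile(r"\\ProgramData\\([0-9A-F]{32})\\\1\.exe", re.IGNORECASE)
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\\"]+\.exe", re.IGNORECASE)

def classify(command):
    """Return a reason if the autorun command looks like this dropper, else None."""
    if PROGRAMDATA_HEX.search(command):
        return "ProgramData\\<32 hex>\\<32 hex>.exe naming scheme"
    if TEMP_EXE.search(command):
        return "executable launched from the user's Temp directory"
    return None

def parse_autoruns(reg_text):
    """Yield (key, value_name, command) for string values under Run/RunOnce keys."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            key = line[1:-1] if AUTORUN_KEY.match(line) else None
            continue
        m = VALUE_LINE.match(line)
        if key and m:
            # .reg files escape backslashes and quotes in string data as \\ and \"
            yield key, m["name"], re.sub(r"\\(.)", r"\1", m["data"])

def find_suspicious_autoruns(reg_text):
    """Return [(key, value_name, command, reason)] for entries classify() flags."""
    hits = []
    for key, name, command in parse_autoruns(reg_text):
        reason = classify(command)
        if reason:
            hits.append((key, name, command, reason))
    return hits

# Constructed sample export (regedit writes real exports as UTF-16 with a BOM):
# the value name is invented, the path is from the write-up, the Run entry is benign.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"7AB3F7E966DDF29100007AB37D3CF9A1"="C:\\ProgramData\\7AB3F7E966DDF29100007AB37D3CF9A1\\7AB3F7E966DDF29100007AB37D3CF9A1.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"
'''
```

To run it on a real export, read the file with encoding="utf-16" and pass the text to find_suspicious_autoruns().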

The fake antivirus did not appear in the list of installed software under "Add or Remove Programs" in Control Panel.