Malware Install Hides Behind Fake Blue Screen Of Death

This is a particularly strange hijack that typically begins with the following file opened up from the web:

[Screenshot: sys0.jpg]


If the file is allowed to execute on the PC, you may well see the dreaded Blue Screen Of Death (or BSOD to its friends).

However, all is not what it seems. While the end user is faced with the horrors of the BSOD, behind the scenes malware is installing by the bucketload. How is this possible, I hear you cry? Surely if the PC has crashed, nothing can be installing?

Not in this case, because the blue screen of death is fake. To be more accurate, the bad guys have taken the Sysinternals BlueScreen screen saver and bundled it in with the hijack files. A .scr file is an ordinary Windows executable with a different extension, so opening it runs code just like any .exe; the only thing this one does on screen is paint a convincing crash while the bundled installers get on with their work. This is what the .scr file looks like on the PC:

[Screenshot: sys1.jpg]


And this is what you see if you explore the code:

[Screenshot: sys2.jpg]


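The point that matters for triage is that a screen saver is a plain PE executable, so it can be identified as such without trusting the extension at all. The following is an added example, not code from the original post or from Sysinternals: it parses the DOS and COFF/optional headers of a file in memory and reports whether a .scr (or a file hiding behind some other extension) is really an executable, and which subsystem it targets. All the sample files, and their names, are constructed byte strings rather than the binaries from this hijack.

```python
"""Added example (not from the original post): identify screen-saver files as
ordinary Windows executables by parsing the PE header, so that a .scr, or any
file with a misleading extension, can be triaged before someone opens it.
All sample files below are constructed in-memory byte strings, not real binaries."""
import os
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
SUBSYSTEM_NAMES = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
# Extensions Windows already treats as PE executables; .scr is handled separately below.
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".cpl", ".ocx", ".drv"}


def pe_info(data: bytes):
    """Parse the DOS, COFF and optional headers. Returns a dict, or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                      # start of the optional header
    magic = subsystem = None
    if opt_size >= 70 and opt + 70 <= len(data):
        (magic,) = struct.unpack_from("<H", data, opt)
        (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset for PE32 and PE32+
    return {
        "machine": machine,
        "sections": nsections,
        "executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "pe32plus": magic == 0x20B,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, f"unknown({subsystem})"),
    }


def triage(files):
    """Map file name -> verdict. A GUI-subsystem PE named .scr is exactly what a screen saver is."""
    verdicts = {}
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        info = pe_info(data)
        if info is None:
            verdicts[name] = "not a PE image"
        elif ext == ".scr":
            verdicts[name] = (f"PE executable with screen-saver extension, "
                              f"{info['subsystem']} subsystem (runs like any .exe when opened)")
        elif ext in EXEC_EXTENSIONS:
            verdicts[name] = "PE executable"
        else:
            verdicts[name] = "PE executable disguised with a non-executable extension"
    return verdicts


def build_minimal_pe(subsystem=2, pe32plus=False) -> bytes:
    """Constructed sample: just enough header for pe_info(); it is not a loadable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, IMAGE_FILE_EXECUTABLE_IMAGE)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # PE32+ / PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed inputs (hypothetical names, not the files from the original hijack).
SAMPLES = {
    "bsod_demo.scr": build_minimal_pe(subsystem=2),                 # GUI screen saver
    "holiday.jpg": build_minimal_pe(subsystem=2),                   # PE hiding behind an image extension
    "tool64.exe": build_minimal_pe(subsystem=3, pe32plus=True),     # 64-bit console program
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\0" * 64,  # a real JPEG header
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:16} {verdict}")
```

Run it against a real directory by reading each file's bytes into the dict; the check is deliberately extension-blind so that a dropper renamed to .jpg or .txt gets the same "disguised executable" verdict as the .scr here.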
It seems the bad guys are not without a sense of humour. Hiding a blizzard of infection file installs behind a legitimate screensaver created by a security expert is pretty bizarre. Here is the registry entry created:

[Screenshot: sys6.jpg]

Meanwhile, here are just some of the files installed onto the PC during the download:

[Screenshot: sys5.jpg]

The PC pretty much grinds to a halt while all of this is taking place:

[Screenshot: sys7.jpg]


When the computer finally comes back under your control, you can expect to see numerous warnings from fake antispyware programs appearing all over the desktop:

[Screenshot: sys8.jpg]

[Screenshot: sys9.jpg]

[Screenshot: sys10.jpg]


Collectively, we detect the various bundles on offer here as Fake.AV and Smiddy.

Discovery and Research: Chris Mannon, FSL Senior Threat Researcher

2 Comments

Hi, this seems to be very popular lately in the last couple months. I'm based in northwest Ohio, and working on computers every day for a small shop, I have gotten at least one infected PC per week for the past month or two now.

Antivirus XP 2008, as well as Antivirus 2009, Vista Antivirus 2008/2009, seem to be the most common, but I've seen literally a dozen different fake programs, all with different names, but all with the same purpose, which is to take your money and mess up your PC.

After performing the removal of the files, are there any other precautions you should take, other than not downloading strange files? Usually all the customers I get have an up-to-date antivirus or antispyware program of some type, and of course everyone says that they have no idea how they have gotten infected. With the infection of "drive-by downloads" and infected websites being more and more common, it seems like no matter what kind of antivirus software you have, malware can still slip by your defenses if you are not vigilant in your computing.

For example, today a customer brought in a PC that had this infection. He was using AVG 8 Internet Security, the full version. AVG warned him of the trojan files and successfully quarantined most of the infected files, but he still had the fake BSOD screensaver installed, and the desktop background was changed, as well as the desktop properties: he was missing the Desktop and the Screen Saver tabs. I fixed the background, restored the missing desktop properties tabs, and deleted the .scr file. A reboot in safe mode and a couple of scans with the removal tools we use showed his computer as being clean.

Is the computer really clean? Do you have a full list of exactly what files and their locations to check for? It's pretty tough if not impossible to keep up with this just as a computer tech, let alone a security researcher like this website.

Thanks for your time.

Hey there! The big problem with infections that drop these fake AV programs is that they often also throw in a rootkit or two, banking trojans, random crapware...you name it, they try and hit you with it. As a result, it's often very difficult to know for sure what's on the PC from any given hijack where a fake AV program is concerned.

Personally, if I were ever hit with one of these hijacks, as a bare minimum precaution I'd change any online banking passwords etc. It might sound like an overreaction, but I'd rather "overreact" (if you can call having to wait on your bank to send you a new login overreacting, though I know some people who would!) than get stung with all my money vanishing.

I find the biggest reasons people get hit - if they're being honest - are that they let their AV definitions slip, they didn't bother to update Windows, and they turn off essentials like firewalls when gaming, forgetting to put them back on again afterwards (or, even better, seeing if there's a way their firewall and game can co-exist).

Do that, run Firefox, use Thunderbird for email and there's a decent chance they won't get infected in the first place.

As far as lists of files go, again, that comes back to the tricky issue of "depends what bundle of junk" you downloaded in the first place so the list isn't exhaustive, sadly. I think there's a few good sites out there that try to list every last thing altered on a PC for many kinds of hijack, I'll try and dig some out.


About this Entry

This page contains a single entry by Christopher Boyd published on July 9, 2008 7:42 PM.
