According to S!Ri
Fake AVG Anti-Virus uses a real Antivirus solution name to mislead users.
This rogue is from the same family as Antivirus 8.
Previous Family skin was: Antivirus GT, Antivirus 7, Antivir 2010. It is not the first time this rogue takes real Antivirus names.
Note: Like you see here, the fake AVG check for a 'empty serial' but you will never see a message for say "Activation failed! Activation code is empty!" simply because in another place, there is a code who check the lenght of the textbox and if the lenght = "0" you cant push the registration button, bug.
For register the application you can use our keygen
Or do it yourself:
~ ASM
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
include kernel32.inc
include C:\masm32\macros\macros.asm
includelib user32.lib
includelib kernel32.lib
DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
RandomAP PROTO :DWORD,:DWORD
RandomN PROTO :DWORD,:DWORD
.const
IDD_MAIN equ 1000
IDB_EXIT equ 1001
IDC_NAME equ 1002
IDC_SERIAL equ 1005
IDB_GENERATE equ 1006
IDB_ABOUT equ 1007
.data
Rndm dd 0
b10 db "0123456789012345",0
Base26A db "ABCDEFGHIJKLMNOP",0
tab db "-",0
hc db "XYL",0
.data?
hInstance dd ?
szSerial db 100h dup(?)
szSerial2 db 100h dup(?)
szFinal db 100h dup(?)
.code
start:
invoke GetModuleHandle, NULL
mov hInstance, eax
invoke DialogBoxParam, hInstance, IDD_MAIN, 0, offset DlgProc, 0
invoke ExitProcess, eax
DlgProc proc uses esi edi hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
mov eax,uMsg
.if eax == WM_INITDIALOG
invoke LoadIcon,hInstance,200
invoke SendMessage, hWnd, WM_SETICON, 1, eax
.elseif eax == WM_COMMAND
mov eax,wParam
.if eax == IDB_EXIT
invoke SendMessage, hWnd, WM_CLOSE, 0, 0
.elseif eax == IDB_GENERATE
invoke RandomAP,3,addr szSerial
invoke RandomN,2,addr szSerial2
invoke lstrcpy,addr szFinal,addr szSerial
invoke lstrcat,addr szFinal,addr szSerial2
invoke lstrcat,addr szFinal,addr tab
invoke RtlZeroMemory,addr szSerial,sizeof szSerial
invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
invoke RandomAP,3,addr szSerial
invoke RandomN,2,addr szSerial2
invoke lstrcat,addr szFinal,addr szSerial
invoke lstrcat,addr szFinal,addr szSerial2
invoke lstrcat,addr szFinal,addr tab
invoke RtlZeroMemory,addr szSerial,sizeof szSerial
invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
invoke RandomAP,3,addr szSerial
invoke RandomN,2,addr szSerial2
invoke lstrcat,addr szFinal,addr szSerial
invoke lstrcat,addr szFinal,addr szSerial2
invoke lstrcat,addr szFinal,addr tab
invoke RtlZeroMemory,addr szSerial,sizeof szSerial
invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
invoke RandomAP,3,addr szSerial
invoke RandomN,3,addr szSerial2
invoke lstrcat,addr szFinal,addr szSerial
invoke lstrcat,addr szFinal,addr szSerial2
invoke lstrcat,addr szFinal,addr tab
invoke RtlZeroMemory,addr szSerial,sizeof szSerial
invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
invoke RandomN,2,addr szSerial2
invoke lstrcat,addr szFinal,addr hc
invoke lstrcat,addr szFinal,addr szSerial2
invoke RtlZeroMemory,addr szSerial,sizeof szSerial
invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
invoke SetDlgItemText,hWnd,IDC_SERIAL,addr szFinal
invoke RtlZeroMemory,addr szSerial,sizeof szSerial
invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
invoke RtlZeroMemory,addr szFinal,sizeof szFinal
.endif
.elseif eax == WM_CLOSE
invoke EndDialog, hWnd, 0
.endif
xor eax,eax
ret
DlgProc endp
RandomAP Proc Length_:DWORD,OutPut:DWORD
mov ecx,Length_
mov esi,offset Base26A
mov edi,OutPut
.repeat
invoke GetTickCount
add Rndm,eax
add Rndm,'abcd'
mov eax,Rndm
rol Rndm,4
and eax,0Fh
mov al,byte ptr [esi+eax]
stosb
dec ecx
.until ecx == 0
Ret
RandomAP endp
RandomN Proc Length_:DWORD,OutPut:DWORD
mov ecx,Length_
mov esi,offset b10
mov edi,OutPut
.repeat
invoke GetTickCount
add Rndm,eax
add Rndm,'abcd'
mov eax,Rndm
rol Rndm,4
and eax,0Fh
mov al,byte ptr [esi+eax]
stosb
dec ecx
.until ecx == 0
Ret
RandomN endp
end start
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
include kernel32.inc
include C:\masm32\macros\macros.asm
includelib user32.lib
includelib kernel32.lib
DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
RandomAP PROTO :DWORD,:DWORD
RandomN PROTO :DWORD,:DWORD
.const
IDD_MAIN equ 1000
IDB_EXIT equ 1001
IDC_NAME equ 1002
IDC_SERIAL equ 1005
IDB_GENERATE equ 1006
IDB_ABOUT equ 1007
.data
Rndm dd 0
b10 db "0123456789012345",0
Base26A db "ABCDEFGHIJKLMNOP",0
tab db "-",0
hc db "XYL",0
.data?
hInstance dd ?
szSerial db 100h dup(?)
szSerial2 db 100h dup(?)
szFinal db 100h dup(?)
.code
start:
invoke GetModuleHandle, NULL
mov hInstance, eax
invoke DialogBoxParam, hInstance, IDD_MAIN, 0, offset DlgProc, 0
invoke ExitProcess, eax
DlgProc proc uses esi edi hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
mov eax,uMsg
.if eax == WM_INITDIALOG
invoke LoadIcon,hInstance,200
invoke SendMessage, hWnd, WM_SETICON, 1, eax
.elseif eax == WM_COMMAND
mov eax,wParam
.if eax == IDB_EXIT
invoke SendMessage, hWnd, WM_CLOSE, 0, 0
.elseif eax == IDB_GENERATE
invoke RandomAP,3,addr szSerial
invoke RandomN,2,addr szSerial2
invoke lstrcpy,addr szFinal,addr szSerial
invoke lstrcat,addr szFinal,addr szSerial2
invoke lstrcat,addr szFinal,addr tab
invoke RtlZeroMemory,addr szSerial,sizeof szSerial
invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
invoke RandomAP,3,addr szSerial
invoke RandomN,2,addr szSerial2
invoke lstrcat,addr szFinal,addr szSerial
invoke lstrcat,addr szFinal,addr szSerial2
invoke lstrcat,addr szFinal,addr tab
invoke RtlZeroMemory,addr szSerial,sizeof szSerial
invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
invoke RandomAP,3,addr szSerial
invoke RandomN,2,addr szSerial2
invoke lstrcat,addr szFinal,addr szSerial
invoke lstrcat,addr szFinal,addr szSerial2
invoke lstrcat,addr szFinal,addr tab
invoke RtlZeroMemory,addr szSerial,sizeof szSerial
invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
invoke RandomAP,3,addr szSerial
invoke RandomN,3,addr szSerial2
invoke lstrcat,addr szFinal,addr szSerial
invoke lstrcat,addr szFinal,addr szSerial2
invoke lstrcat,addr szFinal,addr tab
invoke RtlZeroMemory,addr szSerial,sizeof szSerial
invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
invoke RandomN,2,addr szSerial2
invoke lstrcat,addr szFinal,addr hc
invoke lstrcat,addr szFinal,addr szSerial2
invoke RtlZeroMemory,addr szSerial,sizeof szSerial
invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
invoke SetDlgItemText,hWnd,IDC_SERIAL,addr szFinal
invoke RtlZeroMemory,addr szSerial,sizeof szSerial
invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
invoke RtlZeroMemory,addr szFinal,sizeof szFinal
.endif
.elseif eax == WM_CLOSE
invoke EndDialog, hWnd, 0
.endif
xor eax,eax
ret
DlgProc endp
RandomAP Proc Length_:DWORD,OutPut:DWORD
mov ecx,Length_
mov esi,offset Base26A
mov edi,OutPut
.repeat
invoke GetTickCount
add Rndm,eax
add Rndm,'abcd'
mov eax,Rndm
rol Rndm,4
and eax,0Fh
mov al,byte ptr [esi+eax]
stosb
dec ecx
.until ecx == 0
Ret
RandomAP endp
RandomN Proc Length_:DWORD,OutPut:DWORD
mov ecx,Length_
mov esi,offset b10
mov edi,OutPut
.repeat
invoke GetTickCount
add Rndm,eax
add Rndm,'abcd'
mov eax,Rndm
rol Rndm,4
and eax,0Fh
mov al,byte ptr [esi+eax]
stosb
dec ecx
.until ecx == 0
Ret
RandomN endp
end start
Resource file:
;This Resource Script was generated by WinAsm Studio.
#define IDD_MAIN 1000
#define IDB_EXIT 1001
#define IDC_SERIAL 1005
#define IDB_GENERATE 1006
IDD_MAIN DIALOGEX 10,10,268,19
CAPTION "Fake AVG Keygen"
FONT 8,"Tahoma"
STYLE 0x90c80804
EXSTYLE 0x00000188
BEGIN
CONTROL "Exit",IDB_EXIT,"Button",0x10010000,220,3,45,13,0x00020000
CONTROL "Xylitol",IDC_SERIAL,"Edit",0x50010801,3,3,167,13,0x00020000
CONTROL "Generate",IDB_GENERATE,"Button",0x10010000,173,3,44,13,0x00020000
END
#define IDD_MAIN 1000
#define IDB_EXIT 1001
#define IDC_SERIAL 1005
#define IDB_GENERATE 1006
IDD_MAIN DIALOGEX 10,10,268,19
CAPTION "Fake AVG Keygen"
FONT 8,"Tahoma"
STYLE 0x90c80804
EXSTYLE 0x00000188
BEGIN
CONTROL "Exit",IDB_EXIT,"Button",0x10010000,220,3,45,13,0x00020000
CONTROL "Xylitol",IDC_SERIAL,"Edit",0x50010801,3,3,167,13,0x00020000
CONTROL "Generate",IDB_GENERATE,"Button",0x10010000,173,3,44,13,0x00020000
END
It close applications like keygen, but you can unblock it and open it again.
Then, use MBAM for remove the infection, and if you have some trouble for navigate with your browser, just rename it like "firefox.exe" call it "firefox2.exe"
No comments:
Post a Comment