According to S!Ri:
Fake BitDefender 2011 uses the name of a real antivirus product to mislead users.
This rogue is from the same family as Fake E-Set Antivirus 2011, Fake AVG Anti-Virus, Antivirus 8.
Previous skins of this family were: Antivirus GT, Antivirus 7, Antivir 2010. It is not the first time this rogue borrows a real antivirus name.
VT: http://www.virustotal.com/file-scan/report.html?id=2e7ffb3abe5dabc443669d4e698f55bf642bb1b22957f4c317c56cf890a0055d-1303403611
The Fake BitDefender 2011 rogue detects and displays fake infections to scare users into buying a license.
To register it (which helps with removal), copy and paste this code: BKI14-HJP10-IKO78-OBK894-XYL77
~ ASM
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
include kernel32.inc
include C:\masm32\macros\macros.asm
includelib user32.lib
includelib kernel32.lib
DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
RandomAP PROTO :DWORD,:DWORD
RandomN PROTO :DWORD,:DWORD
.const
; Dialog and control ids; the values mirror the #define lines in the resource script.
IDD_MAIN equ 1000
IDB_EXIT equ 1001
IDC_NAME equ 1002                       ; not referenced by the code or by the resource script shown with this listing
IDC_SERIAL equ 1005
IDB_GENERATE equ 1006
IDB_ABOUT equ 1007                      ; not referenced by the code or by the resource script shown with this listing
.data
Rndm dd 0                               ; PRNG state, advanced by RandomAP/RandomN (GetTickCount mixed in; not a cryptographic source)
b10 db "0123456789012345",0             ; 16-entry digit table indexed by Rndm & 0Fh; digits 0-5 occupy two slots each
Base26A db "ABCDEFGHIJKLMNOP",0         ; 16-entry letter table indexed by Rndm & 0Fh; only A-P despite the name
tab db "-",0                            ; separator placed after each serial group
hc db "XYL",0                           ; fixed prefix of the last serial group
.data?
hInstance dd ?
szSerial db 100h dup(?)                 ; scratch for the letters of one group (RandomAP output, relies on being zeroed between uses)
szSerial2 db 100h dup(?)                ; scratch for the digits of one group (RandomN output, relies on being zeroed between uses)
szFinal db 100h dup(?)                  ; assembled serial shown in IDC_SERIAL
.code
start:
; Entry point: fetch the module handle, run the modal dialog, exit with its result.
    push    NULL
    call    GetModuleHandle
    mov     hInstance, eax
    push    0                           ; dwInitParam
    push    offset DlgProc              ; lpDialogFunc
    push    0                           ; hWndParent
    push    IDD_MAIN                    ; lpTemplateName (resource id)
    push    hInstance
    call    DialogBoxParam
    push    eax                         ; DialogBoxParam's result becomes the process exit code
    call    ExitProcess
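;-----------------------------------------------------------------------
; DlgProc(hWnd, uMsg, wParam, lParam) - dialog procedure for IDD_MAIN.
; WM_INITDIALOG: set the dialog icon from resource id 200.
; WM_COMMAND:    IDB_EXIT closes the dialog; IDB_GENERATE builds a serial
;                of the form AAA99-AAA99-AAA99-AAA999-XYL99 (A = letter
;                from Base26A via RandomAP, 9 = digit from b10 via RandomN)
;                and shows it in IDC_SERIAL.
; WM_CLOSE:      EndDialog.
; Returns 0 for every message, as the original did.
; Clobb: eax, ecx, edx, flags; esi/edi are preserved by 'uses'.
;-----------------------------------------------------------------------
DlgProc proc uses esi edi hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    LOCAL nGroup:DWORD                  ; counter for the three identical leading groups

    mov     eax,uMsg
    .if eax == WM_INITDIALOG
        invoke  LoadIcon,hInstance,200  ; icon id 200 is not part of the resource script shown with this listing
        invoke  SendMessage, hWnd, WM_SETICON, 1, eax
    .elseif eax == WM_COMMAND
        mov     eax,wParam              ; BN_CLICKED is 0, so the whole dword equals the control id
        .if eax == IDB_EXIT
            invoke  SendMessage, hWnd, WM_CLOSE, 0, 0
        .elseif eax == IDB_GENERATE
            ; start from an empty string so every group can be appended with lstrcat
            mov     byte ptr szFinal,0
            ; groups 1-3: three letters, two digits, '-'
            mov     nGroup,3
            .repeat
                invoke  RandomAP,3,addr szSerial
                invoke  RandomN,2,addr szSerial2
                invoke  lstrcat,addr szFinal,addr szSerial
                invoke  lstrcat,addr szFinal,addr szSerial2
                invoke  lstrcat,addr szFinal,addr tab
                ; RandomAP/RandomN write no terminator of their own; zero the scratch
                ; buffers so the next shorter output is still a proper string
                invoke  RtlZeroMemory,addr szSerial,sizeof szSerial
                invoke  RtlZeroMemory,addr szSerial2,sizeof szSerial2
                dec     nGroup
            .until nGroup == 0
            ; group 4: three letters, three digits, '-'
            invoke  RandomAP,3,addr szSerial
            invoke  RandomN,3,addr szSerial2
            invoke  lstrcat,addr szFinal,addr szSerial
            invoke  lstrcat,addr szFinal,addr szSerial2
            invoke  lstrcat,addr szFinal,addr tab
            invoke  RtlZeroMemory,addr szSerial,sizeof szSerial
            invoke  RtlZeroMemory,addr szSerial2,sizeof szSerial2
            ; group 5: fixed "XYL" prefix followed by two digits
            invoke  RandomN,2,addr szSerial2
            invoke  lstrcat,addr szFinal,addr hc
            invoke  lstrcat,addr szFinal,addr szSerial2
            invoke  SetDlgItemText,hWnd,IDC_SERIAL,addr szFinal
            ; leave all scratch buffers empty for the next click
            invoke  RtlZeroMemory,addr szSerial,sizeof szSerial
            invoke  RtlZeroMemory,addr szSerial2,sizeof szSerial2
            invoke  RtlZeroMemory,addr szFinal,sizeof szFinal
        .endif
    .elseif eax == WM_CLOSE
        invoke  EndDialog, hWnd, 0
    .endif
    xor     eax,eax
    ret
DlgProc endp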
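;-----------------------------------------------------------------------
; RandomAP(Length_, OutPut) - write Length_ pseudo-random letters taken
; from Base26A (A-P) to OutPut and NUL-terminate the result.
; ABI:   stdcall (MASM invoke)
; In:    Length_ = number of characters to emit (0 yields an empty string)
;        OutPut  = buffer of at least Length_+1 bytes
; Out:   OutPut filled and terminated; Rndm advanced once per character
; Clobb: eax, ecx, edx, flags (ecx/edx are volatile across GetTickCount);
;        esi/edi/ebx are saved by 'uses'
;-----------------------------------------------------------------------
RandomAP Proc uses esi edi ebx Length_:DWORD,OutPut:DWORD
    mov     ebx,Length_                 ; keep the count in a callee-saved reg: ecx need not survive the API call
    mov     esi,offset Base26A
    mov     edi,OutPut
    .while ebx != 0                     ; guard so a zero length does not wrap the counter
        invoke  GetTickCount
        add     Rndm,eax                ; mix the tick count into the state (not a cryptographic source)
        add     Rndm,'abcd'
        mov     eax,Rndm
        rol     Rndm,4
        and     eax,0Fh                 ; Base26A has exactly 16 entries
        mov     al,byte ptr [esi+eax]
        stosb
        dec     ebx
    .endw
    mov     byte ptr [edi],0            ; terminate explicitly instead of relying on a pre-zeroed buffer
    ret
RandomAP endp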
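;-----------------------------------------------------------------------
; RandomN(Length_, OutPut) - write Length_ pseudo-random digits taken
; from b10 to OutPut and NUL-terminate the result.
; ABI:   stdcall (MASM invoke)
; In:    Length_ = number of characters to emit (0 yields an empty string)
;        OutPut  = buffer of at least Length_+1 bytes
; Out:   OutPut filled and terminated; Rndm advanced once per character
; Clobb: eax, ecx, edx, flags (ecx/edx are volatile across GetTickCount);
;        esi/edi/ebx are saved by 'uses'
;-----------------------------------------------------------------------
RandomN Proc uses esi edi ebx Length_:DWORD,OutPut:DWORD
    mov     ebx,Length_                 ; keep the count in a callee-saved reg: ecx need not survive the API call
    mov     esi,offset b10
    mov     edi,OutPut
    .while ebx != 0                     ; guard so a zero length does not wrap the counter
        invoke  GetTickCount
        add     Rndm,eax                ; mix the tick count into the state (not a cryptographic source)
        add     Rndm,'abcd'
        mov     eax,Rndm
        rol     Rndm,4
        and     eax,0Fh                 ; b10 has exactly 16 entries (0-5 twice)
        mov     al,byte ptr [esi+eax]
        stosb
        dec     ebx
    .endw
    mov     byte ptr [edi],0            ; terminate explicitly instead of relying on a pre-zeroed buffer
    ret
RandomN endp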
end start
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
include kernel32.inc
include C:\masm32\macros\macros.asm
includelib user32.lib
includelib kernel32.lib
DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
RandomAP PROTO :DWORD,:DWORD
RandomN PROTO :DWORD,:DWORD
.const
; Dialog and control ids; the values mirror the #define lines in the resource script.
IDD_MAIN equ 1000
IDB_EXIT equ 1001
IDC_NAME equ 1002                       ; not referenced by the code or by the resource script shown with this listing
IDC_SERIAL equ 1005
IDB_GENERATE equ 1006
IDB_ABOUT equ 1007                      ; not referenced by the code or by the resource script shown with this listing
.data
Rndm dd 0                               ; PRNG state, advanced by RandomAP/RandomN (GetTickCount mixed in; not a cryptographic source)
b10 db "0123456789012345",0             ; 16-entry digit table indexed by Rndm & 0Fh; digits 0-5 occupy two slots each
Base26A db "ABCDEFGHIJKLMNOP",0         ; 16-entry letter table indexed by Rndm & 0Fh; only A-P despite the name
tab db "-",0                            ; separator placed after each serial group
hc db "XYL",0                           ; fixed prefix of the last serial group
.data?
hInstance dd ?
szSerial db 100h dup(?)                 ; scratch for the letters of one group (RandomAP output, relies on being zeroed between uses)
szSerial2 db 100h dup(?)                ; scratch for the digits of one group (RandomN output, relies on being zeroed between uses)
szFinal db 100h dup(?)                  ; assembled serial shown in IDC_SERIAL
.code
start:
; Entry point: fetch the module handle, run the modal dialog, exit with its result.
    push    NULL
    call    GetModuleHandle
    mov     hInstance, eax
    push    0                           ; dwInitParam
    push    offset DlgProc              ; lpDialogFunc
    push    0                           ; hWndParent
    push    IDD_MAIN                    ; lpTemplateName (resource id)
    push    hInstance
    call    DialogBoxParam
    push    eax                         ; DialogBoxParam's result becomes the process exit code
    call    ExitProcess
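;-----------------------------------------------------------------------
; DlgProc(hWnd, uMsg, wParam, lParam) - dialog procedure for IDD_MAIN.
; WM_INITDIALOG: set the dialog icon from resource id 200.
; WM_COMMAND:    IDB_EXIT closes the dialog; IDB_GENERATE builds a serial
;                of the form AAA99-AAA99-AAA99-AAA999-XYL99 (A = letter
;                from Base26A via RandomAP, 9 = digit from b10 via RandomN)
;                and shows it in IDC_SERIAL.
; WM_CLOSE:      EndDialog.
; Returns 0 for every message, as the original did.
; Clobb: eax, ecx, edx, flags; esi/edi are preserved by 'uses'.
;-----------------------------------------------------------------------
DlgProc proc uses esi edi hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    LOCAL nGroup:DWORD                  ; counter for the three identical leading groups

    mov     eax,uMsg
    .if eax == WM_INITDIALOG
        invoke  LoadIcon,hInstance,200  ; icon id 200 is not part of the resource script shown with this listing
        invoke  SendMessage, hWnd, WM_SETICON, 1, eax
    .elseif eax == WM_COMMAND
        mov     eax,wParam              ; BN_CLICKED is 0, so the whole dword equals the control id
        .if eax == IDB_EXIT
            invoke  SendMessage, hWnd, WM_CLOSE, 0, 0
        .elseif eax == IDB_GENERATE
            ; start from an empty string so every group can be appended with lstrcat
            mov     byte ptr szFinal,0
            ; groups 1-3: three letters, two digits, '-'
            mov     nGroup,3
            .repeat
                invoke  RandomAP,3,addr szSerial
                invoke  RandomN,2,addr szSerial2
                invoke  lstrcat,addr szFinal,addr szSerial
                invoke  lstrcat,addr szFinal,addr szSerial2
                invoke  lstrcat,addr szFinal,addr tab
                ; RandomAP/RandomN write no terminator of their own; zero the scratch
                ; buffers so the next shorter output is still a proper string
                invoke  RtlZeroMemory,addr szSerial,sizeof szSerial
                invoke  RtlZeroMemory,addr szSerial2,sizeof szSerial2
                dec     nGroup
            .until nGroup == 0
            ; group 4: three letters, three digits, '-'
            invoke  RandomAP,3,addr szSerial
            invoke  RandomN,3,addr szSerial2
            invoke  lstrcat,addr szFinal,addr szSerial
            invoke  lstrcat,addr szFinal,addr szSerial2
            invoke  lstrcat,addr szFinal,addr tab
            invoke  RtlZeroMemory,addr szSerial,sizeof szSerial
            invoke  RtlZeroMemory,addr szSerial2,sizeof szSerial2
            ; group 5: fixed "XYL" prefix followed by two digits
            invoke  RandomN,2,addr szSerial2
            invoke  lstrcat,addr szFinal,addr hc
            invoke  lstrcat,addr szFinal,addr szSerial2
            invoke  SetDlgItemText,hWnd,IDC_SERIAL,addr szFinal
            ; leave all scratch buffers empty for the next click
            invoke  RtlZeroMemory,addr szSerial,sizeof szSerial
            invoke  RtlZeroMemory,addr szSerial2,sizeof szSerial2
            invoke  RtlZeroMemory,addr szFinal,sizeof szFinal
        .endif
    .elseif eax == WM_CLOSE
        invoke  EndDialog, hWnd, 0
    .endif
    xor     eax,eax
    ret
DlgProc endp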
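;-----------------------------------------------------------------------
; RandomAP(Length_, OutPut) - write Length_ pseudo-random letters taken
; from Base26A (A-P) to OutPut and NUL-terminate the result.
; ABI:   stdcall (MASM invoke)
; In:    Length_ = number of characters to emit (0 yields an empty string)
;        OutPut  = buffer of at least Length_+1 bytes
; Out:   OutPut filled and terminated; Rndm advanced once per character
; Clobb: eax, ecx, edx, flags (ecx/edx are volatile across GetTickCount);
;        esi/edi/ebx are saved by 'uses'
;-----------------------------------------------------------------------
RandomAP Proc uses esi edi ebx Length_:DWORD,OutPut:DWORD
    mov     ebx,Length_                 ; keep the count in a callee-saved reg: ecx need not survive the API call
    mov     esi,offset Base26A
    mov     edi,OutPut
    .while ebx != 0                     ; guard so a zero length does not wrap the counter
        invoke  GetTickCount
        add     Rndm,eax                ; mix the tick count into the state (not a cryptographic source)
        add     Rndm,'abcd'
        mov     eax,Rndm
        rol     Rndm,4
        and     eax,0Fh                 ; Base26A has exactly 16 entries
        mov     al,byte ptr [esi+eax]
        stosb
        dec     ebx
    .endw
    mov     byte ptr [edi],0            ; terminate explicitly instead of relying on a pre-zeroed buffer
    ret
RandomAP endp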
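;-----------------------------------------------------------------------
; RandomN(Length_, OutPut) - write Length_ pseudo-random digits taken
; from b10 to OutPut and NUL-terminate the result.
; ABI:   stdcall (MASM invoke)
; In:    Length_ = number of characters to emit (0 yields an empty string)
;        OutPut  = buffer of at least Length_+1 bytes
; Out:   OutPut filled and terminated; Rndm advanced once per character
; Clobb: eax, ecx, edx, flags (ecx/edx are volatile across GetTickCount);
;        esi/edi/ebx are saved by 'uses'
;-----------------------------------------------------------------------
RandomN Proc uses esi edi ebx Length_:DWORD,OutPut:DWORD
    mov     ebx,Length_                 ; keep the count in a callee-saved reg: ecx need not survive the API call
    mov     esi,offset b10
    mov     edi,OutPut
    .while ebx != 0                     ; guard so a zero length does not wrap the counter
        invoke  GetTickCount
        add     Rndm,eax                ; mix the tick count into the state (not a cryptographic source)
        add     Rndm,'abcd'
        mov     eax,Rndm
        rol     Rndm,4
        and     eax,0Fh                 ; b10 has exactly 16 entries (0-5 twice)
        mov     al,byte ptr [esi+eax]
        stosb
        dec     ebx
    .endw
    mov     byte ptr [edi],0            ; terminate explicitly instead of relying on a pre-zeroed buffer
    ret
RandomN endp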
end start
Resource file:
;This Resource Script was generated by WinAsm Studio.
// Control ids; the values mirror the equ constants in the .const section of the source.
#define IDD_MAIN 1000
#define IDB_EXIT 1001
#define IDC_SERIAL 1005
#define IDB_GENERATE 1006
// Main dialog: a single row holding the serial edit box and the two buttons.
// Note: no ICON resource with id 200 is declared here, although the dialog
// procedure loads one with LoadIcon(hInstance, 200) on WM_INITDIALOG.
IDD_MAIN DIALOGEX 10,10,268,19
CAPTION "Fake BitDefender 2011 *KeyGen*"
FONT 8,"Tahoma"
STYLE 0x90c80804
EXSTYLE 0x00000188
BEGIN
CONTROL "Exit",IDB_EXIT,"Button",0x10010000,220,3,45,13,0x00020000
// The initial text "Xylitol" is replaced by the generated serial via SetDlgItemText.
CONTROL "Xylitol",IDC_SERIAL,"Edit",0x50010801,3,3,167,13,0x00020000
CONTROL "Generate",IDB_GENERATE,"Button",0x10010000,173,3,44,13,0x00020000
END
// Control ids; the values mirror the equ constants in the .const section of the source.
#define IDD_MAIN 1000
#define IDB_EXIT 1001
#define IDC_SERIAL 1005
#define IDB_GENERATE 1006
// Main dialog: a single row holding the serial edit box and the two buttons.
// Note: no ICON resource with id 200 is declared here, although the dialog
// procedure loads one with LoadIcon(hInstance, 200) on WM_INITDIALOG.
IDD_MAIN DIALOGEX 10,10,268,19
CAPTION "Fake BitDefender 2011 *KeyGen*"
FONT 8,"Tahoma"
STYLE 0x90c80804
EXSTYLE 0x00000188
BEGIN
CONTROL "Exit",IDB_EXIT,"Button",0x10010000,220,3,45,13,0x00020000
// The initial text "Xylitol" is replaced by the generated serial via SetDlgItemText.
CONTROL "Xylitol",IDC_SERIAL,"Edit",0x50010801,3,3,167,13,0x00020000
CONTROL "Generate",IDB_GENERATE,"Button",0x10010000,173,3,44,13,0x00020000
END
Thanks to lelenina for the sample ;)
Edit 21 Apr 2k11: Sample was repacked: http://www.virustotal.com/file-scan/report.html?id=0ecfc26c4c442ee04bcb53ea2f841166233dac7d9c2ebda01d781f990a4781d5-1303403931
According to VirusTotal the sample is now detected by two antivirus engines.
Nice video Xylibox!
Can you post the sample of the Fake BitDefender 2011?
Yoh !!!!!!!!!!!!
I ALMOST had a HEART ATTACK
I Though the Actual BitDefender.com was A FAKE
yesas thank god BitDefender.com is a real ANTIVIRUS
I BOUGHT IT IN 2007 and ENJOYED IT ^___^
THUMBS UP PEOPLE