Sunday, 27 April 2014

Lame scareware

I found a sample yesterday, downloaded via this URL: skyways.co/play.exe. It is a console application with ugly code, plus scareware and a third-party FakeAV call center.
Everything that follows was so lame that I need to talk about it.


At first the malware checks whether it has been dropped into %SYSTEMROOT%/system/.
If that is not the case, it creates a file:

Then you would expect it to write into the newly created file, but no: it adds registry persistence by using the CreateProcess API (oh god, why) instead of RegCreateKey:

It finally writes the file:

It waits 5 minutes, then displays a message box:
"Your computer's file system has encountered a serious error. Please restart the computer or call support at 1-866-286-6162"

After a reboot, a shutdown procedure is initiated:


And 5 minutes later, the message box again:
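As an added triage example (not code from the original post), the Python script below runs a few detection heuristics over constructed process-creation log lines in a simplified Sysmon-like format. It flags the three behaviours described above: a Run-key persistence entry added through a spawned child process rather than the registry API (the post does not show the exact command line, so a `reg add` call is assumed), an executable living in the legacy %SYSTEMROOT%\system directory, and a forced shutdown or reboot. The field names, the `reg.exe` and `shutdown.exe` invocations and every log line are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines (NOT from the original post). A simplified
# Sysmon-like ProcessCreate format with quoted key="value" fields is assumed.
SAMPLE_LOG = r"""
ProcessCreate ParentImage="C:\Users\victim\Downloads\play.exe" Image="C:\Windows\System32\reg.exe" CommandLine="reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v play /d C:\Windows\system\play.exe"
ProcessCreate ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\system\play.exe" CommandLine="C:\Windows\system\play.exe"
ProcessCreate ParentImage="C:\Windows\system\play.exe" Image="C:\Windows\System32\shutdown.exe" CommandLine="shutdown /r /t 0"
ProcessCreate ParentImage="C:\Windows\explorer.exe" Image="C:\Program Files\Editor\editor.exe" CommandLine="editor.exe notes.txt"
"""


@dataclass
class Event:
    parent_image: str
    image: str
    command_line: str


# key="value" pairs; values never contain a double quote in this toy format
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Run key reached through a child process instead of the registry API
RUN_KEY_RE = re.compile(r"\\currentversion\\run\b", re.I)

# %SYSTEMROOT%\system (the legacy 16-bit directory, NOT System32) almost
# never hosts executables on a modern machine, so one living there stands out
LEGACY_SYSTEM_DIR_RE = re.compile(r"\\windows\\system\\[^\\]+\.exe$", re.I)

# shutdown.exe asked to reboot (/r) or power off (/s)
SHUTDOWN_ARGS_RE = re.compile(r"(^|\s)/[rs](\s|$)", re.I)


def parse_event(line: str) -> Optional[Event]:
    """Parse one ProcessCreate line; return None for anything else."""
    if not line.startswith("ProcessCreate "):
        return None
    fields = dict(FIELD_RE.findall(line))
    try:
        return Event(fields["ParentImage"], fields["Image"], fields["CommandLine"])
    except KeyError:
        return None


def classify(ev: Event) -> List[str]:
    """Return the heuristic tags an event triggers (possibly none)."""
    tags: List[str] = []
    image = ev.image.lower()
    cmd = ev.command_line.lower()

    if image.endswith("\\reg.exe") and " add " in cmd and RUN_KEY_RE.search(cmd):
        tags.append("run-key-persistence-via-child-process")

    if LEGACY_SYSTEM_DIR_RE.search(ev.image) or LEGACY_SYSTEM_DIR_RE.search(ev.parent_image):
        tags.append("executable-in-legacy-system-dir")

    if image.endswith("\\shutdown.exe") and SHUTDOWN_ARGS_RE.search(cmd):
        tags.append("forced-shutdown-or-reboot")

    return tags


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged command line to the tags it triggered; clean events are dropped."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        tags = classify(ev)
        if tags:
            findings[ev.command_line] = tags
    return findings


if __name__ == "__main__":
    for command_line, tags in triage(SAMPLE_LOG).items():
        print(f"{', '.join(tags):55s} <- {command_line}")
```

Run against the constructed log, three of the four events are flagged: the `reg add` child process, the copy running out of `%SYSTEMROOT%\system`, and the reboot it spawns; the editor launch stays clean. Each heuristic on its own is noisy (administrators do run `reg add`), which is why the rules are kept separate so an analyst can weigh their combination rather than alert on any one of them.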


I searched for the phone number on Google and found this:
"Technicion is an independent provider of on-demand tech support and not affiliated with any third party"

OK, what about the payment page:
Just 99.99 without any explanation; even the currency symbol is unknown. What a serious site.

And for the record, I tried to call 1-866-286-6162 to insult them and tell them how much I hate their ugly code, etc., but there were no representatives available.

6 comments:

  1. More malware fails please!
    Like you were doing before: http://www.xylibox.com/2011/05/trojankillfiles.html

  2. I love how it's actually a console application, what a moronic malware...

    But then again, fake support are morons. I once trolled one fake support guy; they tried to run a .NET registry cleaner thing (I reversed it after, it was actually a registry cleaner) on my VM without the .NET framework. Of course it failed to execute, and they didn't know wtf was going on.

    Fake support guys are so stupid it's funny people fall for it.

  3. You must have called at the wrong time, I got "Sam from technical support" in a matter of seconds.

  4. This is indeed the most awful code seen in a while...
