Seeing Triple?

And here we thought our vision was bad the other day when we were dizzy from seeing double.

And here we thought our vision was bad the other day when we were dizzy from seeing double.

And here we thought our vision was bad the other day when we were dizzy from seeing double.

Today and yesterday, some of our users were duped into seeing triple. Wav2008.com, sav2008.com, and vav2008.com all appear to hawk pretty much the same stuff. When we download and run each, we get the same misleading scam.
Here is a shot of the wav.exe gui after installing the product and running the scanner. The machine was infected and hundreds of malware and infected files resided on the system. The scanner claims to have found a couple cookies (which are pretty standard for any activity on the web) and some generic names:

Another window appears, reporting the 17 infections that it found and providing standard scary messages:

Any user looking to clean up the “Threats” is prompted with another dialog box for payment:

Running the setup on several other clean systems resulted in pretty much the same phony messages. The software will state that any system it is installed on is infected and payment is required to clean the infections up.
Here is a nifty control panel icon that they add, mirroring the Windows Security Center icon that is shipped by Microsoft:

One unfortunate thing that the distributors just forget to mention on the site is that uninstall functionality is missing from the free scan software, or should I say scam software. Because of this minor oversight, the software repeatedly displays nag windows to the user that a “Blaster/Sasser” attack has been detected, and multiple other infections have been found. Here is the add/remove applet on a system with the software installed, showing the lack of ease for uninstallation:

We’ll get back to this topic when we see more than a dozen at a time.

One last note on this malware’s behavior — at runtime the software sets global hooks. This activity can be a major problem when you don’t know or trust the source. Bill Mullins’ blog posted some information suggesting “There have been some reports indicating that XP Antivirus 2008 has the potential to capture and transmit personal and financial information, although this remains largely unverified”. Well, with the global hooks this software sets, the functionality is there to collect arbitrary information off the machine. We have not witnessed this software collecting arbitrary information off of the system and sending it home.

This entry was posted in Online Fraud. Bookmark the permalink.

2 Responses to Seeing Triple?

  1. Wao says:

    First, thank you for your developers’ hard work. ThreatFire is much better than its origin – Cyberhawk.

    But, there is one problem I really concern about. It’s about threat list.
    When I set the “Schedule Scan” and it finished work, TF always told me there were some threats in my system but never told me what the threats were.

    The only way I can do is re-scanning, then I know what the threats exactly are.

    I wish your dear developers can fix this problem as soon as possible.

    Thank you sincerely !
    A ThreatFire Fan

  2. ThreatFire Blogger says:

    Hi Wao, Thanks so much for the compliment. It’s good to hear from a satisfied user.

    Sorry to hear about the scanner issue you are seeing. Our qa/support team has looked at the issue and is working on it.
    Please, in the future, post support issues on the PC Tools ThreatFire forum, the link is here:
    You will get a quick response.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>