Last week’s Bredolab post generally described the ongoing downloader’s email blasts and the malicious injector/downloader’s static and dynamic characteristics. Here are a few more screenshots of the moneymaker payload. This payload currently is the rogueware/scareware “PC AntiSpyware 2010”, which also has been distributed in a number of other ways over the past few months.
First off, users are prompted with the all-too-familiar, inaccurate and scary taskbar balloon “Your Computer is Infected! Windows has detected spyware infection!”.
The software then pops an attractive dialog, appearing to scan the drive and find infections. So far in this screenshot it incorrectly reported 34 infections on our clean lab machine:
Even on our clean lab system, the user is also prompted with a series of phony malware detections. This one appears to be “Email-Worm.JS.Gigger”, which they claim can “reformat the user’s hard disk after reboot”:
A registration page will eventually pop up, which redirects the user to a page to register the software for a “Lifetime Software License – 89.95 USD One Time Charge”.
The home page for the site includes a set of supposed “Testimanials” (sic) and a list of logos for awards the product has never received:
This site’s installer, “installer2.exe”, is served up from a site hosted in London:
As warned in the previous post, always be suspicious of attachments that arrive via email and of software delivered from web sites that don’t seem to be trustworthy, and add a behavioral layer of protection to your system.