1st Rogue Mail in 2010

Written by traversecode. Posted in Rogue Analysis

Here comes the 1st rogue mail of 2010 that I’ve analyzed. When I saw this mail in my Inbox, I felt like the sender had gifted me for the New Year ;-)

You can see the guy wishing me a Happy New Year and giving a link; even the URL carries the word ‘newyear’.

[Screenshot: the New Year greeting mail with its link]

Now let us click on the link to check my gift. Hey, the URL redirects me to another website,

“hxxp://scanonlinesiteblog.com/index.php?affid=92600”. As I expected, it displayed a fake scanning page with an infection warning, as shown in the screenshot below.

[Screenshot: fake online scanning page with infection warning]

Upon clicking anywhere on the page, it downloaded “install.exe”. Information about the file is given below.

File Name: install.exe
Size: 1167872
MD5: B6A72EC829D5DED17765FF60AEBCDFB5
SHA1: 8A4B8DB29C438340A694A94E1F6913ABC0EF12AD
Virus Total Results: http://www.virustotal.com/analisis/1b1a3b11762c898d0b17f3db1ccc91cc1c0512ec396900237a5f3df6f42e5ac7-1262368521

On execution, the setup file copies itself to %ALLUSERSPROFILE%\Application Data\<Random number>\<Random number>.exe, then creates a batch file that kills the original process with “taskkill /im install.exe” and deletes install.exe from the directory it was run from.
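One way to turn the indicators above into a defender's check, as an added example that is not part of the original post: the MD5 and SHA1 values are the ones listed for install.exe above, the path pattern and the batch-file check follow the self-copy and self-delete behaviour just described, and the sample paths and batch text are constructed for illustration (they are not taken from the real sample).

```python
import hashlib
import re

# Hashes of install.exe as listed in the post (lower-cased for comparison).
KNOWN_MD5 = "b6a72ec829d5ded17765ff60aebcdfb5"
KNOWN_SHA1 = "8a4b8db29c438340a694a94e1f6913abc0ef12ad"

# Drop location described in the post:
# %ALLUSERSPROFILE%\Application Data\<Random number>\<Random number>.exe
DROP_PATH_RE = re.compile(r"\\Application Data\\(\d+)\\(\d+)\.exe$", re.IGNORECASE)

# Self-delete helper described in the post: a batch file that runs
# "taskkill /im install.exe" and then removes the original executable.
TASKKILL_RE = re.compile(r"\btaskkill\b[^\r\n]*\s/im\s+install\.exe", re.IGNORECASE)
DEL_RE = re.compile(r"^\s*(?:del|erase)\b", re.IGNORECASE | re.MULTILINE)


def hash_bytes(data: bytes) -> tuple:
    """Return (md5, sha1) hex digests of the given bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def matches_known_sample(data: bytes) -> bool:
    """True when the bytes hash to the install.exe values from the post."""
    md5, sha1 = hash_bytes(data)
    return md5 == KNOWN_MD5 or sha1 == KNOWN_SHA1


def is_rogue_drop_path(path: str) -> bool:
    """True for <...>\\Application Data\\<digits>\\<digits>.exe style paths."""
    return DROP_PATH_RE.search(path) is not None


def is_self_delete_batch(text: str) -> bool:
    """True when batch text kills install.exe and also deletes a file."""
    return bool(TASKKILL_RE.search(text) and DEL_RE.search(text))


def find_suspicious_paths(paths):
    """Return the subset of paths matching the rogue drop pattern."""
    return [p for p in paths if is_rogue_drop_path(p)]


# Constructed sample data for this example (not from the real sample).
SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\Application Data\43512678\43512678.exe",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log",
    r"C:\Program Files\Common Files\setup.exe",
    r"C:\Documents and Settings\All Users\Application Data\19023\7781.exe",
]

# Constructed batch text with the two traits the post describes.
SAMPLE_BATCH = "\r\n".join([
    "@echo off",
    "taskkill /im install.exe",
    'del "C:\\Documents and Settings\\user\\Desktop\\install.exe"',
])


if __name__ == "__main__":
    for p in find_suspicious_paths(SAMPLE_PATHS):
        print("suspicious drop path:", p)
    print("self-delete batch:", is_self_delete_batch(SAMPLE_BATCH))
    print("hashes of constructed data:", hash_bytes(b"not the real sample"))
```

The path check deliberately does not require the directory and file numbers to match, since the post only says both are random; on a live system you would feed it a directory walk of %ALLUSERSPROFILE%\Application Data and compare any hit's hashes against the two values above.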

Upon successful installation it displays the message below,

[Screenshot: message displayed after installation]

Here comes the Security Tool, which scanned my system and found infections that even the Top 10 antivirus products did not find ;-)

[Screenshot: Security Tool scan results (1 of 2)]

[Screenshot: Security Tool scan results (2 of 2)]

And now comes the activation part. To clean the above infections I have to purchase the product. Let me check how much the product is. Great!! It is quite cheaper than any other product: a 2-year license is $49.95 and lifetime is $79.95. I don’t think any organization offers a lifetime product ;-) Below I can find an option to enter my credit card information and other details. Check the screenshot below.

[Screenshot: activation page with credit card entry form]

Nooooooooooooooooooooo!!!!!!!!!!

I cannot purchase a gift. A gift is meant to be given for free. So let me mail this guy to give me the product for free ;-)


Comments (6)

  • palaniyappan

    Hey buddy, this rogue will do much more than what you have posted.
    Analyze a malware well and then post.

    • Shiv - Threat Research Analyst

      Hi Palani,

      Thanks for your feedback. My intention in this research is not to analyze the Rogue product itself. My intention was to talk about the mail which I received, to create awareness for people not to click such links from such mails, and to show how these products steal money from users. In fact the subject says “1st Rogue Mail in 2010”, not “Reversing a rogue”. Please do understand the intention of posts and then comment.

  • palaniyappan

    Do you have the sample with you…
    send me a live link dude..

    • Shiv - Threat Research Analyst

      Unfortunately I did not save the sample. And the link is now dead. You can get a few from Offensive Computing, MDL or other collection sources.

  • Ruben

    First of all, congrats for the analysis.
    I completely disagree with the comment that criticizes you.
    This person is unethical, requesting a file that could harm others, and is clearly NOT a researcher or somebody from the AV industry.
    There is a LOT of this kind of malware-scam software out there. Maybe it would be convenient to make a list naming the fake products.

    Yours truly

    R
