
Tricks of some Rogue/Fake Antivirus
Haven’t had a chance to update in a while like I have wanted to, but felt that I needed to make an effort to share some of the tricks I have had to fight lately. I see a lot of articles out there about Rogue AVs and Fake Security warnings, but unless you search specifically for the one that has grabbed you by the short hairs and not let go, you don’t see a lot of information on fighting them, or even on what you should watch out for when trying to fix the damage they have wrought on a machine. So I’m going to pass on a few words of wisdom, and while this may read like a general how-to, bear with me; you will be rewarded with some insight that can make your fight easier. First things first: DON’T reboot the machine multiple times, letting the infection dig deeper and deeper. DO disconnect it from the network, and from any USB drives etc., immediately. Power the machine off, not by clicking through the Start button in Windows, but by holding the power button in until the machine turns off. Boot up off of a recovery CD/DVD of some kind; I like to use UBCD4WIN myself, though Hiren’s BootCD works well too.
Since most of the Rogue AVs out there are good at hiding from anti-virus programs, you’re going to need to do a few things to make the system usable again, including scanning the system from the bootable disk. However, you first need to look in the Documents and Settings folder, both under the All Users folder and the folder for the main user; these are hidden folders, so make sure you have the ability to see hidden folders turned on. A lot of the things out there have gotten smarter and started putting files in the All Users/App Data folder so that they start with Windows at boot! This can make it a real pain when you are looking for the exe and dll files in the main user profile and not seeing anything, thinking MAYBE you caught the infection before it got in, only to get sucker punched later. Some of the ones I have seen put the files in most of the user directories, so that no matter who you log on as, you launch the nasty little bugger again. Standard clean-up procedures apply, as I have described in one of my earlier posts, making sure to fix all the registry entries.
The nastiest new trick I have seen is the changing of ALL the folder and file permissions to be Hidden/System files. This means that Windows will boot, but all the data seems to be missing from the system, and most programs will not run. There is no easy way that I know of to completely reset all the permissions; the best solution I have found is to remove the infected files, then do a System Restore from a few days earlier to reset a lot of the permissions. The problem with this method is that it doesn’t always reset the User Profile folders to not be hidden. Also, depending on when you picked up your unwanted guest, you may have just restored it along with the folder permissions. Another nasty little trick is to change the registry entry that controls how Windows handles exe files. This means that when you click on Adobe Reader on your desktop, for example, it won’t launch, because Windows is looking for your unwanted guest so it can launch IT first, and then either launch or block the program you actually tried to run. I use the following .reg file to change it back, usually loaded from a USB thumb drive:
Windows Registry Editor Version 5.00

; The file header and the key names above the first two values were lost in the
; post's formatting; they are reconstructed here using the standard Windows
; defaults (HKCR\.exe maps to "exefile") so the file imports cleanly with regedit.
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

; This is the value the rogue AVs hijack: anything other than "%1" %* here
; puts another program in front of every exe you launch.
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
This has worked (so far) every time for me in restoring the normal ability for exes to run. I have gotten into the habit of importing this .reg file after every time I have cleaned a Rogue AV from a machine, just as a precaution, as they are getting trickier to deal with. As always, you should be sure to clean out the temporary Internet files, check for anything that may have been added to the hosts file, and run multiple scans with different, updated anti-virus and anti-spyware programs before you consider a machine healthy enough to be used again. But hopefully this will give you a better insight into what you should be looking for when trying to clean these kinds of infections up.
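Once the machine is cleaned and booted back into Windows normally, the four things the post says to check (the exe association, the hosts file, the All Users and per-user startup locations, and profile folders flagged Hidden/System) can be verified in one pass from an elevated PowerShell prompt. This read-only triage script is an added example, not something from the original post; it assumes a standard Windows install and only reports, it changes nothing.

```powershell
# Added example (not from the original post): read-only post-cleanup checks for the
# things rogue AVs tamper with. Run in an elevated PowerShell after the machine is clean.
$ExpectedCommand = '"%1" %*'   # the value the post's .reg file restores

function Test-ExeAssociation {
    $issues = @()
    $ext = (Get-Item 'Registry::HKEY_CLASSES_ROOT\.exe').GetValue('')
    if ($ext -ne 'exefile') { $issues += ".exe maps to '$ext', expected 'exefile'" }
    foreach ($verb in 'open', 'runas') {
        $item = Get-Item "Registry::HKEY_CLASSES_ROOT\exefile\shell\$verb\command" -ErrorAction SilentlyContinue
        $cmd = if ($item) { $item.GetValue('') } else { '<missing>' }
        # anything other than "%1" %* means another program sits in front of every exe launch
        if ($cmd -ne $ExpectedCommand) { $issues += "$verb command is $cmd, expected $ExpectedCommand" }
    }
    $issues
}

function Get-SuspiciousHostsEntries {
    # every active hosts line except the plain localhost entries
    $hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object { $_ -match '^\s*[^#\s]' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

function Get-AutostartEntries {
    # Run keys, plus exe/dll/lnk files sitting in the Startup and Application Data folders the post mentions
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if ($props) { $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$key : $($_.Name) = $($_.Value)" } }
    }
    foreach ($folder in 'CommonStartup', 'Startup', 'CommonApplicationData', 'ApplicationData') {
        $dir = [Environment]::GetFolderPath($folder)
        Get-ChildItem $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|lnk)$' } |
            ForEach-Object { "$dir : $($_.Name)" }
    }
}

function Get-HiddenSystemProfileFolders {
    # profile folders carrying both Hidden and System are the "all my data is gone" symptom
    Get-ChildItem (Split-Path $env:USERPROFILE -Parent) -Force |
        Where-Object { $_.PSIsContainer -and $_.Attributes -match 'Hidden' -and $_.Attributes -match 'System' } |
        ForEach-Object { $_.FullName }
}

'== exe association problems ==';      Test-ExeAssociation
'== non-localhost hosts entries ==';   Get-SuspiciousHostsEntries
'== autostart entries to review ==';   Get-AutostartEntries
'== Hidden+System profile folders =='; Get-HiddenSystemProfileFolders
```

Empty sections mean that check came back clean; anything listed under the exe association or hosts sections should be fixed before the machine goes back into use, while the autostart list is for you to read through against what you expect on that machine.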
*** This is a Security Bloggers Network syndicated blog from Technomagic authored by David. Read the original post at: https://varne.wordpress.com/2011/06/21/tricks-of-some-roguefake-antivirus/