
Rogue:Win32/Defru


First posted on 19 August 2014.
Source: Microsoft

Aliases :

There are no other names known for Rogue:Win32/Defru.

Explanation :

Threat behavior

Installation

The rogue copies itself to the %APPDATA% folder with a filename of the form w1ndows_<suffix>.exe, where the suffix varies between samples, for example w1ndows_33a0.exe.

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "w1ndows_<suffix>.exe", for example "w1ndows_33a0.exe"
With data: "%APPDATA%\w1ndows_<suffix>.exe", for example "%APPDATA%\w1ndows_33a0.exe"

Upon installation, the rogue contacts the remote server at pcdefender.co.vu (82.146.48.21), which replies with a simple "OK" to confirm that the connection is working.
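
The dropper name and the autostart value above are the host-side indicators to hunt for. The following Python script is an added example (it is not part of the Microsoft write-up and not the rogue's own code) that checks Run-key values and an %APPDATA% listing for the w1ndows_<suffix>.exe pattern. It assumes the suffix is four hexadecimal characters, generalising from the single example w1ndows_33a0.exe on this page; the sample Run values and profile path are constructed for illustration, and the live registry read only works on Windows.

```python
import ntpath
import os
import re
import sys

# Naming scheme described for the dropper: "w1ndows_" + short suffix + ".exe"
# (the page's example is w1ndows_33a0.exe). Assumption, not stated on the page:
# the suffix is four hexadecimal characters.
DEFRU_NAME_RE = re.compile(r"^w1ndows_[0-9a-f]{4}\.exe$", re.IGNORECASE)

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample Run values and profile path, for running the checks off-Windows.
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "w1ndows_33a0.exe": r"%APPDATA%\w1ndows_33a0.exe",
}


def is_defru_name(path):
    """True if the file name part of `path` matches the dropper naming scheme."""
    return bool(DEFRU_NAME_RE.match(ntpath.basename(path)))


def image_path(data):
    """Extract the executable path from Run value data, which may be
    '"C:\\quoted path\\x.exe" args' or 'C:\\path\\x.exe args'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def suspicious_run_entries(run_values, appdata):
    """Return (value name, data) pairs that look like the Defru autostart entry.

    run_values: {value name: data} as stored under HKCU\\...\\Run.
    appdata:    the user's %APPDATA% directory (used to expand the data field).
    """
    hits = []
    for name, data in run_values.items():
        exe = image_path(data.replace("%APPDATA%", appdata))
        in_appdata = ntpath.normcase(ntpath.dirname(exe)) == ntpath.normcase(appdata)
        if is_defru_name(name) or (in_appdata and is_defru_name(exe)):
            hits.append((name, data))
    return hits


def find_dropper_files(appdata):
    """List files directly under %APPDATA% whose names match the scheme."""
    try:
        names = os.listdir(appdata)
    except OSError:
        return []
    return sorted(ntpath.join(appdata, n) for n in names if is_defru_name(n))


def read_hkcu_run():
    """Read the live HKCU Run key on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    appdata = os.environ.get("APPDATA", SAMPLE_APPDATA)
    run_values = read_hkcu_run() or SAMPLE_RUN
    for name, data in suspicious_run_entries(run_values, appdata):
        print(f"suspicious Run value {name!r} -> {data}")
    for path in find_dropper_files(appdata):
        print(f"dropper-like file: {path}")
```

The check matches on either the value name or the expanded image path, because the name is whatever the dropper chose and a renamed value still points at the same file. Pair it with a network look for connections to pcdefender.co.vu or 82.146.48.21, which this page reports as the check-in target as well as the redirect destination.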

Payload

Redirects your browser

The rogue changes your hosts file so that the sites you try to visit resolve to a specific fake website, pcdefender.co.vu. Sites of this kind are a standard social-engineering prop for fake antivirus malware.

The following example shows the redirected page if you try to go to www.bing.com. Because the redirection happens at name resolution, the address bar still displays the URL for Bing.
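
Since the hijack lives in the hosts file rather than in the browser, the hosts file is the artefact to inspect. The following Python script is an added example (not from the original write-up, and not the rogue's PHP) that parses a hosts file, flags public addresses mapped to well-known names or to the 82.146.48.21 sink address reported on this page, and produces a cleaned copy. The sample hosts content is constructed, the watched-name set is a handful of entries taken from the list under Additional information, and flagging any public address mapped to a watched name generalises beyond the single sink address the page reports.

```python
import ipaddress
import os
import sys
from collections import defaultdict

# Indicators from the write-up: the landing site and the address it resolved to.
SINK_HOST = "pcdefender.co.vu"
SINK_IP = "82.146.48.21"

# A handful of the hijacked names listed under "Additional information";
# the real list is roughly 350 entries long.
WATCHED_NAMES = {
    "bing.com", "google.com", "accounts.google.com", "facebook.com", "vk.com",
    "yandex.ru", "mail.ru", "kaspersky.com", "drweb.com", "eset.ua", "avast.com",
    "microsoft.com", "virustotal.com", "galafinance.com",
}

# Constructed sample hosts file (not a capture): default Windows comments, one
# legitimate local entry, and injected lines of the kind described above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 dev.local
82.146.48.21 bing.com www.bing.com
82.146.48.21 google.com www.google.com accounts.google.com
82.146.48.21 kaspersky.com drweb.com eset.ua avast.com
82.146.48.21 vk.com mail.ru yandex.ru
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts file text, skipping comments,
    blank lines and lines whose first field is not an IP address."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        pairs.extend((ip, name.lower()) for name in fields[1:])
    return pairs


def _parent_watched(name, watched):
    """True if a parent domain of `name` (bing.com for www.bing.com) is watched."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in watched for i in range(1, len(parts) - 1))


def find_hijacks(text, watched=WATCHED_NAMES, sink_ips=(SINK_IP,)):
    """Map each hijacking address to the names it captures.

    A mapping counts as a hijack when a public (non-loopback, non-private,
    non-link-local) address is given for a watched name or one of its
    subdomains, or when the address is a known sink, whatever the name.
    """
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            continue
        if ip in sink_ips or name in watched or _parent_watched(name, watched):
            by_ip[ip].append(name)
    return dict(by_ip)


def clean_hosts(text, bad_ips):
    """Return the hosts text with every line mapping to an address in bad_ips removed."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            try:
                if str(ipaddress.ip_address(fields[0])) in bad_ips:
                    continue
            except ValueError:
                pass  # not an address in column one; keep the line as-is
        kept.append(raw)
    return "\n".join(kept) + "\n"


def hosts_path():
    """Location of the hosts file on this platform."""
    if sys.platform == "win32":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS
    hijacks = find_hijacks(text)
    for ip, names in hijacks.items():
        print(f"{ip} captures {len(names)} name(s): {', '.join(sorted(names))}")
    if not hijacks:
        print(f"no hijacked entries in {path}")
```

Run it with a path argument to inspect a hosts file copied off a suspect machine. Note that the list under Additional information covers the websites of most antivirus vendors and virustotal.com, so on an infected machine the hosts file has to be repaired (for instance with clean_hosts) before a cleanup tool can be fetched from a vendor site; the autostart value and the dropper in %APPDATA% described under Installation also have to be removed.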



The fake scanner will claim that one of the following files is infected:

  • AWCODC32.DLL
  • BANANA.ANI
  • BATCH.EXE
  • COMCTL31.DLL
  • D40_MS.SPD
  • DBLSPACE.BAT
  • DC2250P1.SPD
  • DCIMAN32.DLL
  • DCLPS401.SPD
  • DECPSMW4.DLL
  • E21K3.SYS
  • ELNK3.DOS
  • FONTVIEW.EXE
  • FREECELL.CNT
  • GRPCONV.EXE
  • HP1200C.ICM
  • HPIII522.SPD
  • HPJDUND.HLP


It will also say that it has detected the following malware (all of these detections are fake):

  • Adware.Win32.Look2me
  • JS/TrojanDownloader.FraudLoad.NAQ
  • Magic DVD Ripper
  • Trojan Horse IRC
  • Trojan virtumonde
  • Trojan.Fakealert
  • Trojan.Qoologic - Key Logger
  • TrojanDownloader:JS/Renos
  • Trojan-PSW.Win32


The website promises a system clean, access to webpages, daily updates, and access to "Windows Security" and "Windows Defender", as in the following figure:



You will be redirected to this page constantly as you browse the Internet. The redirection targets specific websites; for the list of known targets, see Additional information below.

If you click "Pay Now", you are taken to a payment portal called "Payeer" (payeer.com) that displays payment information. The portal is linked to galafinance.com, a website that displayed a "Temporary busy" message during analysis and is now offline.



Additional information

The following are the websites that the rogue directs your browser away from:

  • 101.ru
  • 1tv.ru
  • 2gis.ru
  • 3dnews.ru
  • 4pda.ru
  • accounts.google.com
  • adme.ru
  • admitad.com
  • afisha.mail.ru
  • afisha.ru
  • aif.ru
  • ajax.googleapis.com
  • aliexpress.com
  • allbest.ru
  • anidub.com
  • anonym.to
  • apple.com
  • ask.fm
  • astromeridian.ru
  • auto.ria.com
  • auto.ru
  • auto.yandex.ru
  • avast.com
  • avast.ru
  • avg.com
  • avia.ria.com
  • avira.com
  • avito.ru
  • baby.ru
  • babyblog.ru
  • badoo.com
  • banki.ru
  • baskino.com
  • battle.net
  • battlefield.com
  • bestkino.su
  • bigcinema.tv
  • bing.com
  • bitdefender.com
  • blizko.ru
  • bolshoyvopros.ru
  • bonprix.ru
  • bonprix.ua
  • brb.to
  • career.ru
  • championat.com
  • cityadspix.com
  • clamav.net
  • clamwin.com
  • clip2net.com
  • cloudantivirus.com
  • cnews.ru
  • comodo.com
  • comss.ru
  • coub.com
  • depositfiles.com
  • deti.mail.ru
  • dfiles.com
  • dfiles.ru
  • directadvert.ru
  • dmir.ru
  • dni.ru
  • dojki.com
  • dom.ria.com
  • dom2.ru
  • dota2.ru
  • drive.ru
  • drive2.ru
  • drom.ru
  • drweb.com
  • drweb.ru
  • dr-web.su
  • drweb.ua
  • e1.ru
  • eldorado.ru
  • enter.ru
  • eratransfers.ru
  • eset.ua
  • esetnod32.ru
  • evernote.com
  • ex.ua
  • expert.ru
  • facebook.com
  • farpost.ru
  • fastpic.ru
  • fast-torrent.ru
  • fb.com
  • filehippo.com
  • filmix.net
  • fishki.net
  • fl.ru
  • flickr.com
  • f-lite.ru
  • fontanka.ru
  • fonts.googleapis.com
  • footballhd.ru
  • forex-mmcis.com
  • forum.kaspersky.com
  • forumhouse.ru
  • fotki.yandex.ru
  • fotostrana.ru
  • f-prot.com
  • free.avg.com
  • free-av.com
  • fuxio.net
  • galafinance.com
  • games.mail.ru
  • gazeta.ru
  • get-tune.net
  • gi-akademie.com
  • gidonlinekino.com
  • go.mail.ru
  • google.am
  • google.com
  • google.com.ua
  • google.kz
  • google.ru
  • googleusercontent.com
  • habrahabr.ru
  • hdkinoteatr.com
  • heroeswm.ru
  • hh.ru
  • home.webalta.ru
  • images.yandex.ru
  • imhonet.ru
  • infox.sg
  • inosmi.ru
  • instagram.com
  • iplayer.fm
  • irecommend.ru
  • irr.ru
  • itar-tass.com
  • ivi.ru
  • izvestia.ru
  • jimdo.com
  • job.ru
  • justclick.ru
  • kakprosto.ru
  • kaspersky.com
  • kaspersky.ru
  • kinogo.net
  • kinokrad.net
  • kinopoisk.ru
  • kinozal.tv
  • kommersant.ru
  • kp.ru
  • labirint.ru
  • lady.mail.ru
  • lenta.ru
  • letitbit.net
  • lice-mer.ru
  • lifenews.ru
  • list.ru
  • litmir.net
  • live.ru
  • liveinternet.ru
  • livejournal.com
  • livejournal.ru
  • liveresult.ru
  • livetv.sx
  • livetv.tv
  • lostfilm.tv
  • loveplanet.ru
  • m24.ru
  • mail.google.com
  • mail.ru
  • mamba.ru
  • market.yandex.ru
  • marketgid.ru
  • mcafee.com
  • mediafort.ru
  • meganovosti.net
  • megogo.net
  • microsoft.com
  • minigames.mail.ru
  • mir24.tv
  • mirtesen.ru
  • mk.ru
  • mos.ru
  • moskva.fm
  • msn.com
  • music.yandex.ru
  • muzofon.com
  • mvideo.ru
  • my.mail.ru
  • my-hit.org
  • myvi.ru
  • nanoav.ru
  • neobux.com
  • new-rutor.org
  • news.sportbox.ru
  • news.yandex.ru
  • ngs.ru
  • nn.ru
  • norton.com
  • nova.rambler.ru
  • novayagazeta.ru
  • ntv.ru
  • odnoklassniki.ru
  • ojooo.com
  • ok.ru
  • onclickads.net
  • onlainfilm.ucoz.ua
  • orpoisk.ru
  • otvet.mail.ru
  • otzovik.ru
  • overclockers.ru
  • ovg.cc
  • ozon.ru
  • pandasecurity.com
  • pikabu.ru
  • pinterest.com
  • planeta-online.tv
  • playcast.ru
  • playground.ru
  • poiskm.ru
  • politikus.ru
  • popmog.com
  • pornhub.com
  • pornolab.net
  • pornoload.com
  • pravda.ru
  • prntscr.com
  • profit-partner.ru
  • prostoporno.net
  • r0.ru
  • rabota.ru
  • radikal.ru
  • railnation.ru
  • rambler.ru
  • rbc.ru
  • realty.mail.ru
  • reddit.com
  • redtube.com
  • regnum.ru
  • retre.org
  • rg.ru
  • ria.com
  • ria.ru
  • roem.ru
  • rosbalt.ru
  • rp5.ru
  • rt.com
  • rt.ru
  • ru.clamwin.com
  • ru.msn.com
  • ru.norton.com
  • rugion.ru
  • ruhelp.com
  • rusnovosti.ru
  • rusplt.ru
  • russia.rt.com
  • russia.tv
  • russianfood.com
  • russianpost.ru
  • rusvesna.su
  • rutor.org
  • rutracker.org
  • rutube.ru
  • rzd.ru
  • savefrom.net
  • sbnlife.com
  • search.qip.ru
  • searchengines.guru
  • searchengines.ru
  • seosprint.net
  • sergey-mavrodi.com
  • skladchik.com
  • smotri.com
  • snob.ru
  • soccer.ru
  • sophos.com
  • sovsport.ru
  • sportbox.ru
  • sport-express.ru
  • sprashivai.ru
  • sputnik.ru
  • srclick.ru
  • sru
  • start.qip.ru
  • start.webalta.ru
  • steamcommunity.com
  • steampowered.com
  • stoloto.ru
  • store.steampowered.com
  • subscribe.ru
  • superjob.ru
  • surfingbird.ru
  • svpressa.ru
  • svyaznoy.ru
  • symantec.com
  • t.co
  • t.ru.msn.com
  • tankionline.com
  • tfile.me
  • thepiratebay.se
  • tiu.ru
  • tjournal.ru
  • tnt-online.ru
  • topwar.ru
  • torrentino.com
  • translate.ru
  • tube8.com
  • tumblr.com
  • turbobit.net
  • tutu.ru
  • tv.yandex.ru
  • tvzavr.ru
  • twitter.com
  • ulmart.ru
  • userapi.com
  • utro.ru
  • vedomosti.ru
  • vesti.ru
  • vezuha.me
  • video.yandex.ru
  • vimeo.com
  • viruslab.ru
  • virustotal.com
  • vk.com
  • vk.me
  • vube.com
  • warthunder.ru
  • webalta.ru
  • wildberries.ru
  • wmmail.ru
  • wooman.ru
  • workle.ru
  • worldoftanks.ru
  • xhamster.com
  • xnxx.com
  • xvideos.com
  • ya.ru
  • yadi.sk
  • yahoo.com
  • yandex.com
  • yandex.net
  • yandex.ru
  • yandex.ua
  • yaplakal.com
  • yota.ru
  • youporn.com
  • youtube.com
  • zaycev.net
  • zillya.ua
  • zona.ru
  • zoomby.ru


The rogue is written in PHP and uses a PHP EXE compiler (Bambalam).



Analysis by Daniel Chipiristeanu

Symptoms

The following could indicate that you have this threat on your PC:

  • You see the following website when browsing the Internet:

Last update 19 August 2014

 
