SupportScam:Win32/Monitnev.A
First posted on 24 March 2017.
Source: Microsoft
Aliases:
There are no other names known for SupportScam:Win32/Monitnev.A.
Explanation:
Arrival and Installation
This threat can use the following icons, which can make it look like an installer:
Its file properties indicate file version 0.0.0.0.
It is digitally signed, but the signing certificate had already expired at the time of analysis.
It runs as an "Event Monitor" installer.
When run, it drops the following copy of itself:
%APPDATA%\Event Monitor\em.exe
It may also create the following files:
- %APPDATA%\Event Monitor\eng_em.ini
- %APPDATA%\Event Monitor\French_em.ini
- %APPDATA%\Event Monitor\German_em.ini
- %APPDATA%\Event Monitor\ininotfound0.ini
- %APPDATA%\Event Monitor\isxdl.dll
- %APPDATA%\Event Monitor\japan_em.ini
It creates the following registry entries to make sure it runs every time the PC starts:
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: EMReminder
With data: "%APPDATA%\Event Monitor\em.exe -rem"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Event Monitor
Sets value: bShowCongratsAfterUpdateRestart
With data: dword:00000000
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Event Monitor
Sets value: Expired
With data: dword:00000000
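The file and registry indicators listed above can be checked on a suspect host with a read-only PowerShell script. The following is an added example written for this entry, not Microsoft's own tooling; it assumes the indicators are in the current user's profile and registry hive only (the Run value lives under HKEY_CURRENT_USER, so other user profiles on a shared machine would need their own check), and it reports findings without removing anything.

```powershell
# Added example (not part of the Microsoft entry): look for the dropped files and
# persistence/state registry entries documented for SupportScam:Win32/Monitnev.A.
# Read-only: it only reports what it finds. Assumes the current user's profile and hive.
$indicators = @()

# 1. Dropped copy and config files under %APPDATA%\Event Monitor
$dropDir = Join-Path $env:APPDATA 'Event Monitor'
$files = @('em.exe', 'eng_em.ini', 'French_em.ini', 'German_em.ini',
           'ininotfound0.ini', 'isxdl.dll', 'japan_em.ini')
foreach ($f in $files) {
    $p = Join-Path $dropDir $f
    if (Test-Path -LiteralPath $p) {
        $detail = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        if ($f -eq 'em.exe') {
            # The entry notes the binary is signed with an expired certificate;
            # record the Authenticode status so the analyst can see it directly.
            $sig = Get-AuthenticodeSignature -FilePath $p
            $detail += " (signature: $($sig.Status))"
        }
        $indicators += [pscustomobject]@{ Type = 'File'; Location = $p; Detail = $detail }
    }
}

# 2. Per-user Run value EMReminder -> "%APPDATA%\Event Monitor\em.exe -rem"
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'EMReminder' -ErrorAction SilentlyContinue
if ($null -ne $runVal) {
    $indicators += [pscustomobject]@{ Type = 'Registry'; Location = "$runKey\EMReminder"; Detail = $runVal.EMReminder }
}

# 3. Machine-wide state key HKLM\SOFTWARE\Event Monitor and its two documented values
$stateKey = 'HKLM:\SOFTWARE\Event Monitor'
if (Test-Path -LiteralPath $stateKey) {
    foreach ($name in 'bShowCongratsAfterUpdateRestart', 'Expired') {
        $v = Get-ItemProperty -Path $stateKey -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            $indicators += [pscustomobject]@{ Type = 'Registry'; Location = "$stateKey\$name"; Detail = $v.$name }
        }
    }
}

# 4. Is the dropped binary currently running?
$proc = Get-Process -Name 'em' -ErrorAction SilentlyContinue | Where-Object { $_.Path -like "$dropDir\*" }
foreach ($pr in $proc) {
    $indicators += [pscustomobject]@{ Type = 'Process'; Location = $pr.Path; Detail = "PID $($pr.Id)" }
}

if ($indicators.Count -eq 0) { 'No SupportScam:Win32/Monitnev.A indicators found.' }
else { $indicators | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session so the HKLM key is readable; the Run value and the files under %APPDATA% are visible without elevation. The presence of the Run value alone is the strongest single indicator here, since the other items can be leftovers from a partial removal.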
Payload
Displays fake error messages
This threat monitors the Windows event log. Every time an application crashes, it displays a fake error message asking you to call a technical support number.
This threat's config files contain the fake error messages in different languages, including English, German, and Japanese. For example, the following part of the config file contains the Japanese message:
The following is the message it displays in English and German:
Analysis by Francis Tan Seng
Last update 24 March 2017