Home / malware

PDF

Win32/Defmid

First posted on 25 January 2012.
Source: Microsoft

Aliases :

Win32/Defmid is also known as Security Central (other), Antimalware Tool (other), Antivirus Center (other), Antivirus Pro (other), Internet Defender (other), Internet Protection (other), Security Defender 2011 (other), System Defender (other), Trojan.Win32.FakeAV.atuz (Kaspersky), W32/FakeAlert.CJWW (Norman), FakeAV.KKM (AVG), TROJ_FAKEALER.FR (Trend Micro), TR/FakeAV.atuz (Avira), Trojan.FakeAV (Ikarus), Trojan.Downloader.NSIS.FakeAlert.C (BitDefender), FakeAlert.a (McAfee), Security Center (other), Security Defender (other) more.

Explanation :

Rogue:Win32/Defmid is a trojan that mimics security alerts and displays messages requesting the user to purchase the rogue to fix "detected" problems that in actuality don't exist.
Top

Rogue:Win32/Defmid is a fake security scanner that claims to scan for malware and displays fake warnings of malware infections on the compromised computer. Win32/Defmid may brand itself using names such as the following:

• Security Central
• Internet Protection
• Internet Defender 2011
• Security Defender 2011
• System Defender
• Antivirus Center
• Antivirus Pro
• Antivirus Center
• Antimalware Tool

Installation
Rogue:Win32/Defmid consists of a number of different components, and depending on which component is executed, it may exhibit different behavior upon its execution. Some executable components download a DLL component, which contains all of the payload, while others drop the DLL component instead. When executed, they can display a dialog as shown below: When executed, Win32/Defmid creates a folder in the %ProgramFiles% folder with the same name as the brand name, and downloads or drops the DLL file in this location, for instance:

• %ProgramFiles%\System Defender\System Defender.dll

Win32/Defmid also creates a copy of the DLL file in the %AppData% folder using a randomly-generated file name with a AVI file extension, as well as an icon file and a data file with the same names, for example:

• %AppData%\acd7b3b0-0416-47b1-b750-a22630cb6e60_39.avi
• %AppData%\acd7b3b0-0416-47b1-b750-a22630cb6e60_39.ico
• %AppData%\acd7b3b0-0416-47b1-b750-a22630cb6e60_.mkv

A copy of the DLL is also made in the %TEMP% folder using a file name in the format "wrk<random_number>.tmp", for example, "wrk1.tmp". It also creates the following registry modification so that the DLL dropped in the Application Data folder is executed at each Windows start: In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Sets value: "<random name>" With data: "<system folder>\rundll32.exe "%AppData%\<random name>.avi"" Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. For example: In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Sets value: "acd7b3b0-0416-47b1-b750-a22630cb6e60_39" With data: "<system folder>\rundll32.exe "%AppData%\acd7b3b0-0416-47b1-b750-a22630cb6e60_39.avi"" Win32/Defmid also creates a shortcut to "%ProgramFiles%\System Defender\System Defender.dll" on the desktop:

Payload
Displays false/misleading malware alerts When a variant of Rogue:Win32/Defmid is launched, it displays an interface that pretends to scan the system for malware, similar to one of the following: It then displays the following interface claiming that a number of malware infections were detected on the computer: If the user interacts with the interface, Defmid may display the messages below, urging the user to purchase and activate the fake scanner: Win32/Defmid displays a number of dialog boxes periodically, such as those shown below: Win32/Defmid also displays a number of alerts in the system tray periodically, such as below: Win32/Defmid also adds itself to the Windows Security Center as shown below: Win32/Defmid may also periodically display fake warning messages in the user's browser when they are opening a webpage, as shown below: Downloads and executes arbitrary files As described in the Installation section, the downloading component of Rogue:Win32/Defmid contacts a certain domain to download a DLL component. Different versions of the Rogue have been observed to contact domains such as those listed below:

• croll.co.be
• lgehlecen.cz.co
• thmonosh.cz.cc
• cech.cz.cc
• nowlong.cz.cc
• koehnle.cz.cc
• jongworth.cz.cc
• wmogo.cz.cc
• lefoce.cz.cc
• hgecelm.cz.cc

Modifies computer settings Rogue:Win32/Defmid adds itself to the list of applications that are authorized to access the Internet without being stopped by Windows Firewall, by making the following registry modification: In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Sets value: "<system folder>\rundll32.exe" With data: "<system folder>\rundll32.exe*:Enabled:System Defender"

Analysis by Amir Fouda

Last update 25 January 2012

 

TOP