Home / malwarePDF  

Zentom System Guard


First posted on 06 September 2011.
Source: SecurityHome

Aliases :

There are no other names known for Zentom System Guard.

Explanation :

Zentom System Guard is a variant of Rogue:Win32/FakeYak - a family of fake antivirus products that claim to scan for malware and display fake warnings of malicious files. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
Top

Zentom System Guard is a variant of Rogue:Win32/FakeYak - a family of fake antivirus products that claim to scan for malware and display fake warnings of malicious files. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.



Installation

Rogue:Win32/FakeYak may be installed by a dropper file. This file creates a subdirectory in %APPDATA% with a name based on various system properties and places a copy of the malware in that directory. The directory name consists of 32 hexadecimal digits (digits 0-9 and letters a-f). The file name used for the malware is constant for any given dropper file. Examples of file names used include the following:

  • 24ceedefin.exe
  • 45avs87hck.exe
  • 56avmd10100ctrl.exe
  • 67atrbin87ctr.exe
  • STATlavsstr70.exe
  • Tgsrvmdctrl.exe
  • Tk70ccreloc.exe
  • accchainld4.exe
  • agibck70dl.exe
  • akf46poir.exe
  • ans24hexmod.exe
  • ansi70sepmod.exe
  • antihckrdl.exe
  • antrsub700f.exe
  • ap334ssolib.exe
  • app234socklib.exe
  • apsbv446duo.exe
  • arg70techsdk.exe
  • asecpp70.exe
  • asp70vdviss.exe
  • avres10100binclt.exe
  • avsc87hck.exe
  • avsvmdctrl.exe
  • b705mvn0set.exe
  • bagn70dol.exe
  • bin24mvlsr1.exe
  • bnstss700mano.exe
  • cafbine70mps.exe
  • candek700mem.exe
  • cefint46lod.exe
  • dlupdt6kc.exe
  • e124codecset.exe
  • fdebckalias70.exe
  • fghmook70.exe
  • fincap34lb.exe
  • ftbret24lt0.exe
  • gss700optbin.exe
  • hmod70twindl.exe
  • ht124megaurd.exe
  • itt28bgrmod.exe
  • k70ccreloc.exe
  • lavsstr70.exe
  • loc24eetr0.exe
  • mllsic70nb.exe
  • netbac24ss0.exe
  • ost26winnidesk.exe
  • r24upldoc.exe
  • r24upldss1.exe
  • reb700casdll.exe
  • satdll70snn.exe
  • sd727decksp.exe
  • sdd236updnte.exe
  • secureisodll75.exe
  • setui70vir.exe
  • sfmoc700init.exe
  • simc124mods.exe
  • sklnis234slot.exe
  • sock46pch.exe
  • sokdrt700.exe
  • sorttp700.exe
  • tassib700lib.exe
  • teps234uivan.exe
  • teps236bitacc.exe
  • tmpsys26css1.exe
  • tpg46unitlc.exe
  • tprdbl24cc.exe
  • tr700lqqcore.exe
  • trsin24pob.exe
  • tun70uidop.exe
  • ugh24xbitgu.exe
  • ugh26vbitgu.exe
  • ut70mbd0pps.exe
  • vsc87hck.exe
  • vvt705sync0pat.exe
  • vystar24cc0.exe
  • webctldrun.exe
  • y24copslibe.exe
  • zlib31resi.exe


An example install location might be %AppData\b68987eb23713612e50c2474798899d1\mllsic70nb.exe.

The dropper then launches the newly installed malware. This creates the following files in the same directory as itself:

  • enemies-names.txt
  • local.ini
  • lsrslt.ini
  • hookdll.dll


The first three of these files contain messages displayed by the fake scanner, and details of the malware that it supposedly detects.

It creates the following link files in order to place an icon on the desktop, add itself, and an uninstall link to the Start Menu, add itself to Quick Launch, and to add itself to the Startup Menu:

  • %DESKTOPDIRECTORY%\Zentom System Guard.lnk
  • %STARTMENU%\Zentom System Guard.lnk
  • %PROGRAMS%\Zentom System Guard\Zentom System Guard.lnk
  • %PROGRAMS%\Zentom System Guard\Uninstall.lnk
  • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Zentom System Guard.lnk
  • %STARTUP%\Zentom System Guard.lnk


Note: The uninstall link simply launches a copy of the malware without uninstalling it.

The desktop shortcut resembles the following:



It also creates the following registry entry in an attempt to ensure that it runs upon system startup, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <malware filename>
With data: <full path of malware>

For the above example, it would create the following:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "mllsic70nb.exe"
With data: %APPDATA\b68987eb23713612e50c2474798899d1\mllsic70nb.exe

It also stores status and configuration information under the following registry key:

HKCU\Software\Zentom System Guard Inc\Zentom System Guard\



Payload

Displays fake antivirus scanner

When run, the malware performs a fake scan of the system, and falsely claims that a number of files on the system are infected with malware. Should users request that it clean the reported infections, it advises them that they need to pay money to register the program in order for it to do so.







If the user attempts to remove the threats, they are informed that they need to register the product in order to do so.





It displays messages such as the following if the user attempts to ignore the threats or back out of registration.





It may also display dialogs and pop-up such as the following in an attempt to convince the users that their systems are infected.











It may also display a fake Security Center.





If the user clicks any of the links in the above window, it will display its activation dialog box.

Monitors keyboard and mouse events

The hookdll.dll component hooks the keyboard and mouse, which allows it to record keystrokes and mouse clicks.



Analysis by David Wood

Last update 06 September 2011

 

TOP

Malware :