
Rogue:Win32/Rudoct


First posted on 10 September 2010.
Source: SecurityHome

Aliases :

Rogue:Win32/Rudoct is also known as Sus/Behav-1021 (Sophos), PC Defender (other).

Explanation :

Rogue:Win32/Rudoct is a rogue scanner that imitates an antivirus program and displays misleading alerts in an attempt to coax the affected user to purchase it.

Special Note:
Reports of rogue antivirus programs have become more prevalent of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:

  • Microsoft Security Essentials
  • Windows Defender
  • Windows Live safety scanner
  • For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Installation

Rogue:Win32/Rudoct may be installed by other malware such as a trojan downloader. The rogue may be installed silently or without user intervention, and may display as a newly installed program in the 'All Programs' menu on the Start menu. In the wild, we have observed one sample displaying an icon resembling Adobe Flash, as in the following example:

Rogue:Win32/Rudoct may be present as the following files:
  • %ProgramFiles%\Def Group\PC Defender\pcdef.exe - detected as Rogue:Win32/Rudoct
  • %ProgramFiles%\Def Group\PC Defender\proccheck.exe - detected as Trojan:Win32/Emuni.A
  • %ProgramFiles%\Def Group\PC Defender\prockill32.exe - detected as Trojan:Win32/Emuni.A
  • %ProgramFiles%\Def Group\PC Defender\prockill64.exe - detected as Trojan:Win32/Emuni.A
  • %ProgramFiles%\Def Group\PC Defender\rundelay.exe - detected as VirTool:Win32/Prolonc.A
  • %ProgramFiles%\Def Group\PC Defender\uninstall.bat

The components "prockill32.exe" and "prockill64.exe" are used by the rogue to terminate certain processes that may run on 32-bit and 64-bit versions of Windows. The component "rundelay.exe" functions as a timer to restart the computer so the rogue will run at the next Windows start. The component is run with the following parameters:

  %ProgramFiles%\Def Group\PC Defender\rundelay.exe "shutdown -r -t 0" 1

Rogue:Win32/Rudoct makes the following registry modifications to ensure its execution at each Windows start:

  Sets value: "PC Defender"
  With data: "%ProgramFiles%\Def Group\PC Defender\pcdef.exe"
  To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  Sets value: "Userinit"
  With data: "C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Def Group\PC Defender\pcdef.exe""
  To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Payload

Displays fake alerts and fake scan results

When the rogue executes, it simulates scanning the local drive. Rogue:Win32/Rudoct displays fake alerts. The rogue periodically displays alerts from the system tray. On occasion, Rogue:Win32/Rudoct simulates a blue screen stop error, and may display an error message such as the following:

  "The exception unknown software exception (0x00000029) occurred in the application at location 0x6bd6e"

The rogue restarts the computer periodically. At random intervals, the rogue may display an image containing adult content with a fake alert of detected malware, such as the following examples:

Lowers security settings

The rogue also makes the following registry modifications in order to lower Windows security settings:

  Sets value: "EnableLUA"
  With data: "00, 00, 00, 00"
  To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

  Sets value: "AntiVirusDisableNotify"
  With data: "01, 00, 00, 00"
  To subkey: HKLM\SOFTWARE\Microsoft\Security Center

  Sets value: "AntiVirusOverride"
  With data: "01, 00, 00, 00"
  To subkey: HKLM\SOFTWARE\Microsoft\Security Center
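The registry entries listed above (the Run value, the Userinit entry, and the three lowered security settings) are the indicators that survive a reboot and can be checked from a registry export collected during triage. The Python below is an added example and is not part of the original write-up or of any Microsoft tool: it parses a registry export in regedit's .reg text format and reports each of those indicators. The .reg samples are constructed for the example, and the Userinit check is generalized beyond this rogue to flag any command that has been appended after userinit.exe.

```python
"""Triage a .reg export for the Rogue:Win32/Rudoct persistence entries and
lowered security settings described in the write-up (added example)."""
import re
from typing import Dict, List, Tuple

# Registry locations named in the write-up, spelled the way regedit exports them.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SECCENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"

# (key, value name, DWORD the rogue writes): UAC switched off, AV warnings silenced.
WEAKENED_SETTINGS: List[Tuple[str, str, int]] = [
    (POLICIES_KEY, "EnableLUA", 0),
    (SECCENTER_KEY, "AntiVirusDisableNotify", 1),
    (SECCENTER_KEY, "AntiVirusOverride", 1),
]

# Install directory fragment from the write-up (compared case-insensitively).
ROGUE_DIR = "\\def group\\pc defender\\"

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, Tuple[str, object]]]:
    """Parse the .reg subset needed here: [key] headers, "name"="string" and
    "name"=dword:hex. Keys and value names are stored lower-cased because the
    registry is case-insensitive; the original value name is kept alongside."""
    keys: Dict[str, Dict[str, Tuple[str, object]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, rhs = _unescape(m.group(1)), m.group(2)
        if rhs.startswith("dword:"):
            data: object = int(rhs[len("dword:"):], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            data = _unescape(rhs[1:-1])
        else:
            data = rhs  # hex:/expand: values are kept raw; not needed here
        keys[current][name.lower()] = (name, data)
    return keys


def find_indicators(keys: Dict[str, Dict[str, Tuple[str, object]]]) -> List[str]:
    findings: List[str] = []
    # 1. Run-key autostart pointing into the rogue's directory or at pcdef.exe.
    for name, data in keys.get(RUN_KEY.lower(), {}).values():
        if isinstance(data, str) and (ROGUE_DIR in data.lower() or "pcdef.exe" in data.lower()):
            findings.append(f'Run value "{name}" launches {data}')
    # 2. Userinit hijack: anything beyond userinit.exe itself is suspect.
    entry = keys.get(WINLOGON_KEY.lower(), {}).get("userinit")
    if entry is not None and isinstance(entry[1], str):
        commands = [c.strip().strip('"') for c in entry[1].split(",") if c.strip()]
        extra = [c for c in commands if not c.lower().endswith("\\userinit.exe")]
        if extra:
            findings.append("Winlogon Userinit carries extra command(s): " + "; ".join(extra))
    # 3. Security settings set to the values the rogue writes.
    for key, value, tampered in WEAKENED_SETTINGS:
        entry = keys.get(key.lower(), {}).get(value.lower())
        if entry is not None and entry[1] == tampered:
            findings.append(f"{value} = {tampered} under {key}")
    return findings


def triage(reg_text: str) -> List[str]:
    return find_indicators(parse_reg(reg_text))


# Constructed .reg export of an infected host, shaped after the write-up's entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Defender"="C:\\Program Files\\Def Group\\PC Defender\\pcdef.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,\"C:\\Program Files\\Def Group\\PC Defender\\pcdef.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
'''

# Constructed .reg export of a clean host, for comparison.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

Run against the infected sample it reports five findings (the Run value, the appended Userinit command, and the three lowered settings); the clean sample produces none. On a live host, the Run and Userinit checks apply unchanged to a `reg export` of those keys, and the Userinit rule is worth keeping as a standing check because other persistence techniques append to that value in the same way.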

Analysis by Patrick Nolan

Last update 10 September 2010
