Name:

Fraudtool.MSRemovalTools

Added:

April 14, 2011

Type:

Fraudtool

Risk:

Low

Payload:

N/A

At risk systems:

Windows 95/98/ME/XP/NT/2003

Description:

When Fraudtool.MSRemovalTools is executed, it prompt a user to download a BestAntivirus.exe file.  If this file is ran, it will install a Scareware application called MS Removal Tools. 

The rogueware will do the following:

It will drop the files

%ALLUSERSPROFILE%\[random characters]\[random characters].exe (the file name and folder name will be the same)

Example:
- %ALLUSERSPROFILE%\GT24800mDiOi05500\GT24800mDiOi05500.exe
- %ALLUSERSPROFILE%\gij24500mDiOi004556\gij24500mDiOi004556.exe
- %ALLUSERSPROFILE%\dffv45vc00mDiOi896520\dffv45vc00mDiOi896520.exe
- %ALLUSERSPROFILE%\dFg24500mDiOi24500\dFg24500mDiOi24500.exe


%temp%\tmp[random single digit character].tmp

Example:
- %temp%\tmp4.tmp
- %temp%\tmp0.tmp
- %temp%\tmp8.tmp

It will also create/modify the following key:

HKU\Software\Microsoft\Windows\CurrentVersion\RunOnce
[random characters]= "%ALLUSERSPROFILE%\[random characters]\ [random characters].exe" (the file name and folder name will be the same)

Example:
HKU\Software\Microsoft\Windows\CurrentVersion\RunOnce
GT24800mDiOi05500="%ALLUSERSPROFILE%\GT24800mDiOi05500\GT24800mDiOi05500.exe"

HKU\Software\Microsoft\Windows\CurrentVersion\RunOnce
gij24500mDiOi004556=" %ALLUSERSPROFILE%\gij24500mDiOi004556\gij24500mDiOi004556.exe"

Below are a few samples screenshots of the installed MS Security Tools: