Developers of the Rogues Virus Doctor and My Supervisor accidentally gave us a toy to play with

Sometimes when analyzing a new malware you run into something that is just fun to play with. Last night I had this opportunity with two new rogues called Virus Doctor and My Supervisor, both being from the same developer. At another site, a member named Remixed tipped me off to a program called Virus Doctor that could be a new rogue. After visiting the link, examining the web page, and looking up info on the registrar I decided to fire up the executable and see if the program actually classified as a rogue or not. After installing Virus Doctor, I noticed that though it looked like a rogue, it was not showing any false positives when scanning my test computer. Digging deeper I found some URLs embedded in the executable that allowed me to download what appears to be a development version of the program. When I say Development version it means that the normal skin for this program has been replaced with one that contains extra buttons that allow us to trigger events that would normally have been shown randomly. The events that it allowed me to trigger were ads for another rogue program, displaying fake security alerts, and to display nag screens.

Having access to a dev version of a rogue software provides a bit of insight into how the developers are trying to scam the infected users. When a legitimate anti-malware program finds a security problem, it too may display an alert to notify you. On the other hand, we have always known that rogues issue these alerts randomly and without valid information behind them. Having a dev version of a rogue that allows us to trigger these events just validates that the developers are attempting to do one thing and only one thing; scam the infected user into thinking they should purchase their software. They do this by hard coding scary messages about infections, keyloggers, and spam. These messages contain variables that the program can change each time the nag screen or alert is shown so that it looks a bit more authentic. The fact that the programs has buttons to trigger these events means that the events are not being displayed based upon a specific criteria of the machine it is running on, but rather what the developers pre-coded it to display.

Embedded below is an video showing the development versions of both Virus Doctor and My Supervisor. My Supervisor is explained in more detail after the video.



As you may have noticed from the video, one of the buttons on the Virus Doctor dev screen was labeled Promo. When pressing this button the program displayed a pop-up that displayed an advertisement for another program created by the same developers called My Supervisor. If you click on the button in this pop-up, Virus Doctor will download and install My Supervisor. My Supervisor is another rogue program that is packaged as a system optimization suite. When the program is installed it will create a variety of services such as an autoruns manager, a service manager, disk doctor, registry repair, and privacy guard. Just like Virus Doctor, this program will display a variety of false results in order to have you purchase the program. This version of the program is a dev version as well, which further enabled us to trigger various events in the program.

Though having these development versions of the rogues does not necessarily tell us anything we do not already know, it does shed some light into the development process for rogue software and how they deliberately attempt to trick their users. I hope you enjoyed this article and the video as much as I enjoyed writing it. If you are infected with either of these programs, then please use the removal guide below:

My Supervisor is the most professional-looking rogue I have ever seen. The pop-ups look more professional than AntiVirus 2009's.

Why do rogue developers put alert buttons all over a developer version? Are they used to test any alerts? What would happen if you pressed "Google"?

LloydT:

I'm not exaclty a programmer, but I'm guessing that they put it there so that they can test it by executing it manually instead of having it execute automatically (of course, this is purely a guess). If I understand things right from what I know of programming, it's just as simple just to delete the button and make a slight modification to the code to have it automatically execute after a load command (such as the "onLevelLoaded" command in Torque Script).

.....actually, what the heck am I saying? I'm not a programmer.....so I'll shut up right here.

But still.......it's kind of funny to see the dev version of that rogue program

And now I'll shut up.

Edited by scff249, 03 February 2009 - 07:46 PM.

Sometimes I wonder why these buggy programs even get put out. I know it's malware.. but seriously. That kind of shoddy work is great for us... but still, somtimes I wonder what malware authors are thinking.

Billy3

They are sloppy, end of story. We found the urls before they were ready to go live and didn't expect people to get their executables yet.

Oh certainly I enjoyed this Grinler, thank you!

Great article Grinler!!!
thanks....