
BitNefender Fake Antivirus



#1 T3chN0manc3r


Posted 01 January 2014 - 06:31 PM

Hey guys. I am not looking for any assistance with the removal, and was unsure of where to post for this particular issue, but I was working on a customer's machine earlier today, and they had a fake antivirus masquerading as BitNefender. Weirdest thing is though... unlike most fake AV's it didn't pop anything up on the screen and lock you down. I was unable to snag samples of this infection, but I did manage to clean the computer. This thing dumped like 16 different malicious .exe's into the syswow64 directory, and on top of that it seems to continuously reproduce itself in the %appdata% directory. By the time I got to the machine there were already 40+ directories with random names, and each directory had a randomly named .exe inside it. Multiple .exe's in some cases. Apparently it came with some Bootkit too, but by the time I got to the case a previous tech had already pulled the bootkit so unable to ID whether it was something tied directly to its processes or if it was just something separate. In this particular situation, there was also a bad install.exe in the root of C:\, but I don't think that was related to the infection, that was likely from something else on top of it. There were runkeys in the typical location (HKLM > Software > Microsoft > Windows > CurrentVersion > Run) (HKLM > Software > Microsoft > WindowsNT > CurrentVersion > Winlogon) (HKCU > Software > Microsoft > Windows > CurrentVersion > Run)

After pulling all of the registry keys and rebooting the machine I was able to remove the infection completely, as it no longer had any processes running. I don't really know how to reverse engineer and I suck at grabbing droppers, but I have a pretty good grasp on removing malware. Has anyone else seen this thing? My regular sites don't have a thing, and all Google brings up is BitDefender & their forums. Let me know if I posted in the wrong section guys, but would appreciate some feedback.
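
The persistence pattern described in the post above, checked with a read-only PowerShell triage script. This is an added example, not part of the original post; the path heuristic (autostart data pointing into AppData or SysWOW64) and the signature count are assumptions chosen for illustration, and it needs PowerShell 3.0 or later.

```powershell
# Added triage example (not from the original post). Read-only: it lists, it never deletes.

# The three autostart locations named in the post.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Assumption: autostart data that points into AppData or SysWOW64 deserves a manual look.
$suspectPath = [regex]::Escape($env:APPDATA) + '|\\SysWOW64\\'

$autostartHits = foreach ($key in $autostartKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        # GetValue expands REG_EXPAND_SZ data, so %APPDATA% style paths also match.
        $data = [string]$item.GetValue($name)
        if ($data -match $suspectPath) {
            [pscustomobject]@{ Key = $key; Value = $name; Data = $data }
        }
    }
}

# Directories directly under %APPDATA% that hold .exe files at their top level,
# matching the "random directory, random .exe inside" layout from the post.
$dirHits = Get-ChildItem -Path $env:APPDATA -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exes = @(Get-ChildItem -Path $_.FullName -Filter *.exe -File -Force -ErrorAction SilentlyContinue)
        if ($exes.Count -gt 0) {
            $signed = @($exes | Where-Object {
                (Get-AuthenticodeSignature -FilePath $_.FullName).Status -eq 'Valid'
            }).Count
            [pscustomobject]@{
                Directory = $_.FullName
                Created   = $_.CreationTime
                ExeCount  = $exes.Count
                Signed    = $signed
            }
        }
    }

$autostartHits | Format-Table -AutoSize -Wrap
# Sorting by creation time makes a burst of newly dropped directories stand out.
$dirHits | Sort-Object Created | Format-Table -AutoSize
```

Legitimate software also installs executables under AppData, so the output is a review list rather than a verdict; clusters of unsigned files in directories created close together are the part worth comparing against the autostart hits.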


