A new tech support scam has been discovered that shows a fake BSOD, or Blue Screen of Death, on the infected computer and then displays an application that pretends to be a Troubleshooter for Windows. This Troubleshooter will then state that your computer cannot be fixed, blocks you from using Windows, and prompts you to purchase a program using PayPal to fix the "detected problems" and unlock the screen.
This scam was discovered by Malwarebytes security researcher Djordje Lukic being distributed as a cracked software installer. Instead of giving access to a copyrighted program, though, it installs a tech support scam on the computer. This tech support scam is a bit different than most others I have seen because it uploads screenshots, doesn't rely on people calling a listed number, and uses PayPal for payments.
When the installer is run, it will download various executables from the site hitechnovation.com and save them in various folders. It will then configure one of these files as a Windows service so that it automatically starts, and modify some Registry entries to disable various hotkeys.
The files that are downloaded are:
Once the files are downloaded, the BSOD.exe program will display a fake BSOD on the desktop that states there is a problem with the system32.dll file and will begin to play an annoying beeping sound over and over.
The Troubleshoot.exe program will then launch and display a window called Troubleshooting Windows. This program pretends to be a Windows troubleshooter that states that the computer is missing ".dll registry files" and prompts you to begin troubleshooting the computer.
When you proceed with the fake troubleshooting, it will pretend to perform a scan that states it is not able to fix the detected problems.
It then prompts you to either contact support using an included chat program or purchase "Windows Defender Essentials" using PayPal. When I tested the live chat support, there was no response.
The Buy Windows Defender Essentials option, though, will open a PayPal page where they request you purchase the program for $25. The page that is opened is for the email@example.com PayPal account and uses this URL:
If a user makes the payment they will be redirected to http://hitechnovation.com/thankyou.txt, which contains the string "thankuhitechnovation". When the program detects this specific string, it opens a new screen that pretends to fix the problems and allows you to close the program.
As you can see, this is clearly a screen locker designed to trick people into paying $25 to "fix" the so-called problems and remove the program. The use of PayPal as the method of payment is a bit strange, though, as it makes it easier to track down the developers and for victims to dispute the charges.
On a good note, the method this program uses to unlock the screen and remove the program can be easily tricked, which will be discussed in the next section.
In order to determine if a victim has made a payment via PayPal, the tech support scam will check to see if a page it has opened contains the string "thankuhitechnovation". If it does, it will pretend that the problems are fixed and then allow you to close the program.
The way the developers intended this to work is that a victim makes a PayPal payment, and when successful, they are redirected to a page under their control that contains the above string and then triggers the shutdown phase of the scam.
Thankfully, as this form simply embeds a web browser, we can use it to trick the program and get it to shut down simply by navigating to any web page that contains the required string.
To do this, when at the PayPal purchase screen, simply use the Ctrl+O keyboard combination to open a dialog box that asks you what page you want to open as shown below.
Now enter the page http://hitechnovation.com/thankyou.txt, or any other page that just contains the string thankuhitechnovation and the program will think the victim paid and shut itself down.
Another nasty feature of this tech support scam is that it will generate a screenshot of the victim's active screen and upload it to an FTP server at 188.8.131.52 using hard-coded credentials.
It is not known what this screenshot may be used for, but could be for blackmail depending on what was on the screen, identity theft, or for detecting security researchers.
Correction 11/30/17: I attributed the discovery of this malware to the wrong person. It was originally discovered by Djordje Lukic.
http://hitechnovation.com/Extra/Downloads/BSOD.exe
http://hitechnovation.com/Extra/Downloads/csrvc.exe
http://hitechnovation.com/Extra/Downloads/adwizz.exe
http://hitechnovation.com/Extra/Downloads/Troubleshoot.exe
http://hitechnovation.com/extra/downloads/scshtrv.exe
http://hitechnovation.com/Extra/Downloads/Windows%20Chat%20Support.exe
http://hitechnovation.com/thankyou.txt
http://hitechnovation.com/Downloads/DList.txt
http://freegeoip.net/xml
ftp://184.108.40.206

%Temp%\csrvc\BSOD.exe
%Temp%\csrvc\csrvc.exe
%Temp%\csrvc\csrvc.InstallLog
%Temp%\csrvc\csrvc.InstallState
%Temp%\csrvc\scshtrv.exe
%Temp%\csrvc\Troubleshoot.exe
C:\Program Files\adwizz\adwizz.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adwizz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\csrvc
HKLM\SYSTEM\CurrentControlSet\services\csrvc
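As an added example (not code from the article, Malwarebytes, or the scam itself), the following Python routine matches constructed Sysmon-style event records against the indicators listed above: the download host, the FTP screenshot server, the dropped executables and their %Temp%\csrvc folder, and the persistence Registry keys. The event field names and sample records are assumptions made for illustration; only the indicator values come from the article.

```python
# Added example: triage constructed endpoint events against the article's IoCs.
import re

# Indicator values taken from the article's IoC lists.
DOWNLOAD_HOST = "hitechnovation.com"
FTP_HOSTS = {"188.8.131.52", "184.108.40.206"}  # both addresses appear in the article
DROP_DIR_RE = re.compile(r"\\Temp\\csrvc\\", re.IGNORECASE)  # resolved %Temp%\csrvc\
DROPPED_FILES = {"bsod.exe", "csrvc.exe", "scshtrv.exe", "troubleshoot.exe", "adwizz.exe"}
REGISTRY_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adwizz",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\csrvc",
    r"HKLM\SYSTEM\CurrentControlSet\services\csrvc",
}


def match_event(event: dict) -> list:
    """Return the indicator names an event matches (empty list if clean)."""
    hits = []
    kind = event.get("type")
    if kind == "network":
        # Download of the scam components, or the screenshot upload target.
        if event.get("dest_host", "").lower().endswith(DOWNLOAD_HOST):
            hits.append("download_host")
        if event.get("dest_ip") in FTP_HOSTS:
            hits.append("ftp_screenshot_host")
    elif kind == "process":
        # Execution from the drop folder or of one of the dropped file names.
        image = event.get("image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        if DROP_DIR_RE.search(image) or name in DROPPED_FILES:
            hits.append("dropped_executable")
    elif kind == "registry":
        # Service registration / uninstall entries the installer creates.
        if event.get("key", "") in REGISTRY_KEYS:
            hits.append("persistence_registry_key")
    return hits


def triage(events):
    """Return (event, hits) pairs for the events that matched an indicator."""
    return [(e, h) for e in events if (h := match_event(e))]


# Constructed sample events (hypothetical field layout, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "network", "dest_host": "hitechnovation.com", "dest_ip": "203.0.113.10"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\csrvc\BSOD.exe"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\services\csrvc"},
    {"type": "network", "dest_host": "", "dest_ip": "188.8.131.52"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe"},
]
```

Running triage(SAMPLE_EVENTS) flags the first four records and leaves the notepad.exe launch alone; the same routine can be pointed at exported Sysmon or EDR events once the field names are mapped.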
Your computer is missing .dll registry files resulting in computer failure. The operating system is not able to load windows kernel files. Repair windows kernel and .dll files with the help of technicians online to prevent hard drive crash or complete data loss. Rebooting the computer multiple times will result in permanent operating system failure. Click Next to diagnose and troubleshoot the problem.
"A problem has been detected and Windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: SYSTEM32.DLL PAGE_FAULT_IN_NONPAGED_AREA If this is the first time you've seen this stop error screen, echo restart your computer. If this screen appears again, follow these steps: Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need. If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode. Technical information: *** STOP: 0x00000050 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000) *** SYSTEM32.DLL - Address FBFE7617 base at FBFE5000, DateStamp 3d6dd67c"