ThreatFire Research Blog Home
 
 
« Readability
Snaps, Crackle, Pops or Get Your Wheatys »

Another round of rogueware

Today, we are seeing a surge in the level of ridiculous and badly written delphi malware. It’s not a part of the zlob family that we wrote about last week, but there certainly is a fakealert somewhere in there. Can you find it?:

If you haven’t heard, and apparently some of our readers haven’t, in the course of trying to run videos on your system, you may be prompted to install what is really a phony video codec. One seems to be all the rage today and was at the very end of February, prompting the user to download and run “setup_axplugin.exe”.

This setup file may have a cute avi file icon once it is downloaded, as though it is going to install an appropriate piece of software to display that wholesome video you’re trying to view:

Setup_axplugin.exe drops and runs “sysockeu.exe” and a handful other files, which copies out “mywallpaper.bmp” and reconfigures your system and desktop to display the bitmap file, along with its bad grammar and mispellings that you saw in the first screenshot above:

“WARNING! YOU’RE IN DANGER! YOUR COMPUTER IN INFECTED WITH SPYWARE!”
In turn, these guys are attempting to convince the user to install and pay for what we have been calling Vundo, another piece of “Rogueware”. It’s a trojan that doesn’t really clean up much of anything. From what we could tell, our clean lab systems that displayed this stuff weren’t really putting us in much danger at all.

This entry was posted on Monday, March 10th, 2008 at 6:43 pm and is filed under Rogueware. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “Another round of rogueware”

  1. Disk4mat says:
    March 13, 2008 at 1:28 am

    I come across the ‘phony video codec’ a couple times a day. Mostly from adult web sites.

Leave a Reply

Click here to cancel reply.
 

  • Blog Archive

    • March 2010
    • February 2010
    • January 2010
    • December 2009
    • November 2009
    • October 2009
    • September 2009
    • August 2009
    • July 2009
    • June 2009
    • May 2009
    • April 2009
    • March 2009
    • February 2009
    • January 2009
    • December 2008
    • November 2008
    • October 2008
    • September 2008
    • August 2008
    • July 2008
    • June 2008
    • May 2008
    • April 2008
    • March 2008
    • February 2008
    • January 2008
    • December 2007
    • November 2007
    • October 2007
    • September 2007
    • August 2007

  • Search This Blog

  • RSS Subscribe Now

    • FBI IC3 2009 Report
    • FakeAv Antivirus XP 2010
    • Troyak-AS De-peered for Good?

  • Categories

  • About ThreatFire

    ThreatFire™, features innovative real-time behavioral protection technology that provides powerful standalone protection or the perfect complement to traditional signature-based antivirus programs.

    ThreatFire's patent-pending ActiveDefense™ technology offers unsurpassed protection against both known and unknown zero-day viruses, worms, trojans, rootkits, buffer overflows, spyware, adware and other malware.

    Learn more...

  • Blogroll

    • A.M. Infosec
    • AV-Comparatives
    • iAntivirus
    • Mind Streams of Information Security Knowledge
    • Symantec Security Response
    • Tech Thoughts
    • ThreatExpert

  • Links

    • AMTSO
    • AV-Test
    • ICSA Labs
    • PC Tools
    • PC Tools is on Facebook
    • Reconstructer
    • ThreatExpert
    • ThreatFire
    • Uninformed
    • Virus Bulletin
 
Subscribe to:
Posts (Atom) 		Entries (RSS) and Comments (RSS).