Last week’s Bredolab post generally described the ongoing downloader’s email blasts and the malicious injector/downloader’s static and dynamic characteristics. Here are a few more screenshots of the moneymaker payload. This payload currently is the rogueware/scareware “PC AntiSpyware 2010″, which also has been distributed in a number of other ways over the past few months.

First off, users are prompted with the all-too-familiar, inaccurate and scary taskbar balloon “Your Computer is Infected! Windows has detected spyware infection!”.

The software then pops an attractive dialog, appearing to scan the drive and find infections. So far in this screenshot it incorrectly reported 34 infections on our clean lab machine:

Even on our clean lab system, the user is also prompted with a series of phony malware detections. This one appears to be “Email-Worm.JS.Gigger”, which they claim can “reformat the user’s hard disk after reboot”:

A registration page will eventually pop up, which redirects the user to a page to register the software for a “Lifetime Software License – 89.95 USD One Time Charge“.

The home page for the site includes a set of supposed “Testimanials” and a list of award logos that they have never achieved:

This site’s installer, “installer2.exe”, is served up from a site hosted in London:
uliondarvasoka.com
216.86.144.130

As warned in the previous post, always be suspicious of attachments that arrive via email, software being delivered from web sites that don’t seem to be trustworthy, and add a behavioral layer of protection to your system.

This entry was posted on Tuesday, September 1st, 2009 at 9:21 am and is filed under Bredolab, Social Engineering, Spam, Undetected malware. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.