Win32/FakeSpyguard is a rogue security program that falsely claims that the affected machine is infected with malware. It may also attempt to imitate the Microsoft Windows Security Center.
Installation
Win32/FakeSpyguard may be downloaded and installed by a component that displays a window similar to the following example:
This component copies itself to %COMMONAPPDATA%\winlogon.exe and sets a registry entry to run it at each system start:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: CTEMON.EXE
Data: “"%COMMONAPPDATA%\winlogon.exe" /h”
It also writes the following harmless file:
- %COMMONAPPDATA%\Microsoft\Protect\track.sys
It downloads the main trojan installer from a URL such as http://getsgd3.com/<censored>?track_id=10004
It saves this file locally with a name such as:
- %COMMONAPPDATA%\Microsoft\Protect\svhost.exe
It may also download another trojan called Trojan:Win32/Boolwark.A from a URL such as http://getsgd3.com/<censored>?track_id=10004
It saves this with a name such as:
- %COMMONAPPDATA%\Microsoft\Protect\svhost2.exe
The main installer (“svhost.exe”) creates the following files:
<system folder>\winscenter.exe
%PROGRAMFILES%\Spyware Guard 2008\vbase.vdb
%PROGRAMFILES%\Spyware Guard 2008\uninstall.exe
%PROGRAMFILES%\Spyware Guard 2008\spywareguard.exe
%PROGRAMFILES%\Spyware Guard 2008\quarantine.vdb
%PROGRAMFILES%\Spyware Guard 2008\mbase.vdb
%PROGRAMFILES%\Spyware Guard 2008\conf.cfg
%COMMONAPPDATA%\Microsoft\Internet Explorer\DLLs\moduleie.dll
%COMMONAPPDATA%\Microsoft\Internet Explorer\DLLs\<random>.dll (e.g. mnmdzcthds.dll)
%COMMONAPPDATA%\Microsoft\Internet Explorer\DLLs\ieModule.dll
%COMMONAPPDATA%\Microsoft\Internet Explorer\DLLs\c.cgm
%PROGRAMS%\Spyware Guard 2008\Uninstall.lnk
%PROGRAMS%\Spyware Guard 2008\Spyware Guard 2008.lnk
%DESKTOPDIRECTORY%\Spyware Guard 2008.lnk
It sets the following registry values so that the Windows shell (explorer.exe) loads two of the dropped DLLs automatically at each Windows start. A ShellServiceObjectDelayLoad value only names a CLSID; the DLL that is actually loaded is the one registered under that CLSID's InprocServer32 key:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value: ieModule
Data: “{<random CLSID>}” e.g. “{06DCFC69-990A-4D9D-9401-01DD19B66DBA}”
Key: HKCR\CLSID\{06DCFC69-990A-4D9D-9401-01DD19B66DBA}\InprocServer32
Value: (Default)
Data: “%COMMONAPPDATA%\Microsoft\Internet Explorer\DLLs\ieModule.dll”
Key: HKCR\CLSID\{06DCFC69-990A-4D9D-9401-01DD19B66DBA}\InprocServer32
Value: ThreadingModel
Data: “Apartment”
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value: InternetConnection
Data: “{<random CLSID>}” e.g. “{4ADEA908-E098-4032-826E-C4300CDA3A1C}”
Key: HKCR\CLSID\{4ADEA908-E098-4032-826E-C4300CDA3A1C}\InprocServer32
Value: (Default)
Data: “%COMMONAPPDATA%\Microsoft\Internet Explorer\DLLs\<random>.dll” (e.g. mnmdzcthds.dll)
Key: HKCR\CLSID\{4ADEA908-E098-4032-826E-C4300CDA3A1C}\InprocServer32
Value: ThreadingModel
Data: “Apartment”
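The persistence above is indirect: the ShellServiceObjectDelayLoad (SSODL) value points at a CLSID, and the DLL path lives under HKCR\CLSID\{...}\InprocServer32, so a triage script has to join the two keys to see what explorer.exe will load. The following Python is an added example, not part of this analysis or of any Microsoft tool. It works offline on a regedit-style export (the kind produced by `regedit /e`), resolves every SSODL entry to its server DLL, and flags entries whose DLL is outside the Windows directory or whose CLSID does not resolve at all. The embedded export is constructed from the two values listed above plus one illustrative benign entry; the trusted-prefix list (`C:\WINDOWS\`) and the literal expansion of %COMMONAPPDATA% are assumptions for an XP-era host.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) entries from a regedit export and flag
entries whose COM server DLL does not live under the Windows directory."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample export (not a real capture): the two FakeSpyguard SSODL entries
# from the writeup plus one illustrative benign entry, in "regedit /e" syntax.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"ieModule"="{06DCFC69-990A-4D9D-9401-01DD19B66DBA}"
"InternetConnection"="{4ADEA908-E098-4032-826E-C4300CDA3A1C}"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{06DCFC69-990A-4D9D-9401-01DD19B66DBA}\InprocServer32]
@="C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Internet Explorer\\DLLs\\ieModule.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{4ADEA908-E098-4032-826E-C4300CDA3A1C}\InprocServer32]
@="C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Internet Explorer\\DLLs\\mnmdzcthds.dll"
"ThreadingModel"="Apartment"
"""

SSODL_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad"
# Assumption: a stock XP-style install; anything loaded from outside %SystemRoot% is worth a look.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\",)

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data  or  @=data  (the default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit export into {lowercased key path: {value name: data}}.
    Only REG_SZ data is unescaped; hex:/dword: data is kept as the raw text and
    multi-line hex continuations are not joined (enough for SSODL/CLSID triage)."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()          # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def resolve_ssodl(reg: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each SSODL value name to (CLSID, InprocServer32 default) ; None if the CLSID is unregistered."""
    out: Dict[str, Tuple[str, Optional[str]]] = {}
    for name, clsid in reg.get(SSODL_KEY.lower(), {}).items():
        server_key = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32").lower()
        out[name] = (clsid, reg.get(server_key, {}).get("@"))
    return out


def suspicious_ssodl(reg: Dict[str, Dict[str, str]],
                     trusted: Tuple[str, ...] = TRUSTED_DLL_PREFIXES
                     ) -> List[Tuple[str, str, Optional[str], str]]:
    """Return (name, CLSID, dll_path, reason) for every SSODL entry that deserves attention."""
    findings = []
    for name, (clsid, dll) in resolve_ssodl(reg).items():
        if dll is None:
            findings.append((name, clsid, None, "CLSID has no InprocServer32 (dangling entry)"))
        elif not dll.lower().startswith(trusted):
            findings.append((name, clsid, dll, "server DLL outside the Windows directory"))
    return findings


if __name__ == "__main__":
    for name, clsid, dll, why in suspicious_ssodl(parse_reg(SAMPLE_REG)):
        print(f"[!] SSODL {name} -> {clsid} -> {dll}: {why}")
```

On the constructed sample this reports ieModule and InternetConnection and stays quiet about the entry that resolves into system32. When applied to a real export, expect REG_EXPAND_SZ paths (hex(2): data) and %SystemRoot% references that this parser does not expand; those need to be decoded before the prefix check is meaningful.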
It also adds an uninstall entry:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008
Value: DisplayName
Data: Spyware Guard 2008
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008
Value: UninstallString
Data: “%PROGRAMFILES%\Spyware Guard 2008\uninstall.exe”
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Guard 2008
Value: InstallDate
Data: “61159522430” (for example)
It also creates several “junk” files, e.g.:
C:\WINDOWS\spoolsystem.exe
C:\WINDOWS\sys.com
C:\WINDOWS\syscert.exe
C:\WINDOWS\sysexplorer.exe
C:\WINDOWS\vmreg.dll
C:\WINDOWS\reged.exe
These are not valid EXE or DLL files. They contain markers that the trojan's "scanner" uses to find them and report them as malware; the files themselves are harmless.
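A quick way to confirm that files like these are not real executables, whatever a rogue scanner says about them, is to check whether they carry a well-formed PE header. The Python below is an added example, not part of this analysis: it checks for the `MZ` DOS stub, reads the `e_lfanew` offset at 0x3C and verifies the `PE\0\0` signature there. The sample bytes are constructed inline (a minimal synthetic PE header and a stand-in for a planted junk file); the marker text inside the junk sample is made up for illustration and is not the trojan's real marker.

```python
"""Distinguish real PE executables from planted 'junk' files by validating the PE header."""
import struct
from typing import Dict

# Constructed samples (not bytes taken from the trojan).
# A minimal synthetic PE header: MZ stub, e_lfanew -> 0x40, "PE\0\0" at 0x40.
REAL_PE = bytearray(0x44)
REAL_PE[0:2] = b"MZ"
REAL_PE[0x3C:0x40] = struct.pack("<I", 0x40)
REAL_PE[0x40:0x44] = b"PE\0\0"

# A stand-in for something like C:\WINDOWS\syscert.exe: plain text with an invented marker,
# no MZ stub at all, so Windows would never load it as an executable.
JUNK_FILE = b"FAKE-MARKER-0001 this file exists only to be 'detected'\r\n"

# A file that starts with MZ but whose e_lfanew points past the end of the file.
TRUNCATED = bytes(REAL_PE[:0x40])


def is_pe(data: bytes) -> bool:
    """True only if data has an MZ stub and a PE signature at the offset e_lfanew names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False                       # header points outside the file
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(files: Dict[str, bytes]) -> Dict[str, str]:
    """Label each (name, content) pair as 'pe' or 'not-pe'."""
    return {name: ("pe" if is_pe(content) else "not-pe") for name, content in files.items()}


if __name__ == "__main__":
    # Names mirror the writeup's junk-file list but the contents are synthetic.
    verdicts = classify({
        "spoolsystem.exe": bytes(REAL_PE),
        "syscert.exe": JUNK_FILE,
        "sys.com": TRUNCATED,
    })
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
```

A file that fails this check cannot have been executed or loaded as a DLL by Windows, which is the point when a "security product" insists such files are active infections; on a live host, point `classify` at the real paths listed above after reading them in binary mode.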
Finally, the trojan runs spywareguard.exe, its main GUI:
This component creates a registry entry so that it is also run at each Windows start:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: spywareguard
Data: “%PROGRAMFILES%\Spyware Guard 2008\spywareguard.exe”
It also creates this file:
- %PROGRAMFILES%\Spyware Guard 2008\queue.vdb
which is a log of all the files it has “scanned”.
The trojan regularly displays false warnings of malware infection:
When Internet Explorer is launched it may display the following:
The trojan installer also launches <system folder>\winscenter.exe, which displays the following:
It may also display pop-ups such as the following:
Analysis by Hamish O'Dea and Patrick Nolan