
Rogue:Win32/Defru


Microsoft security software detects and removes this threat.

This rogue security software sends your browser to a fake website that pretends to scan your PC for malware and reports many infections. The website says you have to pay before it can fully clean your PC.

However, it hasn't detected any malware at all and isn't an antivirus or antimalware scanner. It only looks like one so that you will send money to the people who made the rogue. The website uses product names and logos that unlawfully impersonate Microsoft products.

Even if you do pay, nothing is cleaned, because your PC was never infected with the malware it "found".

Find out ways that malware can get on your PC.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

The rogue copies itself to the %APPDATA% folder with a filename in the format w1ndows_<four characters>.exe, for example w1ndows_33a0.exe.

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "w1ndows_<four characters>", for example "w1ndows_33a0.exe"
With data: "<path and filename of the malware>", for example "%APPDATA%\w1ndows_33a0.exe"

Upon installation, the rogue contacts the remote server at pcdefender.co.vu (82.146.48.21), which replies with a simple "OK" to confirm that the connection is working.
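The two installation artifacts described above (the %APPDATA% copy and the Run value) can be checked offline from a registry export. The following Python is an added example for this entry, not Microsoft's tooling: it parses the text produced by `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (the .reg format, in which a backslash escapes the following character inside quoted strings) and flags Run values whose name or target executable matches the w1ndows_<four characters>.exe naming. The sample export is constructed; the account name alice and the OneDrive entry are made up, and the pattern assumes the four characters are alphanumeric, as in the page's example 33a0.

```python
import re

# Constructed sample of what `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`
# produces: one legitimate autorun and one Defru-style autorun. Account name and paths are made up.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"w1ndows_33a0.exe"="C:\\Users\\alice\\AppData\\Roaming\\w1ndows_33a0.exe"
'''

# "name"=data lines; the name itself may contain escaped quotes.
REG_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# w1ndows_<four characters>, optionally with .exe (the page's example value name carries it).
# Assumption: the four characters are alphanumeric, as in the page's example 33a0.
DEFRU_NAME = re.compile(r'^w1ndows_[0-9a-z]{4}(\.exe)?$', re.IGNORECASE)
# First *.exe file name in a command line, with or without surrounding quotes.
EXE_BASENAME = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)


def _unescape(s):
    # Undo .reg string escaping: a backslash escapes the character that follows it.
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_key(reg_text):
    """Return {value_name: data} for values under a ...\\CurrentVersion\\Run key."""
    values = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            in_run_key = line.lower().endswith('\\currentversion\\run]')
            continue
        match = REG_VALUE_LINE.match(line) if in_run_key else None
        if not match:
            continue
        name = _unescape(match.group(1))
        data = match.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])   # REG_SZ; other types (hex:, dword:) are kept raw
        values[name] = data
    return values


def find_defru_autoruns(values):
    """Return [(value_name, data, reason)] for Run entries that match Defru's naming."""
    hits = []
    for name, data in values.items():
        exe = EXE_BASENAME.search(data)
        basename = exe.group(1) if exe else ''
        if DEFRU_NAME.match(name):
            hits.append((name, data, 'value name matches w1ndows_<four characters>'))
        elif DEFRU_NAME.match(basename):
            hits.append((name, data, 'autorun target %s matches w1ndows_<four characters>.exe' % basename))
    return hits


def load_reg_export(path):
    """reg.exe writes exports as UTF-16 LE with a BOM; Python's utf-16 codec consumes the BOM."""
    with open(path, encoding='utf-16') as fh:
        return fh.read()


if __name__ == '__main__':
    for name, data, reason in find_defru_autoruns(parse_run_key(SAMPLE_REG_EXPORT)):
        print('SUSPICIOUS Run value %r -> %r (%s)' % (name, data, reason))
```

On a live machine, pair the Run value check with a look for the file itself in %APPDATA%; the Run value alone is only a pointer, and removing it without deleting the executable leaves the rogue on disk.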

Payload

Redirects your browser

The rogue modifies your hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) so that the websites you try to visit resolve to the address of a specific fake website, pcdefender.co.vu, instead of their real servers. This website is often used in social engineering by fake antivirus malware.

For example, if you try to go to www.bing.com you are shown the fake scanner page, while the address bar still displays the URL for Bing. The hijack happens at name resolution rather than through an HTTP redirect, so the browser believes it is talking to Bing. Sites reached over HTTPS would instead produce a certificate error, because the rogue's server cannot present a valid certificate for the hijacked name.

The fake scanner will claim that one of the following files is infected:

  • AWCODC32.DLL
  • BANANA.ANI
  • BATCH.EXE
  • COMCTL31.DLL
  • D40_MS.SPD
  • DBLSPACE.BAT
  • DC2250P1.SPD
  • DCIMAN32.DLL
  • DCLPS401.SPD
  • DECPSMW4.DLL
  • E21K3.SYS
  • ELNK3.DOS
  • FONTVIEW.EXE
  • FREECELL.CNT
  • GRPCONV.EXE
  • HP1200C.ICM
  • HPIII522.SPD
  • HPJDUND.HLP

It will also say that it has detected the following malware (these are all fake):

  • Adware.Win32.Look2me
  • JS/TrojanDownloader.FraudLoad.NAQ
  • Magic DVD Ripper
  • Trojan Horse IRC
  • Trojan virtumonde
  • Trojan.Fakealert
  • Trojan.Qoologic - Key Logger
  • TrojanDownloader:JS/Renos
  • Trojan-PSW.Win32

The website promises a system clean, access to webpages, daily updates, and access to "Windows Security" and "Windows Defender", as in the following figure:


You will be redirected to this page constantly as you browse the Internet. Only specific websites are affected; the list of websites known to be redirected is given under Additional information.

If you click "Pay Now", you are taken to a payment portal called "Payeer" (payeer.com) that displays payment information. The payment is linked to galafinance.com, a website that displayed a "Temporary busy" message during analysis and has since gone offline.

Additional information

The following are the websites whose names the rogue hijacks in the hosts file so that they lead to its fake page. Note that the list includes microsoft.com, most major antivirus vendors and virustotal.com, which prevents you from reaching legitimate help and removal tools while the rogue is running:

  • 101.ru
  • 1tv.ru
  • 2gis.ru
  • 3dnews.ru
  • 4pda.ru
  • accounts.google.com
  • adme.ru
  • admitad.com
  • afisha.mail.ru
  • afisha.ru
  • aif.ru
  • ajax.googleapis.com
  • aliexpress.com
  • allbest.ru
  • anidub.com
  • anonym.to
  • apple.com
  • ask.fm
  • astromeridian.ru
  • auto.ria.com
  • auto.ru
  • auto.yandex.ru
  • avast.com
  • avast.ru
  • avg.com
  • avia.ria.com
  • avira.com
  • avito.ru
  • baby.ru
  • babyblog.ru
  • badoo.com
  • banki.ru
  • baskino.com
  • battle.net
  • battlefield.com
  • bestkino.su
  • bigcinema.tv
  • bing.com
  • bitdefender.com
  • blizko.ru
  • bolshoyvopros.ru
  • bonprix.ru
  • bonprix.ua
  • brb.to
  • career.ru
  • championat.com
  • cityadspix.com
  • clamav.net
  • clamwin.com
  • clip2net.com
  • cloudantivirus.com
  • cnews.ru
  • comodo.com
  • comss.ru
  • coub.com
  • depositfiles.com
  • deti.mail.ru
  • dfiles.com
  • dfiles.ru
  • directadvert.ru
  • dmir.ru
  • dni.ru
  • dojki.com
  • dom.ria.com
  • dom2.ru
  • dota2.ru
  • drive.ru
  • drive2.ru
  • drom.ru
  • drweb.com
  • drweb.ru
  • dr-web.su
  • drweb.ua
  • e1.ru
  • eldorado.ru
  • enter.ru
  • eratransfers.ru
  • eset.ua
  • esetnod32.ru
  • evernote.com
  • ex.ua
  • expert.ru
  • facebook.com
  • farpost.ru
  • fastpic.ru
  • fast-torrent.ru
  • fb.com
  • filehippo.com
  • filmix.net
  • fishki.net
  • fl.ru
  • flickr.com
  • f-lite.ru
  • fontanka.ru
  • fonts.googleapis.com
  • footballhd.ru
  • forex-mmcis.com
  • forum.kaspersky.com
  • forumhouse.ru
  • fotki.yandex.ru
  • fotostrana.ru
  • f-prot.com
  • free.avg.com
  • free-av.com
  • fuxio.net
  • galafinance.com
  • games.mail.ru
  • gazeta.ru
  • get-tune.net
  • gi-akademie.com
  • gidonlinekino.com
  • go.mail.ru
  • google.am
  • google.com
  • google.com.ua
  • google.kz
  • google.ru
  • googleusercontent.com
  • habrahabr.ru
  • hdkinoteatr.com
  • heroeswm.ru
  • hh.ru
  • home.webalta.ru
  • images.yandex.ru
  • imhonet.ru
  • infox.sg
  • inosmi.ru
  • instagram.com
  • iplayer.fm
  • irecommend.ru
  • irr.ru
  • itar-tass.com
  • ivi.ru
  • izvestia.ru
  • jimdo.com
  • job.ru
  • justclick.ru
  • kakprosto.ru
  • kaspersky.com
  • kaspersky.ru
  • kinogo.net
  • kinokrad.net
  • kinopoisk.ru
  • kinozal.tv
  • kommersant.ru
  • kp.ru
  • labirint.ru
  • lady.mail.ru
  • lenta.ru
  • letitbit.net
  • lice-mer.ru
  • lifenews.ru
  • list.ru
  • litmir.net
  • live.ru
  • liveinternet.ru
  • livejournal.com
  • livejournal.ru
  • liveresult.ru
  • livetv.sx
  • livetv.tv
  • lostfilm.tv
  • loveplanet.ru
  • m24.ru
  • mail.google.com
  • mail.ru
  • mamba.ru
  • market.yandex.ru
  • marketgid.ru
  • mcafee.com
  • mediafort.ru
  • meganovosti.net
  • megogo.net
  • microsoft.com
  • minigames.mail.ru
  • mir24.tv
  • mirtesen.ru
  • mk.ru
  • mos.ru
  • moskva.fm
  • msn.com
  • music.yandex.ru
  • muzofon.com
  • mvideo.ru
  • my.mail.ru
  • my-hit.org
  • myvi.ru
  • nanoav.ru
  • neobux.com
  • new-rutor.org
  • news.sportbox.ru
  • news.yandex.ru
  • ngs.ru
  • nn.ru
  • norton.com
  • nova.rambler.ru
  • novayagazeta.ru
  • ntv.ru
  • odnoklassniki.ru
  • ojooo.com
  • ok.ru
  • onclickads.net
  • onlainfilm.ucoz.ua
  • orpoisk.ru
  • otvet.mail.ru
  • otzovik.ru
  • overclockers.ru
  • ovg.cc
  • ozon.ru
  • pandasecurity.com
  • pikabu.ru
  • pinterest.com
  • planeta-online.tv
  • playcast.ru
  • playground.ru
  • poiskm.ru
  • politikus.ru
  • popmog.com
  • pornhub.com
  • pornolab.net
  • pornoload.com
  • pravda.ru
  • prntscr.com
  • profit-partner.ru
  • prostoporno.net
  • r0.ru
  • rabota.ru
  • radikal.ru
  • railnation.ru
  • rambler.ru
  • rbc.ru
  • realty.mail.ru
  • reddit.com
  • redtube.com
  • regnum.ru
  • retre.org
  • rg.ru
  • ria.com
  • ria.ru
  • roem.ru
  • rosbalt.ru
  • rp5.ru
  • rt.com
  • rt.ru
  • ru.clamwin.com
  • ru.msn.com
  • ru.norton.com
  • rugion.ru
  • ruhelp.com
  • rusnovosti.ru
  • rusplt.ru
  • russia.rt.com
  • russia.tv
  • russianfood.com
  • russianpost.ru
  • rusvesna.su
  • rutor.org
  • rutracker.org
  • rutube.ru
  • rzd.ru
  • savefrom.net
  • sbnlife.com
  • search.qip.ru
  • searchengines.guru
  • searchengines.ru
  • seosprint.net
  • sergey-mavrodi.com
  • skladchik.com
  • smotri.com
  • snob.ru
  • soccer.ru
  • sophos.com
  • sovsport.ru
  • sportbox.ru
  • sport-express.ru
  • sprashivai.ru
  • sputnik.ru
  • srclick.ru
  • sru
  • start.qip.ru
  • start.webalta.ru
  • steamcommunity.com
  • steampowered.com
  • stoloto.ru
  • store.steampowered.com
  • subscribe.ru
  • superjob.ru
  • surfingbird.ru
  • svpressa.ru
  • svyaznoy.ru
  • symantec.com
  • t.co
  • t.ru.msn.com
  • tankionline.com
  • tfile.me
  • thepiratebay.se
  • tiu.ru
  • tjournal.ru
  • tnt-online.ru
  • topwar.ru
  • torrentino.com
  • translate.ru
  • tube8.com
  • tumblr.com
  • turbobit.net
  • tutu.ru
  • tv.yandex.ru
  • tvzavr.ru
  • twitter.com
  • ulmart.ru
  • userapi.com
  • utro.ru
  • vedomosti.ru
  • vesti.ru
  • vezuha.me
  • video.yandex.ru
  • vimeo.com
  • viruslab.ru
  • virustotal.com
  • vk.com
  • vk.me
  • vube.com
  • warthunder.ru
  • webalta.ru
  • wildberries.ru
  • wmmail.ru
  • wooman.ru
  • workle.ru
  • worldoftanks.ru
  • xhamster.com
  • xnxx.com
  • xvideos.com
  • ya.ru
  • yadi.sk
  • yahoo.com
  • yandex.com
  • yandex.net
  • yandex.ru
  • yandex.ua
  • yaplakal.com
  • yota.ru
  • youporn.com
  • youtube.com
  • zaycev.net
  • zillya.ua
  • zona.ru
  • zoomby.ru
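The hosts-file hijack described under "Redirects your browser", and the list above, can be triaged from a copy of the file. The following Python is an added example for this entry, not Microsoft's code. It parses a hosts file, groups mappings by address, and flags an address when it is the Defru server named in the Installation section, when one public address collects many hostnames, or when any security vendor site is redirected at all; it then produces a cleaned copy with only the offending lines removed. The sample hosts file is constructed and borrows a few domains from the list above; the set of security vendor domains is a subset of that list.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file. The real one lives at %SystemRoot%\System32\drivers\etc\hosts.
# The hijacked names are a handful taken from the list above; the address is the one named
# in the Installation section. dev.local is a made-up legitimate override.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1       dev.local   # legitimate local override
82.146.48.21 bing.com www.bing.com
82.146.48.21 google.com www.google.com accounts.google.com
82.146.48.21 kaspersky.com drweb.com avast.com
82.146.48.21 virustotal.com
"""

# Security vendor and Microsoft domains taken from the list above: redirecting these
# keeps the victim from downloading a real scanner.
SECURITY_DOMAINS = {
    'microsoft.com', 'kaspersky.com', 'drweb.com', 'avast.com', 'avg.com', 'avira.com',
    'eset.ua', 'esetnod32.ru', 'bitdefender.com', 'symantec.com', 'norton.com',
    'mcafee.com', 'sophos.com', 'pandasecurity.com', 'comodo.com', 'clamav.net',
    'virustotal.com', 'f-prot.com', 'zillya.ua', 'nanoav.ru',
}
KNOWN_BAD_IPS = frozenset({'82.146.48.21'})   # pcdefender.co.vu, from the Installation section


def parse_hosts(text):
    """Return [(lineno, ip, [hostnames])] for each active mapping line; comments are ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split('#', 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                        # not a mapping line
        entries.append((lineno, fields[0], [h.lower().rstrip('.') for h in fields[1:]]))
    return entries


def _is_security_site(host):
    return any(host == d or host.endswith('.' + d) for d in SECURITY_DOMAINS)


def find_hijacks(entries, min_hosts=3, known_bad_ips=KNOWN_BAD_IPS):
    """Group mappings by address and return {ip: {'hostnames': [...], 'reasons': [...]}}
    for addresses that look like a hosts-file hijack. Loopback and 0.0.0.0 entries are normal."""
    by_ip = defaultdict(list)
    for _, ip, hosts in entries:
        by_ip[ip].extend(hosts)
    flagged = {}
    for ip, hosts in by_ip.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        unique = sorted(set(hosts))
        reasons = []
        if ip in known_bad_ips:
            reasons.append('known Defru redirect address')
        if addr.is_global and len(unique) >= min_hosts:
            reasons.append('%d hostnames mapped to one public address' % len(unique))
        redirected = [h for h in unique if _is_security_site(h)]
        if redirected:
            reasons.append('security vendor sites redirected: ' + ', '.join(redirected))
        if reasons:
            flagged[ip] = {'hostnames': unique, 'reasons': reasons}
    return flagged


def clean_hosts(text, bad_ips):
    """Drop only the mapping lines that point at a flagged address; keep every other line intact."""
    kept = []
    for raw in text.splitlines(keepends=True):
        fields = raw.split('#', 1)[0].split()
        if fields and fields[0] in bad_ips:
            continue
        kept.append(raw)
    return ''.join(kept)


if __name__ == '__main__':
    hijacks = find_hijacks(parse_hosts(SAMPLE_HOSTS))
    for ip, info in hijacks.items():
        print(ip, '->', len(info['hostnames']), 'hostnames;', '; '.join(info['reasons']))
    print(clean_hosts(SAMPLE_HOSTS, set(hijacks)))
```

Remove the Run value and stop the w1ndows_<four characters>.exe process before writing the cleaned file back, since the rogue rewrites the hosts file each time it starts; then run `ipconfig /flushdns` so the resolver cache no longer holds the hijacked answers.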

The rogue is written in PHP and packaged as a Windows executable with the Bambalam PHP EXE compiler.

Analysis by Daniel Chipiristeanu


Symptoms

The following could indicate that you have this threat on your PC:

  • You see the fake pcdefender.co.vu scanner page instead of the website you typed, while the address bar still shows the original URL
  • A file named w1ndows_<four characters>.exe, for example w1ndows_33a0.exe, in your %APPDATA% folder
  • A matching value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Entries in your hosts file that map the websites listed under Additional information to 82.146.48.21


Prevention


Alert level: Severe
First detected by definition: 1.179.2328.0
Latest detected by definition: 1.187.680.0 and higher
First detected on: Aug 06, 2014
This entry was first published on: Aug 06, 2014
This entry was updated on: Aug 18, 2014

This threat is also detected as:
No known aliases