BlueFlare Antivirus is a variant of Win32/FakeScanti - a family of trojans that claim to scan for malware and display fake warnings of "malicious programs and viruses". It then tells the user that they need to pay money to register the software in order to remove these non-existent threats. The malware may also attempt to terminate processes and block access to websites.
Installation
This trojan drops the following files:
- %AppData%\BlueFlare Antivirus\BlueFlare Antivirus.exe - copy of itself
- <startup folder>\csrss.exe - monitors whether the malware files are running, and replaces and re-executes the copies if they are not
- %AppData%\BlueFlare Antivirus\csrss.exe - copy of itself
- %AppData%\BlueFlare Antivirus\ms.conf - contains status information
- %AppData%\BlueFlare Antivirus\Blueflare Antivirus.ico - an icon file
- <start menu>\BlueFlare Antivirus\BlueFlare Antivirus.lnk - shortcut file to the main executable
- <Desktop folder>\BlueFlare Antivirus.lnk
Note: <Start Menu> refers to a variable location that is determined by the malware by querying the Operating System. The default location for the 'Start Menu' folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu'.
The shortcut link may look like the following:

Payload
Downloads and executes arbitrary files
This trojan may connect to websites such as the following:
- system-reports.com
- s-internals.com
- secure-validation.com
- cc-chargeonline.com
- ccbill-online.com
It may download an additional BHO (Browser Helper Object) component from these sites, which may also be detected as Rogue:Win32/FakeScanti. The downloaded file may be saved as the following:
- %AppData%\BlueFlare Antivirus\sbr32.dll
It may also download other files. In the wild, one known downloaded file is detected as Backdoor:Win32/Cycbot.B. The downloaded file is saved as a file in the Windows Temporary Files folder with a random file name.
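As an added example that is not part of this write-up, the following Python sweep matches a constructed host file listing and constructed DNS-server log lines against the indicators given above: the dropped-file paths from the Installation section and the contact domains from this section. The log line format, the sample paths and the rule that a csrss.exe belongs only under \Windows\System32 (or the WinSxS store) are assumptions made for the example.

```python
"""IoC sweep for the indicators on this page (added example, not the
original analysis).  Inputs are constructed samples embedded below."""
import re
from typing import Iterable

# Dropped files, as case-insensitive path suffixes.  %AppData%, <startup
# folder> and <start menu> differ per user and Windows version, so we match
# the tail of each path rather than an absolute location.
FILE_INDICATORS = {
    "\\blueflare antivirus\\blueflare antivirus.exe": "main executable",
    "\\blueflare antivirus\\csrss.exe": "copy of itself under a system-process name",
    "\\blueflare antivirus\\ms.conf": "status file",
    "\\blueflare antivirus\\blueflare antivirus.ico": "icon file",
    "\\blueflare antivirus\\sbr32.dll": "downloaded BHO component",
    "\\blueflare antivirus.lnk": "shortcut to the main executable",
}

# The watchdog copy is dropped into the Startup folder as csrss.exe.  The
# genuine csrss.exe is a Windows system binary; assumption for this example:
# it is legitimate only under System32 (or the WinSxS component store).
LEGIT_CSRSS_DIRS = ("\\windows\\system32\\", "\\windows\\winsxs\\")

# Contact domains listed on the page.
CONTACT_DOMAINS = [
    "system-reports.com", "s-internals.com", "secure-validation.com",
    "cc-chargeonline.com", "ccbill-online.com",
]


def check_paths(paths: Iterable[str]) -> list[tuple[str, str]]:
    """Return (path, reason) for every path that matches an indicator."""
    hits = []
    for path in paths:
        low = path.lower().replace("/", "\\")
        for suffix, reason in FILE_INDICATORS.items():
            if low.endswith(suffix):
                hits.append((path, reason))
                break
        else:
            # Any csrss.exe outside its expected system location, e.g. the
            # Startup-folder watchdog described in the Installation section.
            if low.endswith("\\csrss.exe") and not any(d in low for d in LEGIT_CSRSS_DIRS):
                hits.append((path, "csrss.exe outside its system location"))
    return hits


# Assumed BIND-style query log line; adapt the regex to your resolver's format.
DNS_QUERY_RE = re.compile(r"query:\s+(?P<name>[A-Za-z0-9.-]+)")


def check_dns_log(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (queried_name, matched_domain) for queries to a contact domain
    or any subdomain of one."""
    hits = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        for domain in CONTACT_DOMAINS:
            if name == domain or name.endswith("." + domain):
                hits.append((name, domain))
                break
    return hits


# Constructed sample data for a stand-alone run.
SAMPLE_PATHS = [
    r"C:\Windows\System32\csrss.exe",
    r"C:\Users\alice\AppData\Roaming\BlueFlare Antivirus\BlueFlare Antivirus.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe",
    r"C:\Users\alice\AppData\Roaming\BlueFlare Antivirus\sbr32.dll",
    r"C:\Users\alice\Desktop\BlueFlare Antivirus.lnk",
    r"C:\Program Files\Notepad++\notepad++.exe",
]
SAMPLE_DNS_LOG = [
    "client 10.0.0.5#51234: query: www.example.com IN A",
    "client 10.0.0.5#51240: query: secure-validation.com IN A",
    "client 10.0.0.7#50001: query: update.ccbill-online.com IN A",
]

if __name__ == "__main__":
    for path, reason in check_paths(SAMPLE_PATHS):
        print(f"FILE  {path}  ({reason})")
    for name, domain in check_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS   {name}  -> {domain}")
```

Matching on path suffixes keeps the check independent of the per-user and per-OS locations the page describes; the separate csrss.exe rule catches the Startup-folder watchdog even on a host where the BlueFlare directory has already been cleaned.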
Terminates processes
This trojan monitors running processes and attempts to terminate any process unless its file name contains one of the following substrings:
- *.tmp
- csrss.exe
- DllHost.exe
- IEUser.exe
- iexplore.exe
- mst.exe
- SearchProtocolHost.exe
- server.exe
- spooler.exe
- un_inst.exe
- winlogon.exe
It displays a system tray popup similar to the following:

Note that the downloaded malware is not terminated, as its file name has a .tmp extension.
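As an added example (not from the original analysis), the following Python models the allowlist above so an analyst can see, for a constructed process listing, which processes the trojan's rule would leave alone and which it would kill. Treating `*.tmp` as a filename wildcard, case-insensitive matching, and the sample process names are assumptions.

```python
"""Model of the process-termination allowlist described above (added
example, not the original analysis).  Nothing here touches real processes;
it only classifies names so the effect on a host can be reasoned about."""
from fnmatch import fnmatch

# Entries as published on the page.  The text says a process survives when
# its file name contains one of these substrings; matching is taken to be
# case-insensitive (assumption).
SPARED_SUBSTRINGS = [
    "csrss.exe", "DllHost.exe", "IEUser.exe", "iexplore.exe", "mst.exe",
    "SearchProtocolHost.exe", "server.exe", "spooler.exe", "un_inst.exe",
    "winlogon.exe",
]
# '*.tmp' is the one entry written as a wildcard, so it is treated as a
# filename pattern (assumption); this is what lets the downloaded payload,
# saved under a .tmp name, survive.
SPARED_PATTERNS = ["*.tmp"]


def is_spared(process_name: str) -> bool:
    """True if the trojan's rule would leave this process running."""
    name = process_name.lower()
    if any(sub.lower() in name for sub in SPARED_SUBSTRINGS):
        return True
    return any(fnmatch(name, pat) for pat in SPARED_PATTERNS)


def triage(process_names):
    """Split a process listing into (spared, would_be_terminated)."""
    spared, terminated = [], []
    for name in process_names:
        (spared if is_spared(name) else terminated).append(name)
    return spared, terminated


# Constructed listing resembling a client with an AV engine and a few tools.
SAMPLE_PROCESSES = [
    "csrss.exe", "winlogon.exe", "explorer.exe", "MsMpEng.exe",
    "iexplore.exe", "procexp.exe", "tmp1a2b.tmp", "DllHost.exe",
]

if __name__ == "__main__":
    spared, terminated = triage(SAMPLE_PROCESSES)
    print("left running   :", ", ".join(spared))
    print("would be killed:", ", ".join(terminated))
```

Because the rule is a substring match, the list is broader than it looks (any name containing "server.exe" survives) while the shell and most security tooling fall outside it; running triage() over a known-good baseline for a host shows which expected processes an infection would leave missing, which is a useful triage signal on its own.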
Displays fake antivirus scanner
When run, the trojan performs a fake scan of the system, and falsely claims that a number of files in the computer are infected with malware. Should users request that it clean the reported infections, it advises them that they need to pay money to register the program and perform the cleaning process.

It displays various windows, system tray popups, and error messages in an attempt to convince the user that their system is infected, and that they should pay to register the fake software. In some cases it greys out the background in an attempt to simulate a UAC message.

It may also simulate a system crash by displaying error messages such as the following:

Restarts the computer
This trojan occasionally restarts the computer. This may be an attempt to convince the user that the computer is infected with malware.
Blocks access to websites
This trojan may display the following error message in Internet Explorer and randomly block access to websites that the user is attempting to visit. This dialog is displayed to convince the user that the site they are visiting is malicious and that they need to take a recommended action of the attacker's choice in order to be protected:

Analysis by David Wood