Archive for November, 2009

Nov 09

SystemFighter Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the SystemFighter adware. a-squared Anti-Malware detects this malware as Adware.Win32.SystemFighter.

SystemFighter is a rogue scanner program: it shows a fake security center window, misleading scan results and fake security alerts. The author of SystemFighter also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemVeteran, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldierSoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc., so it has the same user interface and the same characteristics, just a different name. To further convince victims, SystemFighter also creates numerous junk files with random names on your computer; these are detected as malware when the program scans your computer, but it will not let you remove them until you purchase it.

Creates new files:

  • %ProgramFiles%\SystemFighter Software\SystemFighter\SystemFighter.exe
  • %ProgramFiles%\SystemFighter Software\SystemFighter\Uninstall.exe
  • %UserProfile%\Cookies\user@systemfighter[1].txt
  • %UserProfile%\Desktop\SystemFighter.lnk
  • %UserProfile%\Start Menu\Programs\SystemFighter.lnk

Creates new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SystemFighter
  • HKEY_LOCAL_MACHINE\software\SystemFighter
  • HKEY_CURRENT_USER\software\SystemFighter
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “SystemFighter”

Screenshots:

How to remove the infection of Adware.Win32.SystemFighter?

To remove this infection, download and install a-squared Anti-Malware, run a full scan on all drives and move all detected items to quarantine.

Nov 09

SystemVeteran Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the SystemVeteran adware. a-squared Anti-Malware detects this malware as Adware.Win32.SystemVeteran.

SystemVeteran is a rogue scanner program: it shows a fake security center window, misleading scan results and fake security alerts. The author of SystemVeteran also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, BlockProtector, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldierSoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc., so it has the same user interface and the same characteristics, just a different name. To further convince victims, SystemVeteran also creates numerous junk files with random names on your computer; these are detected as malware when the program scans your computer, but it will not let you remove them until you purchase it.

Creates new files:

  • %ProgramFiles%\SystemVeteran Software\SystemVeteran\SystemVeteran.exe
  • %ProgramFiles%\SystemVeteran Software\SystemVeteran\Uninstall.exe
  • %UserProfile%\Desktop\SystemVeteran.lnk
  • %UserProfile%\Start Menu\Programs\SystemVeteran.lnk

Creates new registry entries:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SystemVeteran
  • HKEY_LOCAL_MACHINE\software\SystemVeteran
  • HKEY_CURRENT_USER\software\SystemVeteran
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “SystemVeteran”

Screenshots:

How to remove the infection of Adware.Win32.SystemVeteran?

To remove this infection, download and install a-squared Anti-Malware, run a full scan on all drives and move all detected items to quarantine.

Nov 07

Bebloh/URLZone Trojan Removal Instructions

Some time ago we wrote about Zeus/Zbot, which is widespread and able to steal personal user data such as bank account details. Now a piece of malware with even more sophisticated capabilities has been found.

a-squared Anti-Malware identifies this malware as Bebloh (Trojan.Win32.Bebloh). Bebloh is also known as URLZone, Runner, Netty, Bredavi, Bredolab, Zalup or Kissderfrom, as seen in the VirusTotal scan results below.

This trojan kit not only steals important personal data but also takes money from the user's account directly from the victim's computer. As widely reported, many European banks have been affected by this malware, especially in Germany. Just like Zeus/Zbot, Bebloh needs a configuration file that tells the bot how much money to steal and to which account it should be sent. The configuration file is created with the URLZone Builder and placed on the Command and Control (C&C) server, from where the bot downloads it.

Once active on the victim's computer, the trojan contacts the C&C server to download the latest version. In one of the samples we had, the trojan contacted the C&C server at hxxp://kissfromde.cn (visiting this web site may harm your computer).

The downloaded file is placed in the System32 directory under a random name:

The executable file of this trojan is packed/encrypted. The encryption algorithm is quite simple, as you can see here where the trojan decrypts its body:

It opens the mutex "P0R9W05BLK8" to check whether it is already present on the victim machine:

The bot then hooks several APIs in the wininet.dll module to monitor internet activity. When the user logs on to his bank account, the trojan steals the login data, such as the username and password. When the user performs a transaction, the transaction data is manipulated by the thief before it reaches the bank server: the destination account and the amount of money to be sent are changed. To avoid raising suspicion, the trojan also manipulates the displayed account information and transaction history, making it look as if the transaction completed as intended.

With an anti-rootkit tool such as RootkitUnhooker we can see the hooked APIs:

This malware does not allow the user to run any browser other than Internet Explorer. If the user launches one of the following browsers, Bebloh runs Internet Explorer instead:

  • Chrome
  • Safari
  • Opera
  • Netscape Navigator

It achieves this by creating the following registry entries:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe

As shown in the picture below, the trojan modified the registry so that starting these browsers always ends up in Internet Explorer.

So how does this trojan become active when Windows starts? It creates the following registry entries, registering itself as the Debugger for userinit.exe, so when Windows runs userinit.exe at logon it runs the trojan file instead.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\Debugger, %trojanfilename%
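A defender-side check for the two Image File Execution Options tricks described above (the browser redirection keys and the userinit.exe Debugger hook), which also flags the autostart Run-key values listed in the rogue-scanner posts on this page. This is an added example, not Emsisoft's tooling: it parses a text export produced by `reg export` offline and reports the indicators, so it can be run against a hive exported from a suspect machine. The sample export embedded below is constructed to mirror the keys named in the write-ups; the trojan file name is a placeholder, because the real sample uses a random name in System32. Continuation lines of long `hex:` values are not handled, and a real `.reg` export must be decoded from UTF-16LE before being passed in.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export` file (Windows Registry Editor 5.00 format).
# The trojan path is a PLACEHOLDER; the other keys mirror the ones named on the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"Debugger"="C:\\Program Files\\Internet Explorer\\iexplore.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
"Debugger"="C:\\WINDOWS\\system32\\PLACEHOLDER_TROJAN.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemFighter"="C:\\Program Files\\SystemFighter Software\\SystemFighter\\SystemFighter.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Lower-cased key fragments used for matching (registry paths are case-insensitive).
IFEO_MARKER = '\\microsoft\\windows nt\\currentversion\\image file execution options\\'
RUN_MARKER = '\\microsoft\\windows\\currentversion\\run'

# Rogue scanner names taken from the removal posts on this page.
ROGUE_RUN_NAMES = {
    'systemfighter', 'systemveteran', 'blockprotector', 'blockkeeper',
    'blockscanner', 'blockwatcher', 'softstronghold', 'shieldsafeness',
    'softveteran', 'trustfighter', 'trustsoldier', 'safefighter', 'secureveteran',
}


def _unescape(raw: str) -> str:
    """Decode a quoted .reg string (\\\\ -> \\, \\" -> "); other value types stay raw."""
    if not (len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'):
        return raw  # dword:, hex:, ... are left exactly as written
    body, out, i = raw[1:-1], [], 0
    while i < len(body):
        if body[i] == '\\' and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return ''.join(out)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] to its {value name: value}; '' is the (Default) value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor') or line.startswith(';'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1))
            keys[current][name] = _unescape(m.group(2))
    return keys


def find_ifeo_debuggers(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (image name, Debugger target) for every IFEO subkey carrying a Debugger value."""
    hits = []
    for key, values in reg.items():
        if IFEO_MARKER not in key.lower():
            continue
        debugger = next((v for n, v in values.items() if n.lower() == 'debugger'), None)
        if debugger is not None:
            hits.append((key.rsplit('\\', 1)[-1], debugger))
    return hits


def find_rogue_run_entries(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (value name, command) for Run-key values named after a known rogue scanner."""
    hits = []
    for key, values in reg.items():
        if not key.lower().endswith(RUN_MARKER):
            continue
        for name, value in values.items():
            stem = name.lower()
            if stem.endswith('.exe'):
                stem = stem[:-4]
            if stem in ROGUE_RUN_NAMES:
                hits.append((name, value))
    return hits


def scan_report(text: str) -> List[str]:
    """One human-readable finding per indicator found in the export."""
    reg = parse_reg_export(text)
    lines = []
    for image, debugger in find_ifeo_debuggers(reg):
        if image.lower() == 'userinit.exe':
            why = 'logon persistence: the Debugger target runs in place of userinit.exe at every logon'
        else:
            why = 'image hijack: launching %s starts the Debugger target instead' % image
        lines.append('IFEO %s -> %s (%s)' % (image, debugger, why))
    for name, path in find_rogue_run_entries(reg):
        lines.append('Run value %r -> %s (known rogue scanner name)' % (name, path))
    return lines


if __name__ == '__main__':
    for finding in scan_report(SAMPLE_REG):
        print(finding)
```

Any Debugger value under Image File Execution Options deserves a look, since on an end-user machine there is rarely a legitimate reason for one; the notepad.exe key in the sample carries only GlobalFlag and is correctly ignored. To check a live machine, export the two parent keys with `reg export` and feed the decoded text to `scan_report`.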

The user also cannot see the malware's process in Task Manager because it hides itself: the trojan enumerates running processes to find "csrss.exe" and then injects its code into that process.

How do I prevent the infection of this Trojan?

Always update a-squared Anti-Malware with the latest definitions. The Intrusion Detection System (IDS) of a-squared Anti-Malware can also catch this malware when it performs an unwanted action. As you can see in the screenshot below, the IDS gives an alert when we try to log in to banking.postbank.de on a machine infected with this trojan, even for new variants that may not yet have signatures in the database.

How to remove the infection of Trojan.Win32.Bebloh?

To remove this infection, download and install a-squared Anti-Malware, run a full scan on all drives and move all detected items to quarantine.

Nov 06

BlockProtector Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the BlockProtector adware. a-squared Anti-Malware detects this malware as Adware.Win32.BlockProtector.

BlockProtector is a rogue scanner program: it shows a fake security center window, misleading scan results and fake security alerts. The author of BlockProtector also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockKeeper, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldierSoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc., so it has the same user interface and the same characteristics, just a different name. To further convince victims, BlockProtector also creates numerous junk files with random names on your computer; these are detected as malware when the program scans your computer, but it will not let you remove them until you purchase it.

Creates new files:

  • %ProgramFiles%\BlockProtector Software\BlockProtector\BlockProtector.exe
  • %ProgramFiles%\BlockProtector Software\BlockProtector\Uninstall.exe
  • %UserProfile%\Start Menu\Programs\BlockProtector.lnk
  • %UserProfile%\Desktop\BlockProtector.lnk
  • %UserProfile%\Cookies\user@blockprotector[1].txt

Creates new registry entries:

  • HKEY_LOCAL_MACHINE\software\BlockProtector
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\BlockProtector
  • HKEY_CURRENT_USER\software\BlockProtector
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “BlockProtector.exe”

Screenshots:

How to remove the infection of Adware.Win32.BlockProtector?

To remove this infection, download and install a-squared Anti-Malware, run a full scan on all drives and move all detected items to quarantine.

Nov 06

BlockKeeper Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the BlockKeeper adware. a-squared Anti-Malware detects this malware as Adware.Win32.BlockKeeper.

BlockKeeper is a rogue scanner program: it shows a fake security center window, misleading scan results and fake security alerts. The author of BlockKeeper also made TheDefend, GuardPcs, IGuardPc, SiteAdware, AntiTroy, AntiKeep, AntiAdd, RESpyWare, REAnti, KeepCop, SecureKeeper, LinkSafeness, AntiAid, SystemFighter, SystemVeteran, BlockProtector, BlockScanner, BlockWatcher, SoftStronghold, ShieldSafeness, SoftVeteran, SoftSoldierSoftCop, TrustFighter, TrustSoldier, SafeFighter, SecureVeteran, etc., so it has the same user interface and the same characteristics, just a different name. To further convince victims, BlockKeeper also creates numerous junk files with random names on your computer; these are detected as malware when the program scans your computer, but it will not let you remove them until you purchase it.

Creates new files:

  • %ProgramFiles%\BlockKeeper Software\BlockKeeper\Uninstall.exe
  • %ProgramFiles%\BlockKeeper Software\BlockKeeper\BlockKeeper.exe
  • %UserProfile%\Cookies\usr@blockkeeper[1].txt
  • %UserProfile%\[USER]\Desktop\BlockKeeper.lnk
  • %UserProfile%\[USER]\Start Menu\Programs\BlockKeeper.lnk

Creates new registry entries:

  • HKEY_LOCAL_MACHINE\software\BlockKeeper
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\BlockKeeper
  • HKEY_CURRENT_USER\software\BlockKeeper
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “BlockKeeper.exe”

Screenshots:

How to remove the infection of Adware.Win32.BlockKeeper?

To remove this infection, download and install a-squared Anti-Malware, run a full scan on all drives and move all detected items to quarantine.