Dec 17

System Adware Scanner 2010 Adware Removal Instructions

The Emsi Software malware research team has discovered a new outbreak of the System Adware Scanner 2010 adware. a-squared Anti-Malware detects this malware as Adware.Win32.SystemAdwareScanner2010.

System Adware Scanner 2010, distributed from hxxp://sysadscanner.com, is a rogue scanner program. Once installed, the application immediately starts a scan without prior notice. This fake scanner tries to trick you by displaying fake warning messages and a misleading scan report claiming that your computer is infected with viruses or trojans, which you will not be able to delete until you buy the fraudulent application. Be careful with this program: it will not protect your computer, it will only take your money.

Their site also has something funny on it. When we look at the System Adware Scanner 2010 Management Team page (hxxp://sysadscanner.com/about.php), we see this:

[Screenshot: the Management Team page on sysadscanner.com]

This page tells us about the people supposedly behind this product. Do not believe it, it's fake! How do we know it's fake? Let's search Google for a sentence found on that page. For example, we search for "Dale Fuller is a leading technology executive with extensive experience in starting up and growing both technology and consumer businesses". We get these results:

[Screenshot: Google results for the quoted sentence]

The first result is a page from the AVG antivirus company. So, let's click it. Then:

[Screenshot: the AVG page containing the same biography text]

Looks very similar, huh? Now you have proof that the System Adware Scanner 2010 Management Team page is fake: the biography text was copied from AVG's site.

Interested in this rogue, we decided to dig a little deeper and loaded it into the debugger. Yes, this rogue is packed and encrypted. The run-time packer rebuilds a new, unpacked PE file in memory. Running this application in a virtual environment yields no results, because it has some protection. Here is one of its protections, a check for the presence of VMware:

[Screenshot: disassembly of the VMware presence check]

This rogue also checks for the presence of anti-virus/anti-malware products on the victim machine, then kills them. Here is the list (the left side is encrypted, the right side decrypted):

[Screenshot: encrypted and decrypted anti-virus process name strings]

The encryption algorithm is pretty simple: a Caesar cipher using a left rotation of one place.
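
A small decoder for that obfuscation, added here as an example; it is not Emsi Software's tooling and not code from the rogue itself. It assumes (the page does not say) that the rotation applies to ASCII letters and digits within their own ranges, that punctuation such as "." and "-" is left alone, and that "left rotation" means each stored character sits one place *before* the real one, so decoding shifts forward by one. Because that direction is the part most easily got wrong when reading a disassembly, the block also brute-forces all 26 shifts and keeps the ones that look like a Windows process name. The encrypted samples at the bottom are constructed for the demo, not taken from the page's screenshot.

```python
"""Decode strings obfuscated with a Caesar cipher (left rotation by one).

Added example, not the rogue's code. Assumptions: letters rotate within
a..z / A..Z, digits within 0..9, everything else is untouched, and the
stored form is plaintext shifted back by one, so decoding shifts forward.
"""
import string
from typing import Dict, List, Tuple

ALPHABETS = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def caesar_shift(text: str, shift: int) -> str:
    """Rotate letters and digits by `shift` positions; positive = forward."""
    out = []
    for ch in text:
        for alphabet in ALPHABETS:
            if ch in alphabet:
                out.append(alphabet[(alphabet.index(ch) + shift) % len(alphabet)])
                break
        else:  # punctuation, whitespace, anything outside the three ranges
            out.append(ch)
    return "".join(out)


def decrypt_string(enc: str) -> str:
    """Undo the assumed left rotation of one place."""
    return caesar_shift(enc, 1)


def decrypt_all(encrypted: List[str]) -> List[str]:
    return [decrypt_string(s) for s in encrypted]


def brute_force(enc: str) -> Dict[int, str]:
    """All 26 shifts, for when direction or amount is not known for sure."""
    return {k: caesar_shift(enc, k) for k in range(26)}


def looks_like_process_name(s: str) -> bool:
    """Cheap plausibility filter for the AV-process list: a printable name ending in .exe."""
    return s.isprintable() and s.lower().endswith(".exe")


def rank_candidates(enc: str) -> List[Tuple[int, str]]:
    """Shifts whose output passes the plausibility filter."""
    return [(k, s) for k, s in brute_force(enc).items() if looks_like_process_name(s)]


# Constructed sample input (assumption: these are NOT the strings from the
# page's screenshot, just three AV process names encoded the same way).
SAMPLE_ENCRYPTED = ["zuo.dwd", "z-rptzqdc.dwd", "lazl.dwd"]

if __name__ == "__main__":
    for enc, dec in zip(SAMPLE_ENCRYPTED, decrypt_all(SAMPLE_ENCRYPTED)):
        print(f"{enc:16} -> {dec}")
    print("candidates for", SAMPLE_ENCRYPTED[0], rank_candidates(SAMPLE_ENCRYPTED[0]))
```

If the disassembly had actually shown a *right* rotation, `decrypt_string` would need `caesar_shift(enc, -1)`; `rank_candidates` makes that mistake visible, since only the correct shift yields names ending in ".exe".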

And here are some more strings:

[Screenshot: further decrypted strings from the unpacked binary]

Last but not least, we also found these strings:

[Screenshot: another string found in the unpacked binary]

What is that? Hmmm... let's check it:

[Screenshot: checking the string in the rogue]

Yes, you’re right! It is their registration key.

"System Adware Scanner 2010: Complete protection for everything you do. For only $25.95". No, thanks!

Creates new files (some file and directory names are random):

  • %SystemRoot%\system32\drivers\m4f4a0x0.sys (random)
  • %AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0 (random)
  • %AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0.exe (random)
  • %AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0.i (random)
  • %UserProfile%\Desktop\System Adware Scanner 2010.lnk
  • %UserProfile%\Start Menu\Programs\System Adware Scanner\System Adware Scanner 2010.lnk

Creates new registry entries (some entry names are random):

  • HKEY_LOCAL_MACHINE\software\m4f4a0x0 (random)
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SystemAdwareScanner2010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noterminate
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, "m4f4a0x0" (random)
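
The indicator lists above can be checked offline against a snapshot of a suspect machine. The following is an added example, not a-squared's detection logic: it takes registry values and file paths (constructed inline here; in practice they would come from a registry export and a directory listing) and reports the fixed indicators, plus the correlation that ties the random name together: on the page, the HKCU Run value, the HKLM\software key, the directory and .exe under %AllUsersProfile% and the driver under system32\drivers all share the same random name (m4f4a0x0). The pattern used for that random name, eight lowercase alphanumerics, is an assumption from the single sample the page shows, and the benign ctfmon.exe Run entry in the sample data is a constructed control.

```python
"""Match a registry/file snapshot against the System Adware Scanner 2010
indicators listed above.

Added example, not Emsi Software's code. Paths keep the unexpanded
environment variables used on the page (%SystemRoot%, %AllUsersProfile%,
%UserProfile%); matching is case-insensitive, as Windows paths and keys are.
"""
import re
from typing import Dict, List

RUN_KEY = r"HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run"

FIXED_REGISTRY_KEYS = [
    r"HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SystemAdwareScanner2010",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noterminate",
]
FIXED_FILES = [
    r"%UserProfile%\Desktop\System Adware Scanner 2010.lnk",
    r"%UserProfile%\Start Menu\Programs\System Adware Scanner\System Adware Scanner 2010.lnk",
]
# Assumption: the random name has the shape of the one sample on the page (m4f4a0x0).
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}$")


def find_iocs(registry: Dict[str, Dict[str, str]], files: List[str]) -> List[str]:
    """registry maps key path -> {value name: value data}; files is a list of paths.
    Returns one human-readable finding per matched indicator or cluster."""
    keys = {k.lower() for k in registry}
    present_files = {f.lower() for f in files}
    findings = []

    for key in FIXED_REGISTRY_KEYS:
        if key.lower() in keys:
            findings.append(f"registry key present: {key}")
    for path in FIXED_FILES:
        if path.lower() in present_files:
            findings.append(f"file present: {path}")

    # Correlate the random name across the Run value, the HKLM\software key,
    # the dropped .exe and the driver. Two or more hits is a strong signal even
    # when the fixed indicators above are absent or renamed.
    run_values: Dict[str, str] = {}
    for k, v in registry.items():
        if k.lower() == RUN_KEY.lower():
            run_values.update(v)
    for name, data in run_values.items():
        if not RANDOM_NAME.match(name):
            continue
        dropped_exe = rf"%AllUsersProfile%\Application Data\{name}\{name}.exe".lower()
        expected = {
            "Run value target": data.lower() == dropped_exe,
            "HKLM software key": rf"HKEY_LOCAL_MACHINE\software\{name}".lower() in keys,
            "dropped exe": dropped_exe in present_files,
            "driver": rf"%SystemRoot%\system32\drivers\{name}.sys".lower() in present_files,
        }
        hits = [label for label, ok in expected.items() if ok]
        if len(hits) >= 2:
            findings.append(f"random-name cluster '{name}': " + ", ".join(hits))
    return findings


# Constructed sample snapshot modelled on the indicator lists above
# (assumption: not captured from a real machine).
SAMPLE_REGISTRY = {
    RUN_KEY: {
        "m4f4a0x0": r"%AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # benign control entry
    },
    r"HKEY_LOCAL_MACHINE\software\m4f4a0x0": {},
    r"HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\SystemAdwareScanner2010": {},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noterminate": {},
}
SAMPLE_FILES = [
    r"%SystemRoot%\system32\drivers\m4f4a0x0.sys",
    r"%AllUsersProfile%\Application Data\m4f4a0x0\m4f4a0x0.exe",
    r"%UserProfile%\Desktop\System Adware Scanner 2010.lnk",
    r"C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for line in find_iocs(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(line)
```

The cluster check matters more than the fixed keys: the uninstall key name and the .lnk files are cosmetic and easy for the authors to change between builds, whereas the shared random name is how the dropper wires its pieces together.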

Screenshots:

[Screenshot 1 of 3: System Adware Scanner 2010]

[Screenshot 2 of 3: System Adware Scanner 2010]

[Screenshot 3 of 3: System Adware Scanner 2010]

How to remove the System Adware Scanner 2010 (Adware.Win32.SystemAdwareScanner2010) infection?

To remove this malware, please download and install a-squared Anti-Malware. Run a full scan of all drives and move all detected items to quarantine. Because the rogue kills the anti-virus processes it recognises, it may be necessary to boot into Safe Mode before installing and running the scan.
