Defense Center – Rogue AV (June 25, 2010)


SonicWALL UTM Research team found instances of a new Rogue AV downloader being spammed in the wild with the theme “Statement of Fees”. The e-mail contains the downloader file inside the zip attachment.

Below is a sample e-mail:

Email Campaign – Statement of Fees

Subject: Statement of fees 2010

Attachment: (contains Statement_of_Fees_2010.DOC.exe)

Email Body:
Please find attached a statement of fees as
requested, this will be posted today.
The accomodation is dealt with by another
section and I have passed your request on to them

Kind regards.
{email sender}

The e-mail message looks like below:


Malicious executable file inside the zip attachment disguise itself as a document file via Microsoft Word icon:


Once the user runs the executable file, the Trojan will download and install the Rogue AV from the following URLs:

  • http://(REMOVED)
  • http://(REMOVED)
  • http://(REMOVED)

Prior to downloading the Rogue AV, it will first do the following system activities:

  • To ensure that only one intance of this downloader runs in the memory, it creates a mutex: AAB647AB-4C1A-4cf0-9DE5-DD056FABF1F9
  • Adds the following in the registry:
    Key: [HKEY_CURRENT_USERPrintersConnections] Data: “subid”=”landing”
    Data: “affid”=”396”
  • Creates the file _favdata.dat at Documents and SettingsAll UsersFavorites folder with the following content:
  • Verifies that the location of the user is not in the following list before continuing its installation:
    – Azerbaijan
    – Belarus
    – Czech Republic
    – Kazakhstan
    – Kyrgyzstan
    – Poland
    – Russia
    – Ukraine
    – Uzbekistan

Rogue AV Installation




    Files Added:

    • (Temp)wscsvc32.exe – GAV: Conficker.gen (Worm)
    • (Temp)autmgr32.exe – GAV: Tibs.JF (Trojan)
    • (Program Files)Defense Center
    • (Program Files)Defense Centerdefcnt.exe – GAV: Conficker.gen (Worm)
    • (Program Files)Defense Centerdefext.dll – GAV: Conficker.gen (Worm)
    • (Program Files)Defense Centerdefhook.dll – GAV: Conficker.gen (Worm)
    • Documents and Settings{User}Start MenuProgramsDefense Center
    • Documents and Settings{User}Start MenuProgramsDefense CenterAbout.lnk
    • Documents and Settings{User}Start MenuProgramsDefense CenterActivate.lnk
    • Documents and Settings{User}Start MenuProgramsDefense CenterBuy.lnk
    • Documents and Settings{User}Start MenuProgramsDefense CenterDefense Center Support.lnk
    • Documents and Settings{User}Start MenuProgramsDefense CenterDefense Center.lnk
    • Documents and Settings{User}Start MenuProgramsDefense CenterScan.lnk
    • Documents and Settings{User}Start MenuProgramsDefense CenterSettings.lnk
    • Documents and Settings{User}Start MenuProgramsDefense CenterUpdate.lnk

    Registries Added:

      Auto Startup Entry
    • Key: HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
      Value: Defense Center
      Data: “”C:Program FilesDefense Centerdefcnt.exe” -noscan”
      Disables Task Manager
    • Key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
      Value: DisableTaskMgr
      Data: dword:00000001
    • Key: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
      Value: DisableTaskMgr
      Data: dword:00000001
      Shell Spawning
    • Key: HKEY_CLASSES_ROOT.exeshellopencommand
      Value: @
      Data: autmgr32.exe /START “%1″ %*”
    • Key: HKEY_CLASSES_ROOTsecfileshellopencommand
      Value: @
      Data: autmgr32.exe /START “%1″ %*”

    Registries Modified:

    • Key: HKEY_CLASSES_ROOT.exe
      Value: @
      Original Data: “exefile”
      New Data: “secfile”

    After installation, the Rogue AV will pretend to perform full system scan for any malware infection. At the end of scanning it displays fake results indicating malware infection on the system:


    Once the user clicks the button to remove the threats, it will prompt for product activation which redirects the user to its payment portal.



    SonicWALL Gateway AntiVirus provides protection against these spammed Rogue AV variants via following signatures:

    • GAV: TDSS.BHKV (Trojan) – (6,204 hits)
    • GAV: Tibs.JF (Trojan)
    • Tdss.BEEA_2 (Trojan))
    • GAV: Conficker.gen (Worm)


    Security News
    The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.