Blackhat SEO used to spread SystemVeteran Rogue Software

Strategies used by cyber criminals to spread rogue software and other dangerous threats such as the ZeuS Trojan or Zlob are increasingly oriented to web-based spreading, using Blackhat SEO and social engineering to get the user to download and install the malicious executable file.

The most common method is to create a web page, generally with pornographic content, that displays a fake video thumbnail and warns the user that, to play and watch the video, a special codec or a fake Adobe player must be downloaded and installed.

This is the case of the malicious website get2(dot)tv, which uses a massive comment-spam campaign to promote the download of a fake video codec, leading the user to believe it is Adobe Flash Player and that it must be installed to watch the fake video. The malicious website spammed its URL with fake queries, mostly porn or adult text, and used Blackhat SEO strategies to make sure it got more visitors and possibly more victims.

If we click the link to download the fake codec, we are asked to install a file named setup.exe; it is not downloaded from get2(dot)tv but from another malicious site, szickfrost.com, which hosts the infected file:

[Screenshot: download prompt for setup.exe]

File Name:      setup_exe
File Size:      53295 bytes
MD5 Hash:       b005bee770d23120f0bdc571865536ca
SHA1 Hash:      334A9E2DCABB62C97A6BA94F905F75827CA9F4B0
Detection Rate: 3 on 18 (16.66%)
Status:         INFECTED

When the downloaded file is executed, it connects to another malicious website, systemveteran(dot)com, downloads two new executable files into the temp folder and immediately executes them:

[Screenshot: the two executables dropped in the temp folder]

From the first screen of the program installed by the fake video codec setup.exe, we can see that it looks like a rogue security software named SystemVeteran and that it has already detected 46 so-called infections on our system:

[Screenshot: SystemVeteran scan window]

The funny part of this rogue security software is that it drops more than 100 files with random names into our system folders; these are then "detected" by SystemVeteran during the scan. In other words, when installed, the program plants a large number of decoy files in the system folders so that the user can see the files really exist, and then alerts him that his computer is infected by thousands of malicious threats:

While SystemVeteran is running, it displays security alerts on the desktop stating that the computer is under attack or that active malware has been detected. These alerts are just another tactic to convince you that your computer has a problem, and they should be ignored. SystemVeteran deliberately uses fake security alerts and false scan results to scare you into purchasing the software.

When the program is executed, it creates the following files:

%ProgramFiles%\SystemVeteran Software
%ProgramFiles%\SystemVeteran Software\SystemVeteran
%ProgramFiles%\SystemVeteran Software\SystemVeteran\SystemVeteran.exe
%User%\Desktop\SystemVeteran.lnk
%User%\Start Menu\Programs\SystemVeteran.lnk
%ProgramFiles%\SystemVeteran Software\SystemVeteran\Uninstall.exe
C:\WINDOWS\system32\4fz9threat225425.ocx
C:\WINDOWS\system32\28725not-z-vi9u5491.exe
C:\WINDOWS\10b4spywar5191z.exe
C:\WINDOWS\system32\6791not-azv5rus464.ocx
C:\WINDOWS\system32\5479t5ojz5f.cpl
C:\WINDOWS\system32\958edownloazer1459.cpl
C:\WINDOWS\5df159r2637z.cpl
C:\WINDOWS\7245t9iefz269.cpl
C:\WINDOWS\1906not9a-vizu5165.exe
C:\WINDOWS\z2099orm55.exe

The program creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemVeteran
HKLM\SOFTWARE\SystemVeteran
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemVeteran

Note that, when installed, the program is configured to start automatically when Windows loads by adding a registry value named SystemVeteran under the Run key.
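The file and registry lists above can be turned into a simple triage check. The following is an added example, not code from the original post: it assumes an inventory of file paths and registry keys has already been exported from the suspect machine (for instance by a live-response script) and classifies each entry against the fixed indicators, using a heuristic for the randomly named decoy files.

```python
import re

# Indicators from the analysis above; paths keep the report's %ProgramFiles%
# and %User% placeholders and are compared case-insensitively.
KNOWN_FILES = {p.lower() for p in (
    r"%ProgramFiles%\SystemVeteran Software\SystemVeteran\SystemVeteran.exe",
    r"%ProgramFiles%\SystemVeteran Software\SystemVeteran\Uninstall.exe",
    r"%User%\Desktop\SystemVeteran.lnk",
    r"%User%\Start Menu\Programs\SystemVeteran.lnk",
)}
KNOWN_REGISTRY = {k.lower() for k in (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemVeteran",
    r"HKLM\SOFTWARE\SystemVeteran",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemVeteran",
)}
# Heuristic for the decoy "infections": an .exe/.ocx/.cpl directly in C:\WINDOWS
# or system32 whose base name carries four or more digits, as in 4fz9threat225425.ocx.
# Digits alone are a weak signal: treat a hit as a lead to confirm by hash, not proof.
DECOY_RE = re.compile(r"^c:\\windows\\(?:system32\\)?([^\\]+)\.(?:exe|ocx|cpl)$")

def classify(artifact):
    """Return the indicator class of one path or registry key, or None."""
    a = artifact.strip().lower()
    if a in KNOWN_FILES:
        return "known-file"
    if a in KNOWN_REGISTRY:
        return "known-registry"
    m = DECOY_RE.match(a)
    if m and sum(ch.isdigit() for ch in m.group(1)) >= 4:
        return "decoy-file"
    return None

def scan(inventory):
    """Group an exported inventory by indicator class; flag Run-key persistence."""
    hits = {}
    for item in inventory:
        kind = classify(item)
        if kind:
            hits.setdefault(kind, []).append(item)
    persistence = any(i.lower().endswith(r"\run\systemveteran")
                      for i in hits.get("known-registry", []))
    return {"hits": hits, "persistence": persistence}

# Constructed sample inventory: one legitimate entry mixed with the report's.
SAMPLE = [
    r"C:\WINDOWS\system32\regsvr32.exe",
    r"C:\WINDOWS\system32\4fz9threat225425.ocx",
    r"C:\WINDOWS\z2099orm55.exe",
    r"%User%\Desktop\SystemVeteran.lnk",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemVeteran",
]
```

Running scan(SAMPLE) reports the decoy files, the desktop shortcut and the Run-key value while leaving regsvr32.exe unflagged; the decoy heuristic is deliberately conservative because many legitimate system binaries contain a digit or two.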

How to remove SystemVeteran?
