
Rogue Anti Virus: Scaring people with Task Manager

Rogue antivirus programs have been around for years now, trying to scare people into buying fake products.
This time, Desktop Security 2010 RogueAV comes with an interesting new trick to frighten users.

The main rogue component injects its DLL component, taskmgr.dll, into the Task Manager process: it creates a remote thread in taskmgr.exe that calls LoadLibrary to load taskmgr.dll, so the rogue's code ends up running inside Task Manager itself.

This dll is part of the scare tactics.

As you can see in the screenshot below, the words “virus free” and “infected” were inserted in front of process names:

The dll is packed with a custom packer. Once the dll has been unpacked, it’s easy to find out how it performs the modification.

Here is a small snippet from the unpacked dll to understand how it manipulates Task Manager:

As you can see above, it uses the SetTextColor API function to change the text color (the screenshot carries a comment on the color parameter). Finally, the DrawTextA API function is used to draw the extra text next to the process names.

This is a simple but effective trick against users who rely on Task Manager to spot and remove malware: the very tool they trust is the one being lied to, because the rogue's code is running inside it.
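Because the rogue's DLL is loaded into taskmgr.exe with LoadLibrary, it appears in Task Manager's own module list. The following PowerShell script is an added example, not code from the original article or from the rogue AV: it enumerates the modules loaded in taskmgr.exe and flags any that do not live under %SystemRoot%, fail Authenticode verification, or carry the same base name as the host process (taskmgr.dll inside taskmgr.exe, the pattern described above). The function name Get-SuspiciousTaskmgrModules and the three heuristics are assumptions of this example, not anything the article specifies.

```powershell
# Added example (not from the original article): list DLLs loaded in taskmgr.exe
# and flag the ones that look injected. Run from an elevated PowerShell with the
# same bitness as taskmgr.exe (64-bit on 64-bit Windows), otherwise .Modules may
# be empty or incomplete.
function Get-SuspiciousTaskmgrModules {
    [CmdletBinding()]
    param(
        # Process name to inspect; the article's sample targets Task Manager.
        [string]$ProcessName = 'taskmgr'
    )

    $windowsDir = $env:SystemRoot   # usually C:\Windows
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "No running process named $ProcessName.exe"
        return
    }

    foreach ($proc in $procs) {
        # Reading .Modules can throw (32/64-bit mismatch, insufficient rights).
        try { $modules = $proc.Modules } catch {
            Write-Warning "Cannot enumerate modules of PID $($proc.Id): $_"
            continue
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            $reasons = @()

            # Heuristic 1 (assumption): legitimate Task Manager modules live under
            # %SystemRoot% (System32, SysWOW64, WinSxS). Anything else is worth a look.
            if (-not $path.StartsWith($windowsDir, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += 'outside Windows directory'
            }

            # Heuristic 2 (assumption): Microsoft-shipped DLLs verify as Valid; a
            # dropped taskmgr.dll from a rogue installer normally does not. Note that
            # many in-box DLLs are catalog-signed, and older PowerShell/Windows builds
            # report those as NotSigned, so treat this as a weaker signal than path.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature $($sig.Status)"
            }

            # Heuristic 3: a module named after the host executable (taskmgr.dll in
            # taskmgr.exe) is the specific pattern the article describes.
            if ($m.ModuleName -ieq ($ProcessName + '.dll')) {
                $reasons += 'named after host process'
            }

            if ($reasons.Count -gt 0) {
                [PSCustomObject]@{
                    PID     = $proc.Id
                    Module  = $m.ModuleName
                    Path    = $path
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousTaskmgrModules | Format-Table -AutoSize
```

A clean Task Manager produces no rows. An infected one lists the injected DLL with its on-disk path, which is the file to collect for analysis; the remaining rows, if any, are usually catalog-signed system DLLs the signature check could not verify, which is why the path and name heuristics are kept separate from it.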
