As a malware analyst, I sometimes have to deal with files which cannot be classified as a computer virus or malware, but whose behavior, when executed by the user, is still considered unwanted or suspicious. In this blog post, we will look at an adware downloader. It comes in two different versions: a tiny one of only about 17 KB, written in .NET, and a bigger one built with the getrighttogo downloader builder. On the user's computer, the downloader was found at the following path:
C:\Documents and Settings\Administrador\Meus documentos\Downloads\filme(1).exe
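One triage step a sample like this invites, added here as an example and not part of the original analysis: telling the small .NET build from a native one by checking whether the PE carries a CLR runtime header (data directory slot 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR). The script is stdlib-only and parses just the headers it needs. It is exercised against a constructed, header-only PE image rather than the real downloader; the file name in the usage comment is the path quoted above, not a sample shipped with this example.

```python
import struct
import sys

# Slot 14 of the PE data directory holds the CLR runtime header; a non-empty
# entry is the usual quick marker of a .NET executable (index per the PE/COFF spec).
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def clr_header_entry(data: bytes):
    """Return (rva, size) of the CLR header directory entry, or None when the
    bytes are not a well-formed PE or the directory slot is absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                       # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                           # start of the optional header
    if opt + 2 > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                        # PE32
        num_rva_off, dir_off = 92, 96
    elif magic == 0x20B:                      # PE32+
        num_rva_off, dir_off = 108, 112
    else:
        return None
    if opt + num_rva_off + 4 > len(data):
        return None
    (num_rva,) = struct.unpack_from("<I", data, opt + num_rva_off)
    if num_rva <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return None                           # truncated directory: no CLR slot
    entry = opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if entry + 8 > opt + size_of_optional or entry + 8 > len(data):
        return None
    return struct.unpack_from("<II", data, entry)


def is_dotnet(data: bytes) -> bool:
    """True when the PE carries a non-empty CLR header entry."""
    entry = clr_header_entry(data)
    return entry is not None and entry[0] != 0 and entry[1] != 0


def build_minimal_pe(clr_rva: int, clr_size: int, pe32plus: bool = False) -> bytes:
    """Constructed fixture: a header-only PE image (no section table) with a
    chosen CLR directory entry. Not runnable code, just enough header for the
    parser above."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    magic = 0x20B if pe32plus else 0x10B
    num_rva_off, dir_off = (108, 112) if pe32plus else (92, 96)
    opt = bytearray(dir_off + 16 * 8)         # 16 data directory entries
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, num_rva_off, 16)
    struct.pack_into("<II", opt, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                     clr_rva, clr_size)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt)


def triage(data: bytes) -> dict:
    """Record what a first look at the downloader should capture."""
    return {"size_kb": round(len(data) / 1024, 1), "dotnet": is_dotnet(data)}


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # e.g.  python triage.py "filme(1).exe"
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:                                     # no file given: show the fixtures
        print("constructed .NET-style header:", triage(build_minimal_pe(0x2008, 0x48)))
        print("constructed native-style header:", triage(build_minimal_pe(0, 0)))
```

A non-empty slot 14 is a strong but not perfect signal: packed or tampered samples can hide or corrupt it, so treat the result as a first-pass sort, then confirm with a .NET decompiler on the small variant and a look at the embedded downloader configuration on the larger one.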
The user's computer got infected via one of many sites similar to the following ones: websites offering movie downloads. After clicking on the download links, .exe files were offered for download.
Figure 1 – Example of a site the downloader was originally downloaded from
In this blog post, I would like to introduce one variant of a widely spread malware family, often detected by avast! as “Reveton.” Reveton is classified as ransomware: a program which locks your computer and demands an action, usually the payment of money. Unless the demanded amount is paid or the malicious application is removed, you cannot do anything with your computer.
In the screenshot below (Figure 1), you can see an example of the fake United States Cyber Security notice. The cybercrooks cleverly try to convince the user that activities which violate the law have been detected on his computer. In the sample we analyzed, the user is accused of illegally downloading and distributing copyrighted content.
To mimic a realistic look, the United States Cyber Authority logo as well as basic information about the user's location (IP, Location, ISP) is shown in the upper left corner. A black and white image resembling a web camera is shown in the upper right corner. This creates the feeling that the user is being watched by the authorities right now through an integrated web camera. Most computers nowadays have integrated web cameras; however, the computer where our analysis was performed had no web camera at all, yet the video recording image was still shown, which confirms it is a static decoy rather than a live feed.
Imagine a program that scans your computer, detects some errors, and offers to fix them. There are many legitimate programs that do this (for example, antivirus programs), but there are also many fake programs which do nothing beneficial: they just pretend to scan your computer and pretend to fix some errors, but in reality there are no errors and nothing is being fixed. You didn't install such a program; you don't even know how it got onto your computer. It's just there, trying to trick you into buying a license.
Have you ever wondered what happens when you “buy” the activation key? Will the program really do something for you, will it just disappear… or will it keep annoying you? Let's look at a program called “S.M.A.R.T. Repair”.