XPDefender

[Malekal_morte]

XPDefender est un rogue qui se dit pouvoir nettoyer les traces laissées par les sites visités, ce dernier va afficher des alertes si vous surfez sur des sites pornographiques disant que des traces restent sur l'ordinateur.

Le seul but de ces fausses alertes est de vous faire acheter ce faux anti-spyware.



L'infection ouvre des popups d'alerte en bas à droite "Windows Kernel Files - Help Speed up your PC"
Des erreurs détectées pour vous faire acheter le rogue.



L'infection ouvre aussi un faux centre de sécurités/Help And Support Center avec Windows Performance 4

[Malekal_morte]

Une autre variante d'infection avec modification du fond d'écran et le message : Warning : Spyware threat has been detected on your PC




Alertes & redirects vers hxxp://antispywaresupdates.net qui propose divers rogues..

[Malekal_morte]

Fausse fenêtre d'alerte NOD32, si vous cliquez dessus, ce sont des rogues qui sont proposés en téléchargement.


Les traditionnels bulles d'alertes...


Les messages d'alertes que vous pouvez obtenir via l'icône d'alerte ou popup :
#CR##CR#Download étant remplacé par le nom d'un trojan (généralement qui n'existe pas) récupéré sur un site WEB.

Your computer is infected with spyware!
Windows has detected spyware infection on your PC.#CR##CR#It is recommended to update your antispyware protection to prevent data loss. Click here to download and install the most up-to-date antispyware for you.#CR##CR#Click here for more information...
Warning:
Your computer is infected with spyware!#CR#Help to protect your computer and remove spyware!#CR##CR#Click here for more information...&
Your security and privacy are at risk!k
Spyware has been detected on your computer!#CR#Click here to run a FULL SYSTEM SCAN to protect your data...
Your computer is working slowly.
Slow operation speed might have been caused by spyware.#CR##CR#Download latest antispyware software and run FULL SYSTEM SCAN to remove viruses and spyware.#CR##CR#Click here to start downloading...!
Internet attack attempt detected:
Somebody's trying to infect your PC with spyware or harmful viruses. Run FULL SYSTEM SCAN now to protect your system from Internet attacks, hijacking attempts and spyware.#CR##CR#Click here for the list of available security updates...1
Your computer is not protected against spyware...
Spyware able to steal your data including passwords, credit card numbers, etc. Scan your computer for spyware immediately!#CR##CR#Full system scan is highly recommended.!

Spyware is a software that performs certain behaviors such as advertising, collecting personal information, or changing the configuration of your computer, generally without appropriately obtaining your consent first. Spyware send gathered information to its creators through your Internet connection. Gathered information can be passwords, credit card numbers, e-mail addresses and all that data, which is important for you.

Update Windows antispyware protection and remove detected threats.
Possible spyware infection has been detected on your computer by Windows Security Center.
Windows Security Center system warning
Click here to visit Windows Security Center web site...
To remove detected threat you need to update Windows antispyware protection.

Slow operation speed might have been caused by spyware.
Download latest antispyware software and run FULL SYSTEM SCAN to remove viruses and spyware.
Your computer is working slowly.

Le rapport HijackThis de l'infection :

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {99962bf4-1dd1-11b2-9a10-ce81b547f39d} - C:\WINDOWS\azwbizqb.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [cvmlarwh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\cvmlarwh.dll"
O4 - HKLM\..\Run: [drmsrv32] c:\winipug.exe

[Malekal_morte]

L'infection place un Hook (Hook_CALLWNDPROC) sur Internet Explorer


Ceci permet de manipuler le navigateur en remplaçant l'url hxxp://antispywaresupdates.net par about:security mais surtout, il est impossible de modifier l'adresse pour se rendre sur un autre site WEB.
Le Hook efface et replace automatiquement l'adresse about:security.
Voici une vidéo qui vous le montre :

https://www.malekal.com/fichiers/spywares/Ultimate.mpeg

[Malekal_morte]

Quelques scans VirusTotal relatifs à cette infection : http://forum.malekal.com/viewtopic.php?f=62&t=8270