Microsoft MMPC team wans of a new fake “System Defragmenter” family (FakeSysdef). It’s a rogue software in many ways, such as presenting forced installations, a polished user interface, false and annoying errors and a request (requirement) that users buy a license. This ultimately is the goal of the scammers — to extract money.
IT’s common strategies include branding or use of different names and aliases, and this family is no different, releasing 2 or 3 rebranded variations every week. Many of them are listed in the table below, including the recent “WinScan” that we dissect in this post later on.
FakeSysdef uses a few different packers that in turn, uses an anti-emulation trick in its bid to thwart emulators.
The main executable component arrives as an EXE file and acts as a loader. It first terminates the IE process if found running. On computers running Vista and later, it makes sure that it runs as an elevated privilege process. Then it drops a DLL file such as the following: “C:\Documents and Settings\All Users\Application Data\aJnsgXnTGrqWD.DLL”
It injects the DLL to the specific process name EXPLORER.EXE.
There’s a somewhat painless method to remove this trojan without giving in and paying the trojan. The basic steps are to start the computer in safe mode, delete the trojan DLL responsible as well as the scary bitmap wallpaper, then reboot and scan.
The DLL is identified by reviewing the registry data “<DLL_PATH>”: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
“AppSecDll” = “<DLL_PATH>”
The bitmap is stored as either “wall.BMP” or “<random>.BMP” in the Temporary files folder. The trojan also sets a policy to prevent the user from modifying the desktop wallpaper via a registry setting named “NoChangingWallPaper”.