Mar 9, 2012

Windows Personal Doctor – Fake AV, a new variant of Windows Personal Detective / Windows Basic Antivirus


Windows Personal Doctor is the latest rogue security product spreading across the internet. Once a system is infected with this fake AV, it terminates running instances of several security-related processes and displays annoying fake alerts claiming the system is infected. These fake AVs are usually distributed through malicious domains; in this case the domain is security-safe-2012-ddgfdgff.info/cba49fa4efefc673/setup.exe. This 'setup.exe' is an archive containing the file '4fpx4r7s6b2f184.exe', which you can extract using 7-Zip. '4fpx4r7s6b2f184.exe' is in turn a password-protected archive containing the original malware, "Filesystemscan.exe". The malware uses multiple layers of packaging to evade signature detection.

Filename: Setup.exe
MD5: AC0B10D6D112357731760EDAED700AEF
SHA-1: 17A1C899A0973BDDFEC0AA7A872720C75191390E

Filename: Filesystemscan.exe
MD5: 35A925E1586B5413932651E82F559EDF
SHA-1: B89A960E739DAC209F6E2F91EC8D5A1367BDAE6C


Upon execution, "Filesystemscan.exe" makes the following changes to the system.

Files created:

C:\Documents and Settings\Administrator\Application Data\Protector-yiw.exe
C:\Documents and Settings\Administrator\Application Data\result.db
C:\Documents and Settings\Administrator\Desktop\Windows Personal Doctor.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Windows Personal Doctor.lnk

Registry values set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System   DisableRegedit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System   DisableRegistryTools
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System   DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Run   Inspector   \Application Data\Protector-yiw.exe

It disables the Windows Defender service (WinDefend) and the Microsoft Protection Service (msmpsvc). It also prevents the user from running several security tools on the infected PC.
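The file and registry changes listed above are the host-side indicators a responder would sweep for. The script below is an added example, not code from the original post: it parses a constructed excerpt in the layout that 'reg export' produces, flags the three lockout policies and the Run entry that launches from Application Data, and checks file contents against the MD5 values given above (falling back to the dropped file names). The .reg excerpt, the sample file map and the function names are assumptions made for the example; only the key paths, value names, file names and hashes come from the analysis.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Indicators as reported in the analysis above.
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_VALUES = ("DisableRegedit", "DisableRegistryTools", "DisableTaskMgr")
DROPPED_NAMES = {"protector-yiw.exe", "result.db", "windows personal doctor.lnk"}
KNOWN_MD5 = {
    "ac0b10d6d112357731760edaed700aef": "Setup.exe",
    "35a925e1586b5413932651e82f559edf": "Filesystemscan.exe",
}

# Constructed excerpt in the layout 'reg export' produces (not a capture from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegedit"=dword:00000001
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\Documents and Settings\\Administrator\\Application Data\\Protector-yiw.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Parse the subset of the .reg format used here: [key] headers, "name"=dword:/"string" values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg string data escapes backslashes as '\\'; undo that here.
            keys[current][name] = data[1:-1].replace("\\\\", "\\")
        else:
            keys[current][name] = data
    return keys


def registry_findings(keys):
    """Flag the three lockout policies when set to 1, and any Run entry launching from Application Data."""
    findings = []
    policies = keys.get(POLICY_KEY, {})
    for name in POLICY_VALUES:
        if policies.get(name) == 1:
            findings.append(("policy", name))
    for name, cmd in keys.get(RUN_KEY, {}).items():
        cmd_l = str(cmd).lower()
        if "protector-yiw.exe" in cmd_l or "\\application data\\" in cmd_l:
            findings.append(("run", f"{name} -> {cmd}"))
    return findings


def hash_bytes(data):
    """Return (md5, sha1) hex digests, matching the hash types listed in the analysis."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def file_findings(files):
    """files: {windows_path: content bytes}. Known sample hashes win; otherwise match dropped file names."""
    findings = []
    for path, content in files.items():
        md5, _ = hash_bytes(content)
        if md5 in KNOWN_MD5:
            findings.append(("hash", f"{path} = {KNOWN_MD5[md5]}"))
        elif PureWindowsPath(path).name.lower() in DROPPED_NAMES:
            findings.append(("name", path))
    return findings


if __name__ == "__main__":
    for f in registry_findings(parse_reg_export(SAMPLE_REG)):
        print(f)
    # Constructed file contents; the hashes will not match, so the name rule fires for result.db only.
    sample_files = {
        r"C:\Documents and Settings\Administrator\Application Data\result.db": b"constructed",
        r"C:\WINDOWS\notepad.exe": b"MZ constructed",
    }
    for f in file_findings(sample_files):
        print(f)
```

The Run entry is matched on the Application Data location rather than only on the fixed name, since the dropped executable name can change between variants while the launch location tends to stay the same; the policy values are checked for the literal 1 so that a key that merely exists with value 0 is not reported.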


It runs a fake scan of the system and reports that infections have been identified, but it is all fake: the results are designed to look convincing so that people fall prey to it. To appear legitimate, it mimics some genuine system utilities such as a Service Manager, Autorun (Startup) Manager, Process Controller, and so on.


The results shown above are predefined; they are retrieved from the file result.db and displayed. We already know result.db is dropped by this Trojan, so the whole scan is fake, intended to trick you into buying the rogue product. Below is the hex view of result.db showing the data used to populate the fake results.


When you try to get rid of the infection by clicking "Remove All", or click anywhere else on the rogue program, you are only prompted with a window to activate the product.


Never enter your personal details when prompted by these rogue products; you will lose your money. Below is the fake payment window used by the Trojan to collect the user's credit card and personal information.


Sites contacted by this Trojan:
http://galaint.online-secure-pay.info
http://online-secure-pay4.info/service/
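The distribution domain and the two payment hosts listed in this post are the network indicators worth matching in proxy or DNS logs to find other infected machines. The script below is an added example, not code from the original post: it runs over a few constructed proxy log lines in a simple "timestamp client method url status" layout (assumed for the example, not a real log format) and reports which client contacted which indicator host, matching subdomains such as galaint.online-secure-pay.info while rejecting lookalikes where the indicator appears only as a prefix of another domain.

```python
import re
from urllib.parse import urlsplit

# Domains from the analysis above: the distribution site and the two "payment" hosts.
INDICATOR_DOMAINS = {
    "security-safe-2012-ddgfdgff.info",
    "online-secure-pay.info",
    "online-secure-pay4.info",
}

# Constructed proxy log lines (not real traffic); one lookalike domain is included on purpose.
SAMPLE_LOG = """\
2012-03-09T10:15:01Z 10.0.0.23 GET http://security-safe-2012-ddgfdgff.info/cba49fa4efefc673/setup.exe 200
2012-03-09T10:15:07Z 10.0.0.23 GET http://www.example.com/index.html 200
2012-03-09T10:16:40Z 10.0.0.23 POST http://galaint.online-secure-pay.info/ 200
2012-03-09T10:17:02Z 10.0.0.41 GET http://online-secure-pay4.info.example.org/ 404
2012-03-09T10:18:15Z 10.0.0.41 GET http://ONLINE-SECURE-PAY4.INFO/service/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_matches(host, indicators):
    """True if host equals an indicator domain or is a subdomain of one.

    Matching on the label boundary ('.' + domain) is what keeps
    'online-secure-pay4.info.example.org' from being reported.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)


def scan_proxy_log(text, indicators=INDICATOR_DOMAINS):
    """Return one record per log line whose URL host matches an indicator domain."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, method, url, status = m.groups()
        host = urlsplit(url).hostname or ""
        if host_matches(host, indicators):
            hits.append({"time": ts, "client": client, "method": method,
                         "host": host, "url": url, "status": status})
    return hits


def infected_clients(text, indicators=INDICATOR_DOMAINS):
    """Sorted list of client addresses that contacted any indicator host."""
    return sorted({h["client"] for h in scan_proxy_log(text, indicators)})


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} -> {hit["host"]} ({hit["method"]} {hit["status"]})')
    print("clients to investigate:", infected_clients(SAMPLE_LOG))
```

A POST to one of the payment hosts is the more urgent finding than a GET of setup.exe, since it suggests the user reached the card-entry window; the status code is kept in the record so that failed downloads can be told apart from completed ones.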

2 comments:

1. Hello there! Would you please help me to remove this fake doctor from my PC?? Help help help....
   Thanks a lot!

2. Follow the instructions in the link http://www.bleepingcomputer.com/virus-removal/remove-windows-personal-doctor