About three weeks ago Avelino Rico Jr over at the McAfee Labs blog reported on a new rogue security program called Malware Doctor.
This morning my honeypot caught Malware Doctor and some additional malware installing by exploiting a security. I've pasted the FreeFixer log and marked the malware item in red:
FreeFixer v0.41 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-06-23 23:14

System policies
HKCU\..\policies\system, DisableTaskMgr = 1
HKCU\..\policies\system, DisableRegistryTools = 1

Browser Helper Objects
{AFF01325-0FC2-4749-8914-FBF0565AD9CC}, Chrome copyright, jbnmck.dll(file is missing)

Registry Startups
HKLM\..\Run, Malware Doctor = C:\Documents and Settings\LocalService\Application Data\1361538659.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, Malware Doctor = C:\Documents and Settings\LocalService\Application Data\1361538659.exe

Processes (17 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Program\FreeFixer\freefixer.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe

Services (34 whitelisted)
avast!Antivirus, , c:\windows\system32\avast!antivirus.exe

Recently modified files (1 whitelisted)
16 minutes, c:\Documents and Settings\LocalService\Application Data\1361538659.exe
16 minutes, c:\WINDOWS\system32\jbnmck.dll
16 minutes, c:\WINDOWS\system32\avast!Antivirus.exe
16 minutes, c:\WINDOWS\Temp\wpv521245837260.exe
7 days, c:\Program\FreeFixer\freefixer.exe
36 days, c:\Program\FreeFixer\Uninstall.exe