24 June 2009

Malware Doctor - Another rogue security application installing through security holes

About three weeks ago Avelino Rico Jr over at the McAfee Labs blog reported on a new rogue security program called Malware Doctor.

This morning my honeypot caught Malware Doctor and some additional malware installing by exploiting a security hole. I've pasted the FreeFixer log below and marked the malware items in red:

Screenshot of Malware Doctor
FreeFixer v0.41 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-06-23 23:14
System policies
HKCU\..\policies\system, DisableTaskMgr = 1
HKCU\..\policies\system, DisableRegistryTools = 1

Browser Helper Objects
{AFF01325-0FC2-4749-8914-FBF0565AD9CC}, Chrome copyright, jbnmck.dll(file is missing)

Registry Startups
HKLM\..\Run, Malware Doctor = C:\Documents and Settings\LocalService\Application Data\1361538659.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, Malware Doctor = C:\Documents and Settings\LocalService\Application Data\1361538659.exe

Processes (17 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Program\FreeFixer\freefixer.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe

Services (34 whitelisted)
avast!Antivirus, , c:\windows\system32\avast!antivirus.exe

Recently modified files (1 whitelisted)
16 minutes, c:\Documents and Settings\LocalService\Application Data\1361538659.exe
16 minutes, c:\WINDOWS\system32\jbnmck.dll
16 minutes, c:\WINDOWS\system32\avast!Antivirus.exe
16 minutes, c:\WINDOWS\Temp\wpv521245837260.exe
7 days, c:\Program\FreeFixer\freefixer.exe
36 days, c:\Program\FreeFixer\Uninstall.exe
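As an added example (not from the post and not FreeFixer's own code), here is a small Python triage script for the log format shown above. It flags what an analyst reads off this log by eye: policy values that disable Task Manager and the registry editor, and autostart entries whose binary sits in a user-writable directory, was written minutes ago, or carries a random numeric name. The excerpt it runs on is a constructed subset of the log in the post; the directory patterns and the "minutes ago" threshold are this script's own assumptions, not FreeFixer's whitelist logic.

```python
import re
# Constructed excerpt of the FreeFixer log quoted above (not the whole log).
SAMPLE_LOG = r"""System policies
HKCU\..\policies\system, DisableTaskMgr = 1
HKCU\..\policies\system, DisableRegistryTools = 1

Registry Startups
HKLM\..\Run, Malware Doctor = C:\Documents and Settings\LocalService\Application Data\1361538659.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Recently modified files (1 whitelisted)
16 minutes, c:\Documents and Settings\LocalService\Application Data\1361538659.exe
"""
USER_WRITABLE = re.compile(  # directories a non-admin user (or a LocalService dropper) can write to
    r"\\(WINDOWS\\Temp|(Documents and Settings|Users)\\[^\\]+\\"
    r"(Application Data|AppData|Local Settings))\\", re.I)

def parse_sections(text):
    """Map section header -> entry lines; a blank line ends the current section."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
        elif current is None:
            current = re.sub(r"\s*\(\d+ whitelisted\)$", "", line.strip())
            sections[current] = []
        else:
            sections[current].append(line.strip())
    return sections

def triage(text):
    """Return (severity, message) findings for the indicators an analyst reads off this log."""
    s, findings = parse_sections(text), []
    for entry in s.get("System policies", []):  # rogueware locks the user out of its own removal
        m = re.match(r"^[^,]+, (\w+) = (\S+)$", entry)
        if m and m.group(1) in ("DisableTaskMgr", "DisableRegistryTools") and m.group(2) == "1":
            findings.append(("high", f"{m.group(1)}=1 blocks Task Manager or regedit"))
    # Files written minutes ago, to correlate with the autostart entries.
    recent = {m.group(1).lower() for m in (re.match(r"^\d+ minutes?, (.+)$", e)
              for e in s.get("Recently modified files", [])) if m}
    for m in filter(None, (re.match(r'^([^,]+), (.+?) = "?(.+?\.exe)', e, re.I)
                           for e in s.get("Registry Startups", []))):
        key, name, path = m.groups()
        reasons = [why for hit, why in (
            (USER_WRITABLE.search(path), "runs from a user-writable profile or temp directory"),
            (path.lower() in recent, "binary was written minutes ago"),
            (re.search(r"\\\d{6,}\.exe$", path), "random numeric file name")) if hit]
        if reasons:
            findings.append(("high", f"{key} '{name}' -> {path}: " + "; ".join(reasons)))
    return findings
```

Run against the excerpt, the two policy entries and the LocalService `1361538659.exe` Run entry are reported, while the legitimate Messenger entry under `C:\Program` is not.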
